In a major escalation of cross-platform threats, the GlassWorm malware campaign has launched its fourth and most dangerous wave yet—this time focusing exclusively on macOS users. First reported by researchers at Koi Security, this latest variant leverages malicious Visual Studio Code (VS Code) extensions hosted on the OpenVSX registry to silently infiltrate developer machines, steal authentication credentials, and even replace legitimate cryptocurrency wallet applications with custom-built trojanized versions.
While earlier GlassWorm waves primarily targeted Windows systems using obfuscated Unicode characters and Rust-based payloads, this macOS-focused attack marks a turning point—proving that Mac users are no longer “safe by default.” With over 50,000 reported downloads (many artificially inflated to boost legitimacy), the campaign poses a serious threat to developers, blockchain engineers, and anyone managing crypto assets on Apple devices.
How the Attack Works: From Extension to Full Compromise
The infection begins when a developer installs one of three malicious extensions from OpenVSX:
- studio-velte-distributor.pro-svelte-extension
- cudra-production.vsce-prettier-pro
- Puccin-development.full-access-catppuccin-pro-extension
At first glance, these mimic popular open-source tools—complete with professional-looking icons and descriptions. But beneath the surface, they contain AES-256-CBC–encrypted JavaScript payloads designed to evade static analysis.
Crucially, the malware waits 15 full minutes after installation before executing—long enough to bypass most automated security sandboxes that terminate scans after 5–10 minutes. Only then does it decrypt and run its malicious code via eval().
```javascript
// Loader shape reported in the malicious extensions: sleep past the sandbox
// window, then decrypt the embedded payload and hand it to eval().
setTimeout(() => {
  const decrypted = crypto.createDecipheriv('aes-256-cbc', key, iv);
  let payload = decrypted.update(encryptedData, 'base64', 'utf8');
  payload += decrypted.final('utf8');
  eval(payload);
}, 900000); // 15 minutes in milliseconds
```
This delayed execution makes detection extremely difficult—especially in fast-paced development environments where developers frequently install new tools.
macOS-Specific Exploitation: Beyond Simple Payloads
Once active, GlassWorm fully embraces macOS-native capabilities to maximize stealth and persistence:
While the current trojanized wallet apps appear non-functional (returning empty files), researchers confirm the delivery mechanism is fully operational. This suggests attackers are preparing to deploy live credential-stealing payloads imminently—potentially harvesting seed phrases and private keys in real time.
Exfiltrated data—including browser cookies, NPM tokens, GitHub credentials, and crypto extension secrets—is compressed and sent to an exfiltration server at 45.32.150.251/p2p.
Decentralized C2: Command & Control via Solana Blockchain
One of the most innovative—and concerning—aspects of this GlassWorm wave is its use of the Solana blockchain for command-and-control (C2) communications.
Instead of relying on traditional domains or IP addresses (which can be quickly blocked or seized), the malware reads Base64-encoded C2 URLs hidden inside Solana transaction memos. This decentralized infrastructure makes takedowns nearly impossible, as there’s no single server or domain to shut down.
This technique—seen in only a handful of advanced campaigns—signals that GlassWorm’s operators are highly sophisticated and likely tied to financially motivated cybercrime groups. The same C2 IP (45.32.151.157) was used in Wave 3, confirming a single, persistent threat actor behind the entire campaign.
Immediate Steps for Mac Users & Developers
If you’ve ever installed VS Code extensions from OpenVSX—especially from unverified publishers—take these actions immediately:
1. Uninstall the three flagged extensions listed above
2. Revoke all personal access tokens for GitHub, GitLab, NPM, and crypto platforms
3. Change passwords for your email, cloud accounts, and crypto exchanges
4. Check for suspicious LaunchAgents:
   ```bash
   ls ~/Library/LaunchAgents/
   ```
   Delete any unfamiliar .plist files
5. Reinstall Ledger Live or Trezor Suite only from official websites—never from third-party links
6. Monitor blockchain activity on your Solana and Ethereum wallets for unauthorized transfers
Important: OpenVSX now shows warnings for unverified publishers—but many users installed these extensions before the alerts appeared. Don’t assume you’re safe based on current UI cues alone.
Long-Term Prevention Strategies
To reduce future risk:
- Prefer the official VS Code Marketplace (Microsoft’s store) over OpenVSX for extensions
- Enable macOS Gatekeeper and require app notarization
- Use a non-admin user account for daily development work
- Deploy network monitoring tools that can detect unusual Solana or IP-based C2 traffic
- Conduct quarterly audits of installed extensions and system persistence mechanisms
Final Thoughts: The End of “Mac Immunity”?
GlassWorm’s pivot to macOS shatters the long-held myth that Apple devices are inherently secure against malware. With developers increasingly targeted for their access to high-value credentials and crypto assets, platform-agnostic threats are the new norm.
As Koi Security warns: “The infrastructure is ready. The only thing missing is the final payload.”
For Mac users in the blockchain and developer communities, proactive defense isn’t optional—it’s essential. Audit your tools today. Your digital keys could depend on it.
