January 30, 2026

New GlassWorm malware wave targets Macs with trojanized crypto wallets

The article reports a fourth wave of the “GlassWorm” supply-chain campaign targeting macOS developers via malicious VS Code/OpenVSX extensions. Researchers at Koi Security found three OpenVSX listings that hide an AES-256-CBC–encrypted payload inside compiled JavaScript and delay execution by about 15 minutes to evade sandbox analysis. This wave shifts tactics for macOS: it uses AppleScript rather than PowerShell and establishes persistence via LaunchAgents, while keeping a Solana blockchain-based command-and-control mechanism seen in earlier waves.

Once running, GlassWorm aims to steal high-value developer and crypto assets: it targets credentials/tokens for GitHub, npm, and OpenVSX, harvests browser data, and now also attempts to grab macOS Keychain passwords. It additionally checks for popular hardware-wallet apps (such as Ledger Live and Trezor Suite) and tries to replace them with trojanized versions, although Koi Security notes that the wallet-replacement payloads currently return empty files—suggesting the attacker’s infrastructure may still be “warming up.” The recommended response is to remove the extensions immediately, reset relevant passwords, revoke tokens, and validate the host for compromise (up to reinstalling the system if needed), while treating download counts as potentially manipulated and not a sign of legitimacy.
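A host-validation check for the persistence mechanism described above, added here as an example and not code from the article or from Koi Security: it parses user LaunchAgent plists and flags the traits the write-up names (AppleScript execution, code launched from a VS Code extension folder, auto-start at login). The regex indicators, the suspect label and both sample plists are assumptions constructed for illustration, not published indicators.

```python
import plistlib
import re
from pathlib import Path

# Heuristic triage of macOS LaunchAgent plists for traits the GlassWorm write-up
# mentions. The indicator strings are assumptions for illustration, not published IoCs.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bosascript\b"), "invokes AppleScript via osascript"),
    (re.compile(r"\.vscode/extensions/"), "runs code from a VS Code extension directory"),
    (re.compile(r"\.vscode-oss/extensions/"), "runs code from an OpenVSX/VSCodium extension directory"),
    (re.compile(r"\bcurl\b|\bbase64\b"), "downloads or decodes content at launch"),
]

def triage_launch_agent(plist: dict) -> list[str]:
    """Return the reasons a parsed LaunchAgent plist deserves a closer look (empty if none)."""
    args = list(plist.get("ProgramArguments", []))
    if isinstance(plist.get("Program"), str):
        args = [plist["Program"], *args]
    command = " ".join(str(a) for a in args)
    reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(command)]
    # Login persistence is normal for many agents, so it is only reported as context
    # when one of the content indicators above has already matched.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("auto-starts at login (RunAtLoad/KeepAlive)")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every .plist under `directory` (e.g. ~/Library/LaunchAgents) and report flagged ones."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            findings[path.name] = ["unparseable plist"]
            continue
        reasons = triage_launch_agent(plist)
        if reasons:
            findings[path.name] = reasons
    return findings

# Constructed sample plists (not real GlassWorm artifacts) for a stand-alone run.
BENIGN = {"Label": "com.example.sync", "ProgramArguments": ["/usr/local/bin/syncd"], "RunAtLoad": True}
SUSPECT = {
    "Label": "com.example.update.helper",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/dev/.vscode/extensions/pub.ext-1.0.0/out/u.scpt"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
```

Run `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a suspect Mac; a match is a lead for manual review, not proof of compromise, and a clean result does not rule out other persistence locations.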

Source: https://www.bleepingcomputer.com/news/security/new-glassworm-malware-wave-targets-macs-with-trojanized-crypto-wallets/
