GlassWorm has returned with a dangerous new evolution. The notorious self-propagating malware, which first surfaced in October as an invisible Unicode-based threat in VS Code extensions, has completed a significant platform pivot to macOS with 50,000 downloads and a fully operational infrastructure.
Security researchers have identified three malicious extensions on the Open VSX marketplace linked to the actor through shared command-and-control infrastructure: the IP address 45.32.151.157, which first appeared in the threat actor’s third wave.
This fourth wave represents a critical escalation. Rather than relying on the invisible Unicode obfuscation techniques documented in previous campaigns, GlassWorm has adopted AES-256-CBC encrypted payloads embedded in compiled JavaScript.
The encryption uses a single hardcoded key shared across all three malicious extensions, a signature that confirms one coordinated threat actor. Because the key ships inside the extension, the encryption defeats only static string scanning and signature matching; anyone holding the package can decrypt the payload, so it is an evasion measure, not real confidentiality.
More insidiously, the malware incorporates a 15-minute execution delay, a deliberate evasion technique aimed at automated sandbox environments that typically time out after five minutes.
By the time the payload actually runs, the sandbox's analysis window has long closed and the extension is already installed on the developer's machine, where nothing is watching.
VS Code Marketplace Abuse
The most significant change is targeting. Every previous GlassWorm malware wave exclusively targeted Windows systems. Wave 4 exclusively targets macOS.
The shift is strategic: developers, particularly those in the cryptocurrency, Web3, and startup ecosystems that make up GlassWorm's primary victim pool, predominantly use Apple devices.
The macOS payload demonstrates a sophisticated platform-specific implementation, leveraging AppleScript for execution instead of PowerShell, LaunchAgents for persistence instead of Registry keys, and direct theft of the Keychain database rather than relying on credential managers.
GlassWorm’s command-and-control infrastructure continues evolving. The actor deployed a new Solana wallet address (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC) distinct from previous campaigns, though legacy wallets remain active.
The blockchain-based C2 mechanism persists: the malware reads Solana transaction memos containing base64-encoded URLs to retrieve the current C2 endpoints. Because the wallet address is static and memos are public and immutable, the operator can rotate C2 servers by posting a new transaction, and the dead drop cannot be seized or altered the way a domain or hosting account can.

Infrastructure tracking shows the C2 shifting from 217.69.11.60 (November 27) to 45.32.151.157 (December), with a new exfiltration server at 45.32.150.251.
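The dead-drop resolver described above, as an added illustration written for this article (not GlassWorm's code): the attacker-side logic walks a wallet's memos and keeps the newest one that decodes to a URL, and the defender-side helper pulls out every host ever referenced. The memo strings are constructed here; the article's description that a memo holds a base64-encoded URL is taken at face value, and the exact on-chain encoding is an assumption.

```python
"""Added example: turning Solana memo text into a C2 URL, and back into IoCs.
Illustrative code for this article, not GlassWorm's own. The memos below are
constructed; the one-URL-per-memo format is assumed from the article's text."""
import base64
import binascii
from urllib.parse import urlparse

# Constructed memo payloads in the order a wallet's history might return them
# (oldest first). Only some are valid C2 pointers; the IPs are article IoCs.
SAMPLE_MEMOS = [
    "hello world",                                            # plain text
    base64.b64encode(b"http://217.69.11.60/api").decode(),    # earlier C2
    "!!!not-base64!!!",                                       # invalid base64
    base64.b64encode(b"just some bytes").decode(),            # decodes, not a URL
    base64.b64encode(b"http://45.32.151.157/api").decode(),   # current C2
]


def decode_memo(memo: str):
    """Return the URL hidden in a memo, or None if it is not a base64 URL."""
    try:
        raw = base64.b64decode(memo, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return text
    return None


def resolve_c2(memos):
    """Attacker-side view: the wallet is static, so the operator rotates C2 by
    posting a new memo; infected hosts take the most recent valid URL."""
    current = None
    for memo in memos:
        url = decode_memo(memo)
        if url:
            current = url
    return current


def extract_ioc_hosts(memos):
    """Defender-side view: every host ever referenced, for blocklists and hunting."""
    hosts = []
    for memo in memos:
        url = decode_memo(memo)
        if url:
            host = urlparse(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    print("current C2:", resolve_c2(SAMPLE_MEMOS))
    print("all hosts:", extract_ioc_hosts(SAMPLE_MEMOS))
```

The takeaway for defenders is that the wallet address, not any single IP, is the stable indicator: blocking the current C2 only lasts until the next memo, while monitoring the wallet's transaction history surfaces each rotation as it happens.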
The most alarming capability addition is hardware wallet trojanization. Previous waves focused on credential theft and backdoor installation. Wave 4 specifically targets the Ledger Live and Trezor Suite applications, attempting to replace the legitimate wallet software with compromised versions.
If successful, attackers could display fake receiving addresses, modify transaction details, capture seed phrases, and intercept device communication, effectively compromising hardware wallets despite the isolation of the signing keys on the device. The device itself is not broken: the attack lives in the host-side companion app, which is why verifying addresses and amounts on the device's own screen, and never typing a seed phrase into the desktop app, still catches it.
Mitigations
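A triage check a practitioner would want after reading the indicators above, written as an added example for this article (not vendor tooling): scan an extensions directory and a LaunchAgents folder for the C2 addresses, exfiltration server and wallet address the article lists. The directory tree is constructed in a temporary folder so the script runs offline; on a real Mac you would point scan_for_iocs() at ~/.vscode/extensions (or the Open VSX client's equivalent) and ~/Library/LaunchAgents. The osascript heuristic is an assumption drawn from the article's mention of AppleScript execution, not a published indicator.

```python
"""Added example, not part of the original article: a small IoC triage scan
over an extensions tree and a LaunchAgents folder. Sample files are constructed
in a temp directory so the script runs offline."""
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article above, matched as literal strings.
IOCS = {
    "45.32.151.157": "wave 3/4 C2",
    "217.69.11.60": "C2 (Nov 27)",
    "45.32.150.251": "exfiltration server",
    "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC": "Solana C2 wallet (wave 4)",
}
# Heuristic (assumption, not an article IoC): a LaunchAgent that runs osascript
# is worth a look given the reported AppleScript execution. Expect benign hits.
OSASCRIPT_RE = re.compile(rb"osascript", re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".json", ".plist", ".sh", ".scpt", ".txt"}


def scan_file(path: Path):
    """Return a list of (indicator, description) hits for one file."""
    hits = []
    try:
        data = path.read_bytes()
    except OSError:
        return hits
    for ioc, desc in IOCS.items():
        if ioc.encode() in data:
            hits.append((ioc, desc))
    if path.suffix == ".plist" and OSASCRIPT_RE.search(data):
        hits.append(("osascript in LaunchAgent", "heuristic, review manually"))
    return hits


def scan_for_iocs(root):
    """Walk root and return {relative_path: [hits]} for files with any hit."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_tree():
    """Constructed sample data: one clean extension, one carrying an article
    IoC, and a LaunchAgent that invokes osascript. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="glassworm-triage-"))
    clean = root / "extensions" / "good.ext-1.0.0"
    clean.mkdir(parents=True)
    (clean / "extension.js").write_text("module.exports = { activate() {} };\n")
    bad = root / "extensions" / "evil.ext-0.0.3" / "dist"
    bad.mkdir(parents=True)
    (bad / "extension.js").write_text("const u = 'http://45.32.151.157/api';\n")
    agents = root / "LaunchAgents"
    agents.mkdir()
    (agents / "com.example.updater.plist").write_text(
        "<plist><dict><key>ProgramArguments</key><array>"
        "<string>/usr/bin/osascript</string></array></dict></plist>\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_for_iocs(build_sample_tree()).items():
        for ioc, desc in hits:
            print(f"{rel}: {ioc} ({desc})")
```

Literal IoC matching will miss the next infrastructure rotation, which is the point of the blockchain dead drop; treat a hit as confirmation and the LaunchAgent heuristic as a prompt to read the plist and whatever script it launches.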

GlassWorm's trajectory runs from invisible Unicode to Rust binaries to encrypted JavaScript; from Windows to macOS; from credential theft to hardware wallet trojanization.
As of December 29, 2025, the C2 endpoints for trojanized wallet payloads return empty files, suggesting the attacker remains in preparation phases.
The malware includes a file-size check that refuses to install anything smaller than 1000 bytes, a sanity check that rejects empty or truncated downloads (such as the empty files the C2 currently serves) and suggests deliberate engineering rather than a quick hack. The capability exists; only the payloads await deployment.
GlassWorm’s evolution pattern demonstrates an adaptive adversary reading published security research and systematically upgrading tooling in response.
Each documented exposure triggers tactical evolution while maintaining strategic infrastructure. The threat remains active, evolving, and fully operational.
