Fake Chrome Extension May Be Spying on You!
GlassWorm: The Multi-Stage Supply Chain RAT Hiding in Plain Sight
Imagine running npm install on a trusted package and, within hours, every credential on the machine is gone. Browser sessions hijacked. Crypto wallets drained. A persistent backdoor phoning home through the Solana blockchain. That is exactly what GlassWorm does, and it is active right now.
This is not a theoretical exercise. GlassWorm is a multi-stage attack framework targeting software developers through poisoned packages on npm, PyPI, GitHub, and the OpenVSX marketplace. It moves from initial compromise to full system takeover across three distinct stages, each more dangerous than the last.
How GlassWorm Gets In
The initial infection vector is the software supply chain itself. The threat actor operates on two parallel tracks: publishing entirely new malicious packages and compromising the accounts of legitimate maintainers to push trojanized updates to trusted projects. This dual approach has been tracked across hundreds of compromised GitHub repositories and popular React packages on npm.
Two loader variants have been observed. The first uses invisible Unicode characters to hide malicious code, a technique that defeats visual code review entirely. The second takes a more conventional route via an obfuscated preinstall script. Both variants converge on the same execution logic once they reach the victim machine.
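A defender-side check for the first loader variant: the script below (added here, not code from the page or from any of the vendors it cites) scans source files for code points that render as nothing in an editor and reports where they sit. Which ranges count as invisible is my assumption; the page only says the loader hid code behind invisible Unicode characters.

```python
import os
import sys
import unicodedata

# Code point ranges that render as nothing in an ordinary editor view. Which ranges to flag is my
# assumption; the page only says the loader hid code behind "invisible Unicode characters".
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, bidi marks
    (0x2028, 0x202E),    # line/paragraph separators, bidi embeddings and overrides
    (0x2060, 0x206F),    # word joiner, invisible operators, bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (a BOM in the middle of a file)
    (0xE0000, 0xE007F),  # tag characters: invisible copies of ASCII
    (0xE0100, 0xE01EF),  # variation selectors supplement
)

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"  # any other "format" character has no place in source

def scan_source(text):
    """Return (line, column, 'U+XXXX') for every invisible code point in text.
    Splits on '\\n' only, so U+2028/U+2029 are reported rather than treated as line breaks."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}"))
    return findings

def scan_tree(root, exts=(".js", ".mjs", ".cjs", ".ts", ".py", ".json")):
    """Scan every source file under root; return {path: findings} for files that contain hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample: ordinary JavaScript followed by a run of tag characters that an editor shows as nothing.
SAMPLE = "const x = 1;\nmodule.exports = x;\U000E0041\U000E0042\n"

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "node_modules").items():
        line, col, cp = found[0]
        print(f"{path}: {len(found)} invisible code point(s); first is {cp} at line {line}, col {col}")
```

Point it at a freshly installed node_modules tree before the package's scripts get a chance to run; a clean tree should produce no output.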
Anti-Analysis and Geofencing
Before doing anything else, the loader checks whether the victim is located in Russia. It examines five locale signals, including the system username, LANG environment variable, and Intl locale settings, against a Russian locale pattern. It also checks the system timezone and UTC offset against a hardcoded list spanning Europe/Moscow through Asia/Anadyr. If a Russian locale is detected, execution halts. This CIS-region exclusion is a common pattern in financially motivated malware operations and offers a strong clue about the operator’s geography.
A rate-limiting mechanism also prevents repeated execution. The loader checks a timestamp file at ~/init.json (or %USERPROFILE%\init.json on Windows). If the file was written less than two hours ago, the loader goes dormant.
The Blockchain Dead Drop
Here is where GlassWorm gets genuinely clever. Rather than hardcoding a command-and-control URL that defenders can block or take down, the loader queries the Solana blockchain for its Stage 2 address. The operator stores the C2 URL in the memo field of a Solana transaction, which is permanent, publicly visible on-chain, and hosted on infrastructure that no single party can shut down.
The loader cycles through nine public Solana RPC endpoints until one responds, then polls in a 10-second loop until it finds a transaction with a non-null memo. The memo contains a Base64-encoded URL pointing to the Stage 2 payload server. The operator can rotate this URL at any time simply by sending a new Solana transaction. No package update is required. No infrastructure needs to be redeployed.
Two Solana wallet addresses have been observed across the loader variants, confirming that the Unicode loader and the obfuscated preinstall loader are part of the same operation.
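To pull the current Stage 2 URL out of the dead drop so it can be blocked, an analyst makes the same getSignaturesForAddress call the loader makes and decodes the memo. The following is an added example, not the loader's code or any vendor's tool; it runs offline against a constructed RPC response, and the "[length] text" memo format, the placeholder signatures and wallet, and the TEST-NET URL are assumptions.

```python
import base64
import json
import re

def rpc_request(wallet, limit=20):
    """JSON-RPC body that lists a wallet's recent transactions (the same call the loader makes)."""
    return {"jsonrpc": "2.0", "id": 1, "method": "getSignaturesForAddress",
            "params": [wallet, {"limit": limit}]}

def memo_text(memo):
    # Nodes return memos as "[<byte length>] <text>" (assumption from public RPC output); drop the prefix.
    m = re.match(r"^\[\d+\]\s", memo)
    return memo[m.end():] if m else memo

def decode_dead_drop(memo):
    """Base64-decode a memo; return the URL it carries, or None if it is not a Base64 URL."""
    try:
        text = base64.b64decode(memo_text(memo), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if re.match(r"^https?://\S+$", text) else None

def find_stage2_url(rpc_response):
    """Walk the signature list newest-first and return (signature, url) for the first usable memo."""
    for entry in rpc_response.get("result") or []:
        if entry.get("memo") is None:
            continue  # the loader keeps polling until a transaction with a non-null memo appears
        url = decode_dead_drop(entry["memo"])
        if url:
            return entry["signature"], url
    return None

def defang(url):
    """Render a URL safe to paste into a report: hxxp and bracketed dots."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")

# Constructed sample response: a newer transaction without a memo, then one carrying a Base64 URL.
_B64 = base64.b64encode(b"http://203.0.113.10:8080/stage2.js").decode()
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": [
    {"signature": "SIG_PLACEHOLDER_NEWEST", "slot": 2, "memo": None},
    {"signature": "SIG_PLACEHOLDER_OLDER", "slot": 1, "memo": f"[{len(_B64)}] {_B64}"},
]}

if __name__ == "__main__":
    print(json.dumps(rpc_request("WALLET_ADDRESS_PLACEHOLDER")))
    hit = find_stage2_url(SAMPLE_RESPONSE)
    print("no dead drop found" if hit is None else f"tx {hit[0]} -> {defang(hit[1])}")
```

Feeding the real response from a public RPC node into find_stage2_url gives the URL the loader would fetch at that moment, which is the value worth adding to egress blocklists.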
Stage 2: Credential Harvesting at Scale
Once Stage 2 lands, the payload becomes an aggressive data-theft framework. It targets 71 browser extension wallet IDs covering MetaMask, Phantom, Coinbase, Exodus, Binance, Ronin, Keplr, and others. It also sweeps standalone wallet application directories and collects .txt files and images from Documents and Desktop folders whose filenames suggest seed phrases or crypto holdings.
Developer credentials receive equally thorough treatment. The payload reads .npmrc files and NPM_TOKEN environment variables, validates stolen npm tokens in real time against the npm registry, and extracts tokens via the git credential command and VS Code internal storage. Cloud provider credentials for AWS, GCP, Azure, Docker, Kubernetes, SSH keys, Heroku, DigitalOcean, and Terraform are also copied.
Everything is staged under %TEMP%\hJxPxpHP, zipped, and exfiltrated via a POST request to 217.69.3[.]152/wall.
Stage 3: The Persistent RAT
Stage 3 downloads two components. The first is a .NET phishing binary that targets users with physical Ledger or Trezor hardware wallets. It monitors for USB device connections via a WMI event subscription. When a hardware wallet is plugged in, the binary launches a convincing phishing window that requests the 24-word recovery phrase. A background loop kills any real Ledger Live processes at one-second intervals and prevents the victim from closing the phishing window without entering credentials. Stolen seed phrases are transmitted to 45.150.34[.]158.
The second component is a WebSocket-based RAT saved as %APPDATA%\QtCvyfVWKH\index.js. Persistence is achieved through both a scheduled task (UpdateApp, running with highest privileges) and a Run registry key that executes a PowerShell launcher. The RAT hooks SIGINT, SIGTERM, SIGQUIT, and several other signals. If the process is killed, it schedules a re-download and restart of the payload.
DHT-Based C2 and Fallback Chains
The RAT resolves its primary C2 through a distributed hash table lookup for a pinned public key, bootstrapping through dht.libtorrent.org, router.bittorrent.com, and router.utorrent.com. If the DHT lookup fails, it falls back to the Solana memo dead-drop to fetch a new IP address. This layered resilience makes traditional network-based blocking extremely difficult. Defenders cannot simply sinkhole a domain or block a single IP.
The recovered infrastructure includes 217.69.0[.]159:10000 as the DHT bootstrap node, 45.32.150[.]251 as the WebSocket C2, and 217.69.3[.]152:80 as the exfiltration server.
The Fake Chrome Extension
Deep in Stage 3, the RAT force-installs a Chrome extension masquerading as “Google Docs Offline” (version 1.95.1). This extension resolves its own C2 from a separate Solana wallet, registers as an agent via a POST request, and begins polling for commands at randomized intervals between 5 and 30 seconds.
The extension’s capabilities are extensive. It can capture the full DOM tree of the active tab, dump all cookies (optionally filtered by domain), extract localStorage key-value pairs, take screenshots, read clipboard contents, pull up to 5,000 browser history entries, export the full bookmark tree, fingerprint the browser and hardware, and run a keylogger that hooks keydown, keyup, keypress, input, change, focus, and blur events across all pages.
It also performs targeted session surveillance. The extension ships with Bybit pre-configured as a monitored target, watching for authentication cookies and firing webhooks when they are detected.
Why This Matters Beyond Crypto
The current targeting skews heavily toward developers with cryptocurrency assets, but that framing undersells the threat. The stolen npm tokens, git credentials, cloud provider secrets, and VS Code data create the foundation for broader supply chain attacks that can reach far beyond the original victim. A compromised npm token, for example, can be used to push malicious code to packages consumed by thousands of downstream applications.
The SOCKS proxy capability in the RAT compounds this risk. It turns the victim machine into a proxy node, allowing the threat actor to route other attacks through the victim’s IP address.
Detection Priorities
Defenders should focus on several indicators. Check for the existence of %APPDATA%\QtCvyfVWKH\index.js and the PowerShell launcher at %LOCALAPPDATA%\QtCvyfVWKH\AghzgY.ps1. Look for the scheduled task named UpdateApp and the Run registry keys UpdateApp and UpdateLedger under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
On macOS, the malicious Chrome extension installs to /Library/Application Support/Google/Chrome/myextension/. On Windows, look for the extension directory named “jucku” under the Chrome local data path.
Audit browser extensions regularly. A duplicate “Google Docs Offline” entry, especially at version 1.95.1, is a strong signal. Monitor for outbound connections to the four IP addresses named above (217.69.3[.]152, 45.150.34[.]158, 217.69.0[.]159 and 45.32.150[.]251). Pin package versions. Treat sudden maintainer changes or large code rewrites in minor releases as review triggers.
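The host checks above as an added Python sweep (not from the page or the vendors it cites): it tests for the dropped files, the Run values and the UpdateApp task on Windows, and Chrome manifests named "Google Docs Offline" or a directory named "jucku" under a profile root you pass in. Treating UpdateApp and UpdateLedger as value names under the HKCU Run key, and the home directory as the default walk root, are assumptions.

```python
import json
import os
import subprocess
import sys

# Artifacts named on the page. Treating UpdateApp/UpdateLedger as value names under the HKCU Run key is an assumption.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = ("UpdateApp", "UpdateLedger")
DROPPED = [os.path.join(os.environ.get("APPDATA", "<unset>"), "QtCvyfVWKH", "index.js"),
           os.path.join(os.environ.get("LOCALAPPDATA", "<unset>"), "QtCvyfVWKH", "AghzgY.ps1"),
           "/Library/Application Support/Google/Chrome/myextension/"]
def classify_manifest(manifest):
    if manifest.get("name") != "Google Docs Offline":
        return None  # only "Google Docs Offline" entries are of interest here
    return "GlassWorm version 1.95.1" if manifest.get("version") == "1.95.1" else "verify genuine, check for a duplicate"

def scan_extensions(root):
    findings = []  # walk a Chrome profile tree; flag matching manifests and any directory named "jucku"
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath).lower() == "jucku":
            findings.append((dirpath, "extension directory named 'jucku'"))
        if "manifest.json" in files:
            try:
                with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as fh:
                    reason = classify_manifest(json.load(fh))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it rather than abort the sweep
            if reason:
                findings.append((dirpath, reason))
    return findings

def windows_persistence():
    import winreg  # Run-key values and the UpdateApp scheduled task; only callable on Windows
    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for name in RUN_VALUES:
            try:
                found.append((f"HKCU\\{RUN_KEY}\\{name}", winreg.QueryValueEx(key, name)[0]))
            except FileNotFoundError:
                pass
    if subprocess.run(["schtasks", "/Query", "/TN", "UpdateApp"], capture_output=True).returncode == 0:
        found.append(("schtasks", "scheduled task UpdateApp is present"))
    return found

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")  # pass the Chrome profile root to narrow the walk
    hits = [(p, "file present") for p in DROPPED if os.path.exists(p)] + scan_extensions(root)
    hits += windows_persistence() if sys.platform == "win32" else []
    for where, what in hits:
        print(f"[!] {where}: {what}")
```

Run it as the affected user so that HKCU and %APPDATA% resolve to that user's profile, and pass the Chrome User Data directory as the argument to keep the walk short.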
GlassWorm is a reminder that the software supply chain is now a primary attack surface. The combination of blockchain-based C2, DHT resilience, and layered persistence makes this threat significantly harder to disrupt than a conventional RAT. The developers it targets today are the entry point to the companies and users it compromises tomorrow.
Sources
Malwarebytes, “GlassWorm attack installs fake browser extension for surveillance,” https://www.malwarebytes.com/blog/news/2026/03/glassworm-attack-installs-fake-browser-extension-for-surveillance
Aikido Security, “GlassWorm Hides a RAT Inside a Malicious Chrome Extension,” March 18, 2026, https://www.aikido.dev/blog/glassworm-chrome-extension-rat