GlassWorm Malware Uses Solana Dead Drops to Steal Crypto and Browser Data
Cybersecurity researchers at Aikido said the GlassWorm campaign has grown into a multi-stage malware framework that can steal browser data, harvest crypto wallet secrets, and install a remote access trojan.
How the Campaign Works
In a report published last week, Aikido security researcher Ilyas Makari said the malicious code can also force-install a fake Google Chrome extension that pretends to be an offline version of Google Docs. “It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo,” Makari said.
GlassWorm is not a single infected package. Aikido said the operators use rogue packages across npm, PyPI, GitHub, and the Open VSX marketplace, and in some cases they compromise maintainers’ accounts to push poisoned updates.
The campaign also uses two loader styles: a Unicode-based loader and a more traditional obfuscated preinstall script. Both routes aim for the same result, which is to quietly plant a loader on developer systems without drawing attention.
How the Loader Reaches Stage 2
Once executed, the loader waits 10 seconds and then checks whether the victim appears to be in Russia. Aikido said it compares several locale signals, including the username, language environment variables, and system locale, against Russian indicators, and it also checks time zones tied to Russia.
If the machine matches, the malware stops. It also rate-limits itself by checking a local init.json file, which helps it avoid running too often on the same host. After that, the loader queries the Solana blockchain for a command server address hidden inside a transaction memo, trying public RPC endpoints until one responds.
That blockchain memo acts like a dead drop. Aikido said the loader looks for a non-null memo, decodes a Base64 link from it, and then pulls down a platform-specific payload from 45.32.150.251.
The company said the response contains the encrypted Stage 2 payload, which the malware decrypts and runs after sending the current platform name, such as win32, linux, or darwin, to the server. This design lets the attacker change the next stage without changing the malware already sitting on developer machines.
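The loader behaviour above (install-time hooks, a Unicode-based loader, a Base64-encoded link pointing at the payload host) suggests what a local triage scan of a suspect npm package can look for. The script below is an added example written for this article, not Aikido's analysis tooling or AFINE's glassworm hunter; the IoC IPs come from the article, while the invisible-character ranges, the Base64 heuristic and the sample package are assumptions constructed here.

```python
# Heuristic, offline scanner for one npm package tree (added example, not AFINE's glassworm hunter).
import base64, binascii, json, re, tempfile
from pathlib import Path

IOC_IPS = {"45.32.150.251", "217.69.3.152", "45.150.34.158"}  # IPs quoted in the article
HOOKS = ("preinstall", "install", "postinstall")             # scripts npm runs at install time
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")              # long Base64-looking literals
# Assumption: the Unicode-based loader hides code in runs of zero-width / variation-selector chars.
INVIS_RE = re.compile(r"[\u200b-\u200f\u2060-\u2064\ufeff\ufe00-\ufe0f\U000e0000-\U000e01ef]{8,}")

def decoded_iocs(text):
    """IoC IPs found in plaintext or inside Base64 literals (the dead-drop link is Base64-encoded)."""
    found = {ip for ip in IOC_IPS if ip in text}
    for lit in B64_RE.findall(text):
        try:
            plain = base64.b64decode(lit + "=" * (-len(lit) % 4), validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        found |= {ip for ip in IOC_IPS if ip in plain}
    return found

def scan_package(pkg_dir):
    """Return (file, finding) pairs; reads local files only and makes no network requests."""
    root, findings = Path(pkg_dir), []
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        findings += [("package.json", f"lifecycle hook {h}: {scripts[h]}") for h in HOOKS if h in scripts]
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in {".js", ".cjs", ".mjs", ".json"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if runs := len(INVIS_RE.findall(text)):
            findings.append((path.name, f"{runs} run(s) of invisible Unicode characters"))
        findings += [(path.name, f"references IoC {ip}") for ip in sorted(decoded_iocs(text))]
    return findings

def demo():
    """Write a constructed sample package that shows both loader patterns, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(json.dumps({"scripts": {"preinstall": "node index.js"}}), encoding="utf-8")
        link = base64.b64encode(b"http://45.32.150.251/").decode()  # constructed Base64 link to the article's IP
        hidden = "\u200b" * 12                                          # zero-width run standing in for hidden code
        (root / "index.js").write_text(f"const u = '{link}';{hidden}\n", encoding="utf-8")
        return scan_package(tmp)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Point scan_package at an unpacked package directory from your npm cache or node_modules; a hit on any of the three checks is a reason to inspect the package by hand, not proof of compromise.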
Data Theft and Wallet Phishing
Stage 2 is the data theft layer. Aikido said it gathers credentials, cryptocurrency wallet data, and host details, then stages everything in a temporary directory, compresses it into a ZIP file, and sends it to 217.69.3.152/wall.
The payload looks through %APPDATA% and %LOCALAPPDATA% for browser wallet extensions and standalone wallet apps, and it targets dozens of wallet IDs including MetaMask, Phantom, Coinbase, Exodus, Binance, Ronin, and Keplr.
It also scrapes text files from Documents and Desktop, copies image files that may contain seed phrases, and steals developer secrets from ~/.npmrc, NPM_TOKEN, git credential stores, and Visual Studio Code storage. Aikido said it also looks for cloud and infrastructure secrets tied to AWS, Google Cloud, Azure, Docker, Kubernetes, SSH, Heroku, DigitalOcean, and Terraform.
Phishing and Remote Access
The next stage delivers two more components. One is a .NET binary designed to phish for Ledger and Trezor recovery phrases. Aikido said it uses Windows Management Instrumentation to watch for USB device insertions and opens fake wallet recovery windows when it sees a hardware wallet.
The Ledger screen shows a made-up configuration error, while the Trezor screen claims firmware validation failed and asks for a 24-word recovery phrase. The binary also kills real Ledger Live processes, keeps reopening the phishing window if the victim closes it, and sends the stolen phrase to 45.150.34.158.
The second component is a WebSocket-based JavaScript RAT that Aikido said can recover its own command and control settings through a distributed hash table, with a Solana memo used as a fallback.
Once active, it can start or stop an HVNC module for hidden remote desktop access, launch a SOCKS-style proxy module, steal browser logs, report system information, and run attacker-supplied JavaScript through eval().
It targets Chrome, Edge, Brave, Opera, Vivaldi, and Firefox, and Aikido said it can bypass Chrome’s app-bound encryption protections. The malware also force-installs a Chrome extension called Google Docs Offline on Windows and macOS.
That extension can collect cookies, localStorage, the active tab’s DOM tree, screenshots, keystrokes, clipboard contents, up to 5,000 browser history entries, bookmarks, and the installed extensions list.
MCP Ecosystem
Lotan Sery, a Koi security researcher, said the campaign is also moving into the MCP ecosystem by publishing npm packages that impersonate the WaterCrawl Model Context Protocol server.
“This is GlassWorm’s first confirmed move into the MCP ecosystem,” Sery said. “And given how fast AI-assisted development is growing and how much trust MCP servers are given by design, this won’t be the last.”
Aikido and AFINE both advised developers to verify publisher names, package histories, and install sources carefully, especially for Open VSX extensions, npm packages, and MCP servers.
AFINE also released an open-source Python scanner called glassworm hunter, and researchers Paweł Woyke and Sławomir Zakrzewski said it makes no network requests during scans and reads only local files unless the user runs its update command.
Why This Matters
For developers, the takeaway is simple. GlassWorm is not just stealing files.
It is combining supply-chain abuse, blockchain-based command hiding, wallet phishing, browser theft, and persistent remote access in one operation.
Aikido said that makes careful package review, account protection, and local malware scanning especially important for teams that rely on npm, PyPI, GitHub, Open VSX, or MCP servers.