For the past year, threat researchers at various vendors have been tracking the efforts of a bad actor dubbed GlassWorm, known for dropping malicious extensions in code registries like npm, Open VSX, PyPI, and Microsoft’s Visual Studio Marketplace with the aim of stealing secrets and cryptocurrency.
This month, threat researchers wrote about a resurgence in activity by an evolved GlassWorm that includes new features and capabilities, including the ability to drop a remote access trojan (RAT), a focus on Model Context Protocol (MCP) servers, and what Socket analysts called a “significant escalation in how it spreads through Open VSX.” These join other features already known about GlassWorm, including the use of hidden Unicode characters to compromise GitHub repositories.
Aikido Security researchers found a multi-stage framework that installs a persistent RAT, along with a capability to force-install a Chrome extension disguised as Google Docs Offline.
GlassWorm now “logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo,” Aikido malware researcher Ilyas Makari wrote in a report.
A Koi security researcher wrote that in this fifth wave of GlassWorm attacks, the threat actor is using its invisible Unicode tactic with MCP servers, along with GitHub repositories and hundreds of extensions.
For their part, Socket researchers wrote about how the malware now moves through Open VSX.
“Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established,” the Socket researchers wrote.
The bad actor has kept the core GlassWorm tradecraft but has improved the malware’s ability to evade detection, they wrote.
“The newer variants still use staged JavaScript execution, Russian locale/timezone geofencing, Solana transaction memos as dead drops, and in-memory follow-on code execution, but they now rotate infrastructure and loader logic more aggressively,” the Socket researchers wrote.
The first stage of the latest GlassWorm variant seen by Aikido is similar to previous ones, according to Makari. The threat actor publishes malicious packages across npm, PyPI, GitHub, and Open VSX, both creating new packages and compromising maintainer accounts to push malicious versions of legitimate projects.
The variants either use an invisible Unicode loader – a technique researchers outlined last year – or a typical obfuscated preinstall script, and both share the same Solana blockchain command-and-control (C2) beacon.
“The loader polls in a 10-second loop until it finds a transaction with a non-null memo field,” he wrote. “Solana’s memo feature was designed to add annotations to transactions, but here it functions as a covert dead-drop. The memos are permanent, publicly visible on-chain, and stored on infrastructure that cannot be taken down by any single party.”
The payload used in the second stage delivers a framework used to harvest credentials, steal crypto wallets, exfiltrate cloud secrets, and profile hosts.
For the third stage, the malware downloads a phishing binary for crypto wallets and the RAT that can steal browser credentials, bypass Chrome app encryption, deploy HVNC modules for remote access, and install a malicious browser extension.
Koi security researcher Lotan Sery wrote that GlassWorm has “crawled into a place that should worry every developer building with AI tools: MCP servers.”
Koi’s risk engine pointed to a new npm package that initially looked to researchers like a legitimate MCP server – proper TypeScript, real dependencies, and a valid repository link – but eventually they found the GlassWorm signature: the same decoder, invisible Unicode variation selectors, and the same technique used in previous waves.
MCP servers are used to connect AI models to external data sources, tools, and applications, and have become a worry for many security pros.
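For defenders who want to check their own repositories and installed packages for the invisible Unicode loader and variation selectors described above, the following is an added example, not code from Koi, Aikido, or the article. It flags long consecutive runs of variation selectors; the threshold of 8 and the sample text are assumptions constructed for illustration.

```javascript
// Added example: flag runs of invisible Unicode variation selectors in source text.
// Ranges checked: U+FE00..U+FE0F (VS1-16) and U+E0100..U+E01EF (VS17-256).
// A legitimate selector follows a visible base character, one at a time;
// a long consecutive run has no rendering purpose and deserves manual review.
const MIN_RUN = 8; // assumed threshold, tune for your codebase

function isVariationSelector(cp) {
  return (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);
}

// Returns [{ line, column, length }], with column counted in code points (1-based).
function findSelectorRuns(text, minRun = MIN_RUN) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    let run = 0, startCol = 0, col = 0;
    const flush = () => {
      if (run >= minRun) findings.push({ line: idx + 1, column: startCol + 1, length: run });
      run = 0;
    };
    for (const ch of line) { // iterates by code point, not UTF-16 unit
      if (isVariationSelector(ch.codePointAt(0))) {
        if (run === 0) startCol = col;
        run++;
      } else {
        flush();
      }
      col++;
    }
    flush(); // a run may extend to the end of the line
  });
  return findings;
}

// Constructed sample: an emoji with a single selector (benign), then a template
// literal that looks empty but holds 12 selectors (arbitrary values, not a payload).
const hidden = Array.from({ length: 12 }, (_, i) => String.fromCodePoint(0xe0100 + i)).join("");
const sample = [
  'const label = "ok \u2764\ufe0f";',
  "const blob = `" + hidden + "`;",
].join("\n");

console.log(findSelectorRuns(sample));
```
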
“A compromised MCP server doesn’t need to hunt for credentials,” Sery wrote, noting that five versions, 1.3.0 through 1.3.4, were published in a single day. “They’re handed to it. That’s the whole point.”
Researchers found that the attacker forked the legitimate watercrawl-mcp repository to GitHub, injected the invisible payload, and published it under a new @iflow-mcp scope, a namespace created for the attack.
“This is GlassWorm’s first confirmed move into the MCP ecosystem,” she wrote. “And given how fast AI-assisted development is growing – and how much trust MCP servers are given by design – this won’t be the last.”
Socket researchers said that since January 31, they’ve identified at least 72 malicious extensions linked to the GlassWorm campaign, though Open VSX has since removed most of them. The malware has continued to evolve since the end of January.
That includes updating components most likely to be exposed, rotating the Solana infrastructure, adding C2 IPs, hardening the loader with heavier obfuscation, and shifting decryption material from the extension to operator-controlled HTTP response headers.
“GlassWorm is moving toward less visible, more resilient delivery: later-version manifest changes, transitive installation paths, heavier obfuscation, rotating Solana wallets and infrastructure, and threat actor-controlled decryption material,” they wrote. “Defenders should expect more extensions that look benign at publication, then become malicious through updates that add extensionPack or extensionDependencies. That model is likely to spread because it hides the real malicious component behind normal extension-management behavior.”
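The update pattern Socket describes, where an extension gains extensionPack or extensionDependencies entries only in a later version, can be checked by comparing an extension's manifests across releases. This is an added example, not Socket's tooling; the extension names, versions, and the case-insensitive ID comparison are assumptions made for illustration.

```javascript
// Added example: find extensionPack / extensionDependencies entries that were
// absent from an extension's first published manifest but appear in a later one.
const FIELDS = ["extensionPack", "extensionDependencies"];

// history: array of { version, manifest } in publication order (oldest first).
function lateAddedExtensions(history) {
  if (history.length === 0) return [];
  const norm = (id) => String(id).toLowerCase(); // assumption: IDs compared case-insensitively
  const seen = new Map(FIELDS.map((f) => [f, new Set()]));
  const findings = [];
  history.forEach(({ version, manifest }, i) => {
    for (const field of FIELDS) {
      const ids = Array.isArray(manifest[field]) ? manifest[field] : [];
      for (const id of ids) {
        const key = norm(id);
        if (seen.get(field).has(key)) continue; // already present in an earlier version
        seen.get(field).add(key);
        // Entries in the first version form the baseline; anything newer is reported.
        if (i > 0) {
          findings.push({ field, id, introducedIn: version, baseline: history[0].version });
        }
      }
    }
  });
  return findings;
}

// Constructed sample: package.json contents for three versions of a hypothetical extension.
const history = [
  { version: "1.0.0", manifest: { name: "theme-example", publisher: "example-pub",
      extensionDependencies: ["example-pub.icons"] } },
  { version: "1.0.1", manifest: { name: "theme-example", publisher: "example-pub",
      extensionDependencies: ["example-pub.icons"] } },
  { version: "1.1.0", manifest: { name: "theme-example", publisher: "example-pub",
      extensionDependencies: ["Example-Pub.Icons"],
      extensionPack: ["other-pub.helper-tools"] } },
];

console.log(lateAddedExtensions(history));
```

A finding is a prompt to review the newly referenced extension before allowing the update, since legitimate extensions also add dependencies over time.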