GlassWorm Just Moved Into AI Territory — And Your Developer Environment Is the Target

If you have developers running npm packages, PyPI libraries, VS Code extensions, or AI-assisted tooling, stop what you're doing and read this. GlassWorm — the supply chain campaign we've been tracking since early March — just evolved again. This time it's got a hardware wallet phisher, a blockchain-based C2 that dodges traditional detection, and it's now planting malicious packages inside the Model Context Protocol ecosystem. That last part is new, and it matters.

What GlassWorm Is Doing Now

The campaign started with rogue packages across npm, PyPI, GitHub, and the Open VSX marketplace. CybrPulse has tracked 39 GlassWorm-related stories in the past 30 days alone — part of a broader supply chain surge that's seen coverage jump from 26 stories the week of February 23 to 219 in the week of March 23. The operators have been relentless, and they keep adding capabilities.

Aikido researcher Ilyas Makari published a detailed breakdown of the new attack chain this week. The highlights:

Stage 1: Malicious package drops. GlassWorm packages execute on install. The initial payload reaches out to a C2 IP (`45.32.150[.]251`) — but it doesn't resolve that address the way your firewall expects. Instead, the malware reads a Solana blockchain memo transaction. The C2 IP is embedded in the memo. No suspicious DNS query. No domain to block. Just a public blockchain lookup.

Stage 2: Data theft framework. Once live, the payload harvests credentials, profiles the system, and vacuums up cryptocurrency wallet data. Everything gets compressed into a ZIP archive and shipped to `217.69.3[.]152/wall`. The stage 2 payload then pulls down two more components.

Stage 3: Hardware wallet phishing. A .NET binary watches for USB device connections via WMI. The moment you plug in a Ledger or Trezor, it kills the real Ledger Live process and throws up a convincing phishing window — fake firmware error, fake configuration prompt, 24 numbered fields for your recovery phrase. The seed phrase goes straight to `45.150.34[.]158`. If you close the window, it reopens.

Stage 4: The RAT. A WebSocket-based JavaScript RAT connects to C2 using a public Google Calendar event URL as a dead drop — another layer of evasion. From there, attackers can run HVNC remote desktop sessions, tunnel traffic via WebRTC SOCKS proxy, steal credentials from Chrome, Edge, Brave, Opera, Vivaldi, and Firefox (bypassing Chrome's app-bound encryption), and execute arbitrary JavaScript via `eval()`.

The RAT also force-installs a Chrome extension masquerading as "Google Docs Offline" on both Windows and macOS. That extension is aggressive: it pulls cookies, session tokens, DOM trees, screenshots, keystrokes, clipboard content, browser history (up to 5,000 entries), and the full installed extensions list. It comes pre-configured to surveil Bybit — specifically watching for `secure-token` and `deviceid` cookies and firing them to a webhook the moment it detects them.

The MCP Move

This is the detail that changes the threat model. GlassWorm has now published malicious npm packages impersonating the WaterCrawl Model Context Protocol server (`@iflow-mcp/watercrawl-watercrawl-mcp`). This is the campaign's first confirmed entry into the MCP ecosystem.

Koi researcher Lotan Sery put it plainly: "Given how fast AI-assisted development is growing — and how much trust MCP servers are given by design — this won't be the last."

MCP servers run with elevated trust by design. Developers integrate them into AI workflows and expect them to have access to filesystem, shell, and external services. A malicious MCP package is a nearly ideal initial access vector against a developer machine. This is not theoretical. It's already happening.
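A check for the package named above, as an added example (not code from this article or its sources): it walks an npm `package-lock.json` (v1, v2 or v3 layout), flags the impersonating package by name, and flags any MCP-named package that runs an install script. The `mcp` substring heuristic, the sample lockfile and its placeholder versions are assumptions.

```python
import json
import sys
from pathlib import Path

KNOWN_BAD = {"@iflow-mcp/watercrawl-watercrawl-mcp"}  # from the article; any version is flagged


def iter_packages(lock):
    """Yield (name, meta) for every entry in a package-lock.json (v1, v2 or v3)."""
    # v2/v3: flat "packages" map keyed by install path ("" is the root project)
    for path, meta in lock.get("packages", {}).items():
        if path:
            yield path.rsplit("node_modules/", 1)[-1], meta
    # v1: nested "dependencies" tree (skipped when "packages" already covers it)
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta
            yield from walk(meta.get("dependencies", {}))
    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return sorted findings as (severity, package, version, reason)."""
    findings = set()
    for name, meta in iter_packages(lock):
        version = meta.get("version", "?")
        if name in KNOWN_BAD:
            findings.add(("high", name, version, "name matches published GlassWorm IOC"))
        elif "mcp" in name.lower() and meta.get("hasInstallScript"):
            findings.add(("review", name, version, "MCP package runs code at install time"))
    return sorted(findings)


# Constructed sample (lockfileVersion 3 layout); versions and non-IOC names are placeholders.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@iflow-mcp/watercrawl-watercrawl-mcp": {"version": "0.0.0", "hasInstallScript": True},
        "node_modules/example-mcp-server": {"version": "0.0.0", "hasInstallScript": True},
        "node_modules/example-utils": {"version": "0.0.0"},
    },
}

if __name__ == "__main__":
    lock = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_LOCK
    for finding in audit_lockfile(lock):
        print(*finding, sep=" | ")
```

Run it with a path to a real `package-lock.json`, or with no arguments to see the constructed sample. A `review` result is a prompt to verify the publisher, not a verdict.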

What Defenders Need to Do

The operators are avoiding Russian locale systems — consistent with Eastern European or CIS-adjacent origin — which won't help the rest of the world much.

Here's the immediate checklist:

  1. Scan developer machines now. Polish security firm AFINE released `glassworm-hunter`, an open-source Python scanner that checks for known GlassWorm IOCs using only local file reads — no network calls, no telemetry. Run it.
  2. Block the known C2 IPs. `45.32.150[.]251`, `217.69.3[.]152`, `45.150.34[.]158`. These are live infrastructure. Add them to your blocklists.
  3. Audit MCP server installations. Anything installed from npm in the MCP space needs verification — publisher identity, package history, download counts. The WaterCrawl impersonation is one package; assume there are others.
  4. Warn developers about hardware wallet safety. Any environment that could be compromised should never be used to interact with a hardware wallet. The WMI-based USB watcher is a real threat.
  5. Review Chrome extension deployments. The "Google Docs Offline" impersonation targets both Windows and macOS. Audit installed extensions across developer systems.
  6. Treat blockchain-based C2 as a detection gap. Traditional domain blocklists and DNS-based detections won't catch Solana memo lookups or Google Calendar dead drops. If your tooling isn't inspecting for that, you have a blind spot.
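A starting point for the C2 blocklist and the dead-drop blind spot in the checklist above, as an added example (not code from this article, its sources, or `glassworm-hunter`): it refangs the three listed C2 addresses and hunts an egress log for them, and for non-browser processes contacting hosts that can serve as a Solana or Google Calendar lookup. The log format, the Solana RPC hostname, the browser process list and every sample line are assumptions; the page does not say which endpoints the malware queries.

```python
import ipaddress
import re

DEFANGED_C2 = ["45.32.150[.]251", "217.69.3[.]152", "45.150.34[.]158"]  # as listed in the article

# Assumptions, not from the article: lookup hosts and browser process names. Tune both.
DEAD_DROP_HOSTS = {"api.mainnet-beta.solana.com", "calendar.google.com"}
BROWSERS = {"chrome", "msedge", "firefox", "brave", "opera", "vivaldi", "safari"}

# Constructed log format: "<timestamp> <host> <process> <dest-host-or-ip>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+)$")


def refang(indicator):
    """Turn a defanged 'a.b.c[.]d' indicator into a validated ipaddress object."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

C2_IPS = {refang(i) for i in DEFANGED_C2}


def hunt(lines):
    """Return (severity, host, process, destination) for each suspicious line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _ts, host, proc, dest, _port = m.groups()
        try:
            if ipaddress.ip_address(dest) in C2_IPS:
                hits.append(("high", host, proc, dest))
            continue  # IP literal handled; hostname checks do not apply
        except ValueError:
            pass  # destination is a hostname, not an IP literal
        if dest.lower() in DEAD_DROP_HOSTS and proc.lower() not in BROWSERS:
            hits.append(("review", host, proc, dest))
    return hits


# Constructed sample egress log; hosts, processes and timestamps are invented.
SAMPLE_LOG = [
    "2025-01-01T09:14:02Z dev-laptop-07 node api.mainnet-beta.solana.com:443",
    f"2025-01-01T09:14:03Z dev-laptop-07 node {refang(DEFANGED_C2[0])}:80",
    "2025-01-01T09:15:40Z dev-laptop-07 chrome calendar.google.com:443",
    "2025-01-01T09:16:11Z dev-laptop-12 node calendar.google.com:443",
    "2025-01-01T09:17:00Z dev-laptop-12 node registry.npmjs.org:443",
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_LOG), sep="\n")
```

The browser exemption is a triage heuristic to cut noise from normal Calendar use; it does not clear browser traffic on a host that already has a `high` hit.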

Supply chain attack coverage in CybrPulse feeds has been accelerating all month. GlassWorm is one campaign among many, but it's the most technically sophisticated we've tracked this cycle. The MCP expansion is the kind of pivot that historically signals a threat actor testing new territory before scaling up. Watch this space.


*CybrPulse tracks thousands of security news sources daily. All data referenced reflects our ingested feed coverage. IOCs sourced from Aikido Security and Koi Research.*
