A new malware attack known as GlassWorm is targeting macOS systems through compromised OpenVSX extensions. The threat emerged after a legitimate developer's account was hacked, allowing attackers to push malicious updates to four extensions. These extensions had been downloaded over 22,000 times and included innocuous tools that were compromised on January 30. The malware is designed to steal sensitive information such as passwords, cryptocurrency wallet data, and developer credentials. GlassWorm first appeared in late October and has since evolved to include remote access features and sophisticated data theft capabilities. The malware employs invisible Unicode characters to hide its code and specifically targets macOS environments by pulling instructions from Solana transaction memos. Notably, it excludes Russian-locale systems, hinting at the attacker's potential origin. The malware collects data from various sources, including browser information and macOS keychain data, and sends it back to the attackers’ servers. After discovering the compromised extensions, Socket's security team reported the issue to the Eclipse Foundation, which manages OpenVSX. The foundation confirmed the unauthorized access and took steps to revoke tokens and remove the malicious releases. While the affected extensions are now clean, developers who previously downloaded the compromised versions are advised to perform thorough system clean-ups and change their passwords and secrets to mitigate any potential damage.