Cybersecurity researchers have uncovered a new campaign attributed to the threat actor group known as GlassWorm. The operation involves the distribution of 24 malicious browser extensions that impersonate popular developer tools and utilities. These extensions were designed to steal sensitive information from infected systems.
The malicious extensions masqueraded as legitimate tools such as JSON formatters, API clients, and code beautifiers to lure software developers and IT professionals into installing them. Once installed, the extensions executed malicious code in the background, operating without the user’s knowledge.
Campaign Modus Operandi
The primary function of the GlassWorm extensions was credential and data theft. The malware was coded to capture form data from web pages, specifically targeting login fields to harvest usernames and passwords. Furthermore, the extensions actively exfiltrated browser cookies and session tokens, allowing the attackers to hijack active user sessions for various online services, including code repositories and project management platforms.
Analysis of the extensions revealed that all collected data was encrypted and transmitted to a command-and-control (C2) server infrastructure operated by the GlassWorm group. The extensions also possessed the capability to inject custom JavaScript into visited web pages, enabling the attackers to modify page content or display phishing prompts.
Distribution and Mitigation
The distribution of these malicious extensions occurred primarily through third-party software repositories and targeted posts on developer-focused social media platforms. The attackers leveraged these channels to promote the extensions as useful productivity tools. The extensions successfully bypassed initial security screenings by delaying the execution of their malicious payloads until after installation.
Upon discovery, security firms reported the extensions to the relevant authorities and platform owners for takedown. Users of developer-focused browser extensions are advised to download tools only from official and verified web stores and to scrutinize the permissions requested by any new extension before installation.
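The advice to scrutinize permissions can be turned into a mechanical check before an extension is installed or allowed by policy. The following script is an added example, not code from the article or from the reporting it summarizes; it reads an extension's manifest.json (Manifest V2 or V3) and flags the combination of permissions that would make the behaviour described above possible, namely broad host access together with cookie, request-interception or script-injection rights. The permission list, the two sample manifests and the severity rules are assumptions constructed for this example.

```python
import json

# Permissions that, paired with broad host access, would let an extension read
# login form fields, harvest cookies and session tokens, or inject JavaScript
# into visited pages. This list is an assumption of the example, not a
# vendor rule set.
SENSITIVE_PERMISSIONS = {
    "cookies": "can read cookies and session tokens for permitted hosts",
    "webRequest": "can observe request and response traffic for permitted hosts",
    "webRequestBlocking": "can modify or block requests for permitted hosts",
    "scripting": "can inject JavaScript into pages on permitted hosts",
    "tabs": "can read URLs and titles of all open tabs",
    "clipboardRead": "can read the clipboard",
    "history": "can read browsing history",
    "declarativeNetRequest": "can rewrite or redirect requests",
}

# Host match patterns that cover every site rather than a named service.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def _is_broad(pattern):
    """True if a match pattern grants access to any host."""
    p = pattern.strip()
    return p in BROAD_HOST_PATTERNS or p.startswith("*://*/")


def assess_manifest(manifest):
    """Return a list of (severity, finding) tuples for a parsed manifest.

    severity is "high" or "medium"; an empty list means nothing was flagged.
    """
    findings = []
    declared = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into
    # permissions, so collect both.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in declared if "://" in p or p == "<all_urls>"]
    cs_hosts = [m for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])]

    broad_hosts = [h for h in hosts + cs_hosts if _is_broad(h)]
    if broad_hosts:
        findings.append(("high", f"broad host access: {sorted(set(broad_hosts))}"))
    if any(_is_broad(m) for m in cs_hosts):
        findings.append(("high", "content script runs on every page (can read form fields)"))

    for perm in sorted(declared & set(SENSITIVE_PERMISSIONS)):
        # The dangerous trio is only fully exploitable against every site when
        # host access is broad; otherwise it is scoped to named hosts.
        sev = "high" if broad_hosts and perm in ("cookies", "webRequest", "scripting") else "medium"
        findings.append((sev, f"permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}"))
    return findings


def assess_manifest_text(text):
    """Convenience wrapper taking the raw manifest.json contents."""
    return assess_manifest(json.loads(text))


def highest_severity(findings):
    """Collapse findings to a single label: "high", "medium" or "none"."""
    levels = {s for s, _ in findings}
    return "high" if "high" in levels else "medium" if levels else "none"


# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example API Client (constructed)",
    "permissions": ["activeTab", "storage"],
})

RISKY_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Code Beautifier (constructed)",
    "permissions": ["cookies", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("risky", RISKY_MANIFEST)):
        findings = assess_manifest_text(text)
        print(f"{label}: overall {highest_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against a real manifest with `assess_manifest_text(open("manifest.json").read())`. The point of the check is the combination, not any single permission: a JSON formatter that only asks for `activeTab` cannot reach cookies or other tabs, whereas one that wants `cookies`, `webRequest` and `<all_urls>` has exactly the reach the campaign above relied on, and that request deserves a question before installation regardless of how useful the tool looks.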
Source: https://thehackernews.com/2025/12/glassworm-returns-with-24-malicious.html