CATEGORIES
home IT Infrastructure Security

Nasty GlassWorm Malware Pivots From Windows To Target Mac Users

by Alan VelascoFriday, January 02, 2026, 01:21 PM EDT
macos glassworm malware hero
Security firm Koi has been busy lately. Its researchers have not only uncovered a sprawling spyware campaign, but they're also keeping tabs on the ever-evolving malware dubbed GlassWorm. In its latest form, GlassWorm has shifted from exclusively targeting Windows users to targeting macOS users as well, and it has a dangerous new trick up its sleeve to boot.

GlassWorm spreads by inserting malicious code into legitimate VS Code extensions. The threat actor behind the malware uses special Unicode characters that generate no visual output, meaning that a developer would have a difficult time spotting anything suspicious harbored in their code base.

After making the switch to target macOS, the threat actors behind GlassWorm have shown an impressive skill set. This latest incarnation is handcrafted to take advantage of the macOS environment. It uses AppleScript to stealthily execute code, ensures persistence with the use of LaunchAgents, and opportunistically steals data stored in the Keychain.

macos glassworm malware body

So why has this threat actor made this change? The security researchers chalk it up to the kinds of data the attackers want most: cryptocurrency. Macs are commonly used by developers in various industries, including web3 and crypto startups, making macOS fertile ground worth going after.

What makes it particularly potent this time around is that Glasswork is now capable of attacking hardware wallets. GlassWorm is able to replace the applications used to manage these wallets with a trojanized version of its own, bypassing the security protections offered by hardware wallets. For now, this functionality is merely present and hasn’t been activated, but it’s just a matter of time until it’s completely enabled.

Malware such as this one is insidious because it leverages legitimate extensions to deliver payloads, making it difficult for users to avoid. The best advice is to limit how many extensions you download to minimize the risk of a shady extension infecting your systems.
Tags:  Malware, cybersecurity, macos
AV

Alan Velasco

Opinions and content posted by HotHardware contributors are their own.
TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2026 Hot Hardware Inc, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment