GlassWorm Supply Chain Attack Abuses Trusted Open VSX Extensions to Steal Developer Secrets
A supply chain attack tracked as GlassWorm compromised the Open VSX Registry after threat actors gained unauthorized access to the publishing credentials of a legitimate developer account, oorzc. On January 30, 2026, malicious updates were pushed to four long-standing Open VSX extensions with a combined install base exceeding 22,000 downloads, embedding a staged loader that decrypts and executes payloads at runtime. The loader performs environment checks to avoid execution on Russian-locale systems, resolves command-and-control instructions from Solana transaction memos, and dynamically retrieves follow-on code, reducing reliance on static infrastructure and complicating detection and takedown. Unlike earlier GlassWorm activity that relied on typosquatting and cloned tools, this campaign abused an established publisher identity with a multi-year history, significantly increasing user trust and the potential impact across developer ecosystems. The downstream payloads observed in this incident are macOS-focused information stealers that establish persistence via LaunchAgents and aggressively harvest high-value data, including browser cookies and login databases, cryptocurrency wallets, macOS keychain material, Apple Notes data, and sensitive developer credentials such as AWS keys, SSH private keys, npm tokens, and GitHub authentication artifacts. This capability extends the risk beyond individual workstations, enabling cloud account compromise, CI/CD abuse, and broader supply-chain impact through stolen developer access. Following disclosure, the Eclipse Foundation’s Open VSX security team revoked the compromised publisher tokens, removed the malicious releases, and fully delisted one extension due to repeated abuse. Organizations and developers who installed affected versions should treat this as a credential exposure event, remove the extensions, inspect systems for persistence artifacts, and immediately rotate all developer, cloud, and source-control secrets.
ClawHavoc Campaign Floods OpenClaw Marketplace with Malware-Laced Skills
Security researchers uncovered a large-scale supply chain campaign, dubbed ClawHavoc, that seeded the OpenClaw (formerly Moltbot/ClawdBot) ecosystem with hundreds of malicious skills designed to trick users into installing malware. After auditing all 2,857 skills on ClawHub, Koi Security identified 341 malicious packages, 335 of which were attributed to a single coordinated operation, making this one of the largest known attacks against an AI assistant skill marketplace to date. The malicious skills were disguised as high-demand utilities such as crypto wallet tools, Polymarket bots, YouTube helpers, Google Workspace integrations, and auto-updaters, often relying on typosquatting and mass cloning to scale distribution. Rather than embedding malware directly in the skill code, most samples used documentation-based social engineering, instructing users to install fake “prerequisite” tools that delivered password-protected archives or obfuscated shell scripts to evade security scanning. Technical analysis shows that the campaign primarily delivered macOS information stealers, including variants of Atomic Stealer (AMOS) and NovaStealer, capable of harvesting browser credentials, cryptocurrency wallets, SSH keys, API tokens, cloud credentials, and sensitive local files. Several outlier skills embedded active backdoors directly into otherwise functional code, triggering reverse shells during normal usage, while others exfiltrated OpenClaw configuration files containing secrets. The attackers systematically targeted OpenClaw’s deepest trust boundary: skills that bots install and execute with broad access to local systems, email, calendars, and user data. Users should treat skill installation as equivalent to running untrusted code, isolate assistants in restricted environments, and avoid following external “prerequisite” instructions unless independently verified.
HoneyMyte Expands CoolClient and Deploys Multi-Tool Stealer Ecosystem Across Asia and Europe
The HoneyMyte APT group, also tracked as Mustang Panda and Bronze President, continues to expand its cyber-espionage operations across Asia and parts of Europe, with Southeast Asia remaining the most heavily targeted region. Recent investigations show the group significantly upgraded its CoolClient backdoor throughout 2025, deploying it alongside established malware such as PlugX, ToneShell, QReverse, and LuminousMoth, primarily against government entities. The latest CoolClient variants are delivered via encrypted loaders and DLL sideloading using legitimate signed software, and introduce new surveillance capabilities, including clipboard monitoring and HTTP proxy credential theft, signaling a shift toward deeper, user-centric data collection rather than traditional document-only espionage. In parallel, HoneyMyte has operationalized multiple browser credential stealers targeting Chrome, Edge, and other Chromium-based browsers, as well as PowerShell and batch scripts designed for large-scale system reconnaissance and document exfiltration. These tools extract saved login credentials using Windows DPAPI, harvest cookies and proxy authentication data, and exfiltrate compressed archives through FTP servers and public file-sharing services such as Google Drive and Pixeldrain. The coordinated use of backdoors, modular plugins, credential stealers, and automated collection scripts demonstrates a mature post-exploitation framework focused on persistence, lateral intelligence gathering, and long-term access within high-value government environments, underscoring the need for robust endpoint monitoring, credential hygiene, and detection of DLL sideloading and abnormal data exfiltration patterns.
Anatsa Banking Trojan Dropper Discovered on Google Play Store
ThreatLabz has identified a malicious Android application on the Google Play Store masquerading as a legitimate document reader that functioned as a dropper for the Anatsa banking trojan. The app accumulated 50,000+ downloads before removal, highlighting its ability to bypass Google Play’s security controls by presenting benign functionality while quietly staging a secondary payload. Once installed, the application leveraged a multi-stage infection chain, contacting attacker-controlled infrastructure to download and deploy Anatsa, allowing the operators to delay delivery and dynamically adjust payloads to evade detection. Anatsa is a long-running, highly capable banking trojan active since at least 2019, known for targeting financial institutions across Europe, the Middle East, and Asia. Its capabilities include credential harvesting via overlay attacks, SMS interception, real-time activity monitoring, and automated transaction fraud that can execute without user interaction. The discovery reinforces a persistent trend where threat actors abuse trusted app marketplaces and common utility themes to maximize reach, using obfuscation and staged delivery to remain resident long enough to compromise large victim pools. Users should immediately uninstall the affected application, perform a full mobile security scan, monitor banking accounts for fraudulent activity, and ensure Google Play Protect and the Android OS are fully updated, while organizations should treat this as another indicator that official app stores are not a sufficient security control on their own.
