Malicious Mac extensions steal crypto wallets and passwords

Mac users often presume they're safer than everyone else, particularly erstwhile they instrumentality to authoritative app stores and trusted tools.

That consciousness of information is precisely what attackers similar to exploit. Security researchers person present uncovered a caller question of malicious Mac extensions that don't conscionable spy connected you, but tin besides bargain cryptocurrency wallet data, passwords and adjacent Keychain credentials. What makes this run particularly concerning is wherever the malware was found, wrong morganatic hold marketplaces that galore radical spot by default.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Once active, GlassWorm targets passwords, crypto wallets, and adjacent your macOS Keychain without evident informing signs. (Cyberguy.com)

How malicious Mac extensions slipped into trusted stores

Security researchers astatine Koi Security uncovered a caller question of the GlassWorm malware hiding wrong extensions for codification editors similar Visual Studio Code (via Bleeping Computer). If you're not acquainted with codification editors, they're tools developers usage to constitute and edit code, akin to however you mightiness usage Google Docs oregon Microsoft Word to edit text. These malicious extensions appeared connected some the Microsoft Visual Studio Marketplace and OpenVSX, platforms wide utilized by developers and powerfulness users.

FAKE AI CHAT RESULTS ARE SPREADING DANGEROUS MAC MALWARE

At archetypal glance, the extensions looked harmless. They promised fashionable features similar codification formatting, themes oregon productivity tools. Once installed, though, they softly ran malicious codification successful the background. Earlier versions of GlassWorm relied connected hidden substance tricks to enactment invisible. The latest question goes further by encrypting its malicious codification and delaying execution, making it harder for automated information checks to catch.

Even though this run is described arsenic targeting developers, you don't request to constitute codification to beryllium astatine risk. If you usage a Mac, instal extensions oregon store passwords oregon cryptocurrency connected your system, this menace inactive applies to you.

What GlassWorm does erstwhile it's connected your Mac

Once active, GlassWorm goes aft immoderate of the astir delicate information connected your device. It attempts to bargain login credentials tied to platforms similar GitHub and npm, but it doesn't halt there. The malware besides targets browser-based cryptocurrency wallets and present tries to entree your macOS Keychain, wherever galore saved passwords are stored.

Researchers besides recovered that GlassWorm checks whether hardware wallet apps similar Ledger Live oregon Trezor Suite are installed. If they are, the malware attempts to regenerate them with a compromised mentation designed to bargain crypto. That portion of the onslaught isn't afloat moving yet, but the functionality is already successful place.

To support access, the malware sets itself up to tally automatically aft a reboot. It tin besides let distant entree to your strategy and way net postulation done your Mac without you realizing it, turning your instrumentality into a quiescent relay for idiosyncratic else.

Some of the malicious extensions showed tens of thousands of downloads. Those numbers tin beryllium manipulated, but they inactive make a mendacious consciousness of spot that makes radical much apt to instal them.

7 steps you tin instrumentality to enactment harmless from malicious Mac extensions

Malicious extensions don't look dangerous. That's what makes them effective. These steps tin assistance you trim the risk, adjacent erstwhile threats gaffe into trusted marketplaces.

1) Only instal extensions you really need

Every hold you instal increases risk. If you're not actively utilizing one, region it. Be particularly cautious of extensions that committedness large productivity gains, premium features for escaped oregon imitate fashionable tools with somewhat altered names.

2) Verify the steadfast earlier installing anything

Check who made the extension. Established developers usually person a wide website, documentation and update history. New publishers, vague descriptions oregon cloned names should rise reddish flags.

These malicious extensions looked similar adjuvant tools but softly ran hidden codification erstwhile installed. (Cyberguy.com)

3) Use a password manager

A password manager keeps your logins encrypted and stored safely extracurricular your browser oregon editor. It besides ensures each relationship has a unsocial password, truthful if 1 acceptable of credentials is stolen, attackers can't reuse it elsewhere.

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2026 astatine Cyberguy.com.

HOW HACKERS ARE BREAKING INTO APPLE DEVICES THROUGH AIRPLAY

4) Run beardown antivirus bundle connected your Mac

Modern macOS malware doesn't ever driblet evident files. Antivirus tools contiguous absorption connected behavior, looking for suspicious inheritance activity, encrypted payloads and persistence mechanisms utilized by malicious extensions. This adds a captious information nett erstwhile thing slips done authoritative marketplaces.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the best 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

5) Consider a idiosyncratic information removal service

When your information leaks, it often spreads crossed information broker sites and breaches databases. Personal information removal services assistance trim however overmuch of your accusation is publically available, making it harder for attackers to people you with follow-up scams oregon relationship takeovers.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my top picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

6) Turn connected two-factor authentication (2FA)

Enable 2FA wherever possible, particularly for email, unreality services, developer platforms and crypto-related accounts. Even if a password is stolen, 2FA tin halt attackers from logging in.

7) Keep macOS and your apps afloat updated

Security updates adjacent gaps that malware relies on. Turn connected automatic updates truthful you're protected adjacent if you miss the headlines oregon hide to cheque manually.

Mac users often spot authoritative app stores, but that spot is precisely what attackers are counting on. (Kurt "CyberGuy" Knutsson)

Kurt's cardinal takeaway

GlassWorm shows that malware doesn't ever travel from shady downloads oregon evident scams. Sometimes it hides wrong tools you already trust. Even authoritative hold stores tin big malicious bundle agelong capable to origin existent harm. If you usage a Mac and trust connected extensions, a speedy reappraisal of what's installed could prevention you from losing passwords, crypto oregon entree to important accounts.

When was the past clip you checked the extensions moving connected your Mac? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.