GlassWorm Evolves: A Cross-Platform Cyber Campaign Targets Mac Developers with Hardware Wallet Trojans

GlassWorm Evolves: A Cross-Platform Cyber Campaign Targets Mac Developers with Hardware Wallet Trojans

Two and a half months ago, we first spotted GlassWorm — a quiet, sneaky piece of malware that slipped into Visual Studio Code extensions by hiding malicious code inside invisible Unicode characters. Back then, it was mostly targeting Windows developers, slipping under the radar like a shadow in a crowded office. But now? That’s all changed.

This week, we’ve confirmed the arrival of Wave 4 — and it’s not just an update. It’s a full-blown shift. GlassWorm has officially moved from Windows to macOS. And this isn’t some random pivot. It’s calculated. It’s strategic. And it’s dangerous.

Here’s the thing: for the first three waves, GlassWorm stayed in the Windows world, where VS Code still rules the enterprise dev scene. But why would a threat actor go after Mac users? Why now?

Because Macs are no longer just for designers or creative types. They’re the go-to for blockchain devs, DeFi engineers, and startup founders building the next big thing in Web3. These are the people who manage private keys, deploy smart contracts, and run wallets on their machines —