Malicious Mac Extensions Steal Passwords and Crypto Wallets


Mac users often assume they are safer than others, especially when they stick to official app stores and trusted tools.

That feeling of security is exactly what attackers like to exploit. Security researchers have discovered a new wave of malicious Mac extensions that not only spy on you, but can also steal cryptocurrency wallet data, passwords, and even keychain credentials. What makes this campaign especially concerning is where the malware was found, within legitimate extension marketplaces that many people trust by default.


Once active, GlassWorm targets passwords, crypto wallets, and even your macOS keychain without obvious warning signs. (Cyberguy.com)

How malicious Mac extensions sneaked into trusted stores

Security researchers at Koi Security discovered a new wave of GlassWorm malware hidden inside extensions for code editors like Visual Studio Code (via Bleeping Computer). If you’re not familiar with code editors, they are tools that developers use to write and edit code, similar to how you might use Google Docs or Microsoft Word to edit text. These malicious extensions appeared on both the Microsoft Visual Studio Marketplace and OpenVSX, platforms widely used by developers and advanced users.


At first glance, the extensions seemed harmless. They promised popular features like code formatting, themes, or productivity tools. However, once installed, they silently executed malicious code in the background. Previous versions of GlassWorm relied on hidden text tricks to remain invisible. The latest wave goes further by encrypting its malicious code and delaying its execution, making it difficult for automated security checks to detect.

Although this campaign is described as targeting developers, you do not need to write code to be at risk. If you use a Mac, install extensions, or store passwords or cryptocurrencies on your system, this threat still applies to you.

What GlassWorm does once it’s on your Mac

Once active, GlassWorm searches for some of the most sensitive data on your device. It tries to steal login credentials linked to platforms like GitHub and npm, but it doesn’t stop there. The malware also targets browser-based cryptocurrency wallets and is now trying to access your macOS keychain, where many saved passwords are stored.

The researchers also discovered that GlassWorm checks whether hardware wallet applications such as Ledger Live or Trezor Suite are installed. If so, the malware attempts to replace them with a compromised version designed to steal cryptocurrency. That part of the attack is not fully working yet, but the functionality is already implemented.

To maintain access, the malware is configured to run automatically after reboot. It can also allow remote access to your system and route Internet traffic through your Mac without you realizing it, turning your device into a silent relay for someone else.

Some of the malicious extensions showed tens of thousands of downloads. Those numbers can be manipulated, but they still create a false sense of trust that makes people more likely to install them.

7 steps you can take to stay safe from malicious Mac extensions

Malicious extensions do not seem dangerous. That’s what makes them effective. These steps can help you reduce risk, even when threats reach trusted markets.

1) Install only the extensions you really need

Every extension you install increases the risk. If you’re not actively using one, delete it. Be especially wary of extensions that promise big productivity gains, free premium features, or that imitate popular tools with slightly modified names.

2) Check the publisher before installing anything

Check who made the extension. Established developers usually have a clear website, documentation, and update history. New publishers, vague descriptions, or cloned names should raise red flags.


These malicious extensions looked like useful tools, but they silently executed hidden code once installed. (Cyberguy.com)

3) Use a password manager

A password manager keeps your logins encrypted and stored securely outside of your browser or editor. It also ensures that each account has a unique password, so that if one set of credentials is stolen, attackers can’t reuse it elsewhere.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.


4) Run powerful antivirus software on your Mac

Modern macOS malware doesn’t always delete obvious files. Current antivirus tools focus on behavior, looking for suspicious background activities, encrypted payloads, and persistence mechanisms used by malicious extensions. This adds a crucial safety net when something slips into the official markets.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the Best Antivirus Protection Winners of 2026 for your Windows, Mac, Android and iOS devices at Cyberguy.com.

5) Consider a personal data deletion service

When your data is leaked, it often spreads through data broker sites and breach databases. Personal data deletion services help reduce the amount of your information publicly available, making it harder for attackers to target you with tracking scams or account takeovers.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my best options for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

6) Activate two-factor authentication (2FA)

Enable 2FA whenever possible, especially for email, cloud services, developer platforms, and cryptocurrency-related accounts. Even if a password is stolen, 2FA can prevent attackers from logging in.

7) Keep macOS and your apps fully up to date

Security updates close loopholes that malware depends on. Turn on automatic updates to stay protected even if you miss headlines or forget to check manually.


Mac users often trust official app stores, but that trust is exactly what attackers count on. (Kurt “CyberGuy” Knutsson)

Kurt’s Key Takeaway

GlassWorm shows that malware doesn’t always come from shady downloads or obvious scams. Sometimes it hides inside tools you already trust. Even official extension stores can host malicious software long enough to cause real damage. If you use a Mac and rely on extensions, a quick check of what’s installed could prevent you from losing passwords, cryptocurrency, or access to important accounts.
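The quick check of what's installed, along with the publisher and look-alike-name checks from steps 1 and 2, can be scripted. This is an added example, not part of the original article or of any tool it names; it assumes VS Code's default per-user extension folder `~/.vscode/extensions`, and the function names, the 30-day window and the 0.85 similarity threshold are illustrative choices.

```python
import json, sys, time
from difflib import SequenceMatcher
from pathlib import Path

# Assumption: VS Code's default per-user extension folder; other editors differ.
DEFAULT_DIR = Path.home() / ".vscode" / "extensions"

def load_extensions(ext_dir):
    """Read publisher, name and version from each extension's package.json."""
    found = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            modified = manifest.stat().st_mtime
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(meta, dict):
            continue
        found.append({
            "publisher": str(meta.get("publisher", "?")),
            "name": str(meta.get("name", manifest.parent.name)),
            "version": str(meta.get("version", "?")),
            "modified": modified,
            "flags": [],
        })
    return found

def review(exts, now=None, recent_days=30, similarity=0.85):
    """Flag recent changes and near-identical names from different publishers."""
    now = time.time() if now is None else now
    for ext in exts:
        if now - ext["modified"] < recent_days * 86400:
            ext["flags"].append("changed in last %d days" % recent_days)
        for other in exts:
            if other is ext or other["publisher"].lower() == ext["publisher"].lower():
                continue
            ratio = SequenceMatcher(None, ext["name"].lower(), other["name"].lower()).ratio()
            if ratio >= similarity:
                ext["flags"].append("name resembles %s.%s" % (other["publisher"], other["name"]))
    return exts

if __name__ == "__main__":
    ext_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for ext in review(load_extensions(ext_dir)):
        note = "  <-- " + "; ".join(ext["flags"]) if ext["flags"] else ""
        print("%s.%s %s%s" % (ext["publisher"], ext["name"], ext["version"], note))
```

A flag marks an extension to look at more closely, not a confirmed infection; anything you do not recognize or no longer use is a candidate for removal.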

When was the last time you checked the extensions running on your Mac? Let us know by writing to us at Cyberguy.com.


Copyright 2026 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives, with contributions to News and News Business beginning mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment at CyberGuy.com.
