Signal

MacOS infostealers: OpenVSX extension compromise and broader platform abuse trends

Published 2026-02-02 21:04 UTC · Updated 2026-02-02 22:04 UTC
malware, infostealer, macos, supply_chain, developer_tools, credential_theft
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth.
2 top sources shown
Infostealers without borders: macOS, Python stealers, and platform abuse
Microsoft Security Blog · News · microsoft.com · 2026-02-02 21:04 UTC
limited source diversity in top sources
Overview

Two reports published the same day point to accelerating credential-theft risk on macOS: a named GlassWorm operation leveraging compromised OpenVSX extensions to steal passwords and developer secrets, alongside Microsoft’s broader warning that infostealers are expanding beyond Windows via macOS-focused lures, cross-platform Python tooling, and abuse of trusted platforms and utilities for stealthy delivery at scale.

Entities
Microsoft, Microsoft Defender Experts, OpenVSX, GlassWorm, DigitStealer, MacSync, Atomic macOS Stealer (AMOS), Eternidade Stealer
Score total: 0.96
Momentum 24h: 2
Posts: 2
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
  • A new GlassWorm macOS campaign is reported using compromised OpenVSX extensions.
  • Microsoft reports ongoing macOS and Python-based infostealer activity observed since late 2025.
  • Attackers are actively abusing common utilities and platforms to deliver stealers at scale.
Why it matters
  • Compromised extensions can expose developer credentials/configs and enable wider downstream access.
  • macOS is increasingly targeted for credential/session theft, not just Windows.
  • Cross-platform tooling and trusted-platform abuse can scale delivery while reducing detection.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • Infostealer campaigns are increasingly targeting macOS, using social engineering and stealthy execution to harvest credentials and secrets.
  • Attackers are abusing trusted platforms/utilities and developer ecosystems to distribute credential-stealing malware.
How sources frame it
  • BleepingComputer: neutral
  • Microsoft Security Blog: neutral
Two-source cluster: a specific macOS supply-chain style malware delivery via OpenVSX extensions, plus a broader Microsoft advisory on macOS and cross-platform infostealers.
All evidence
New GlassWorm attack targets macOS via compromised OpenVSX extensions
BleepingComputer · bleepingcomputer.com · 2026-02-02 22:04 UTC
Infostealers without borders: macOS, Python stealers, and platform abuse
Microsoft Security Blog · microsoft.com · 2026-02-02 21:04 UTC
Posts loaded: 0 · Publishers: 2 · Origin domains: 2 · Duplicates: -
Top publishers (this list)
  • BleepingComputer (1)
  • Microsoft Security Blog (1)
Top origin domains (this list)
  • bleepingcomputer.com (1)
  • microsoft.com (1)