GlassWorm Malware Is Using Solana Wallets as C2 — How to Check if Yours Is Affected

SolGuard Security

GlassWorm is a new malware campaign discovered in March/April 2026 that does something Solana users need to understand: it uses Solana blockchain wallet addresses as command-and-control (C2) channels.

In simple terms, attackers are embedding malware commands into Solana transaction memo fields, and infected computers poll those wallet addresses every 10 seconds for new instructions. Your wallet could be involved without you knowing it.

How GlassWorm Uses Solana

Traditional malware phones home to a domain or IP address. Defenders can block those. GlassWorm is smarter: it uses the Solana blockchain as its C2 "dead drop."

Here's the attack flow:

  1. Victim installs malicious npm/PyPI package or VS Code extension (supply chain attack)
  2. Malware gets installed as a Chrome extension disguised as "offline Google Docs"
  3. The malware polls a hardcoded Solana wallet address every 10 seconds via public RPC
  4. Attacker sends transactions to that wallet with encoded commands in the memo field
  5. Malware reads the memo, decodes the command, and executes it

Since Solana transactions are public and permanent, this C2 channel is nearly impossible to shut down. No domain to blacklist, no IP to block.
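
The 10-second polling in step 3 leaves a regular timing pattern in proxy or DNS logs, even though there is no attacker domain to block. The following is an added example, not code from SolGuard or from any GlassWorm analysis: it flags clients that contact a Solana RPC host at a steady interval. The log format, client names, watch list and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: hosts to watch. api.mainnet-beta.solana.com is the public
# mainnet RPC endpoint; add any other RPC providers reachable from your network.
SOLANA_RPC_HOSTS = {"api.mainnet-beta.solana.com"}

def parse_line(line):
    """Parse 'ISO8601-timestamp client dest-host' (constructed log format)."""
    ts, client, dest = line.split()
    return datetime.fromisoformat(ts), client, dest

def find_beacons(lines, period=10.0, tolerance=2.0, max_jitter=1.0, min_hits=6):
    """Return {(client, dest): mean_interval} for clients polling a Solana RPC
    host at a steady interval close to `period` seconds."""
    seen = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, dest = parse_line(line)
        if dest in SOLANA_RPC_HOSTS:
            seen[(client, dest)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # Machine polling: mean gap near the period, with very low spread.
        if abs(avg - period) <= tolerance and jitter <= max_jitter:
            flagged[key] = round(avg, 2)
    return flagged

def sample_log():
    """Constructed sample: one steady 10 s poller, one irregular human user."""
    lines = [f"2026-04-02T09:{m:02d}:{s:02d} dev-laptop-7 api.mainnet-beta.solana.com"
             for m in (0, 1) for s in range(0, 60, 10)]
    for t in ("09:00:03", "09:00:04", "09:02:41", "09:07:15", "09:07:16", "09:30:00"):
        lines.append(f"2026-04-02T{t} trader-pc-2 api.mainnet-beta.solana.com")
    lines.append("2026-04-02T09:00:05 dev-laptop-7 registry.npmjs.org")
    return lines

if __name__ == "__main__":
    for (client, dest), avg in find_beacons(sample_log()).items():
        print(f"{client} polls {dest} every ~{avg}s")
```

A hit is a lead for host triage, not a verdict: wallet apps and dashboards also poll RPC endpoints on a timer.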

What This Means for Your Solana Wallet

There are two scenarios in which your wallet could be involved:

  1. Your wallet address is being used as a C2 dead drop by attackers (without your involvement; they just picked your address)
  2. You installed malicious software that's now polling a different wallet address for commands

In the second scenario, the malware steals your credentials, browser cookies, crypto wallets, and session tokens.

How to Check Your Wallet

SolGuard Bot on Telegram has added a free /glassworm scanner that checks any Solana address for C2 usage patterns:

  • Suspicious memo transaction patterns
  • Automated high-frequency transaction behavior
  • Known GlassWorm C2 signatures

To check your wallet: Open @SolGuard_Bot on Telegram and run /glassworm YOUR_WALLET_ADDRESS

Who Is at Risk?

GlassWorm primarily spreads through:

  • Hijacked npm packages (over 151 GitHub repos compromised)
  • Malicious PyPI packages targeting developers
  • Fake VS Code extensions
  • Compromised GitHub Actions

If you are a developer who installed npm or PyPI packages recently and you also hold Solana assets, you should run a scan.

Immediate Actions

  1. Check your wallet with /glassworm on @SolGuard_Bot
  2. Audit recently installed npm/pip packages
  3. Check VS Code extensions for anything unfamiliar
  4. Move assets to a hardware wallet if you suspect compromise
  5. Enable real-time monitoring at @SolGuard_Bot

SolGuard is a free Solana security monitor. @SolGuard_Bot on Telegram. No sign-up required.
