GlassWorm: The Malware Using Solana's Own Blockchain as a Command-and-Control Channel
SolGuard Security
GlassWorm is a sophisticated malware campaign first identified by The Hacker News on March 25, 2026. Unlike most crypto malware, it uses the Solana blockchain itself as a command-and-control (C2) channel — encoding attacker commands into on-chain memo fields to evade detection.
How GlassWorm Uses Solana as a C2 Dead Drop
Traditional C2 servers are easy to block. When a malware operator’s server gets taken down, infected machines go dark. GlassWorm’s authors solved this by hiding in plain sight: they broadcast commands by sending small SOL transactions to wallet addresses with memo instructions encoded in the memo program field.
Infected machines poll specific Solana wallet addresses for new transactions. When a new memo appears, the malware parses the encoded instruction. Since Solana transactions are permissionless and public, there’s no C2 server to block — the blockchain itself is the command channel.
What GlassWorm Actually Does
Once installed — primarily via malicious npm packages, PyPI modules, and poisoned GitHub repos — GlassWorm deploys a full remote access trojan (RAT) plus a malicious Chrome extension disguised as Google Docs. The payload:
- Logs all keystrokes and captures screenshots
- Steals browser cookies, saved passwords, and session tokens
- Detects Ledger and Trezor hardware wallet USB connections
- Displays persistent phishing overlays that mimic Ledger Live / Trezor Suite to steal 24-word seed phrases
- Has expanded into the MCP ecosystem via fake WaterCrawl MCP server packages
Why This Matters for Solana Users Right Now
The Drift Protocol $285M exploit on April 1 involved durable nonce pre-signed transactions and social engineering — techniques requiring the attacker to either control keys directly or manipulate signers. GlassWorm is the supply chain attack that steals those keys in the first place.
If you installed any Solana-related npm packages or PyPI modules in the last 90 days, you may have been exposed. Known malicious packages include fake versions of @solana/web3.js, solana-py, and several wallet utility libraries.
Detecting GlassWorm with On-Chain Monitoring
GlassWorm’s use of Solana memo fields as a C2 channel creates a detectable signal. Legitimate applications that use the Memo program typically send structured, human-readable memos (swap routing info, protocol notes). GlassWorm memos are encoded binary blobs — short, high-entropy strings that look like garbled text or base64.
Monitoring patterns to watch:
- Wallet addresses receiving unusually frequent micro-transactions (< 0.001 SOL) with memo fields
- High-entropy memo content (entropy > 4.5 bits per character suggests encoded data)
- Fan-out patterns: one sender broadcasting to hundreds of addresses with identical memo structure
- Transaction timing: GlassWorm polling typically fires at regular intervals (every 60-180 seconds)
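The four monitoring patterns above can be turned into a small set of heuristics run over transaction history for the addresses you watch. The following is an added illustration, not SolGuard's code or anything from the GlassWorm analysis. It assumes transactions have already been flattened into dicts with the keys sig, ts, sender, recipient, lamports and memo (memo is None when the transaction carries no Memo-program instruction), which you would populate from your RPC client; the addresses, signatures and memo contents in the sample are constructed placeholders. Thresholds follow the page: memos under 0.001 SOL, entropy above 4.5 bits per character, fan-out to 100 or more addresses (scaled down to 3 for the four-recipient sample), and a 60-180 second cadence.

```python
"""Heuristics for spotting C2-style Memo traffic on watched Solana addresses.

Added illustration, not SolGuard's code. Transaction records are assumed to be
pre-flattened dicts with keys sig, ts, sender, recipient, lamports, memo
(memo is None when the tx carries no Memo-program instruction).
"""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

LAMPORTS_PER_SOL = 1_000_000_000
MICRO_TX_LAMPORTS = LAMPORTS_PER_SOL // 1000  # 0.001 SOL, the page's micro-transfer threshold

# Constructed 40-character memo with no repeated characters: Shannon entropy
# log2(40) = 5.32 bits/char, the kind of blob that should trip the 4.5-bit rule.
C2_MEMO = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xYzZcXwVuT"


def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_suspicious_memo(memo, entropy_threshold=4.5):
    return memo is not None and shannon_entropy(memo) > entropy_threshold


def micro_memo_txs(txs):
    """Memo-carrying transfers below 0.001 SOL."""
    return [t for t in txs if t["memo"] and t["lamports"] < MICRO_TX_LAMPORTS]


def fan_out_senders(txs, min_recipients=100):
    """(sender, memo) pairs that reached at least min_recipients distinct addresses.

    Grouping on the exact memo text is a simplification of the page's
    'identical memo structure'; the default of 100 reflects its 'hundreds'.
    """
    recipients = defaultdict(set)
    for t in txs:
        if t["memo"]:
            recipients[(t["sender"], t["memo"])].add(t["recipient"])
    return {k: len(v) for k, v in recipients.items() if len(v) >= min_recipients}


def regular_interval(timestamps, lo=60, hi=180, max_jitter=0.2):
    """True when gaps between events are stable and average 60-180 seconds."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return lo <= avg <= hi and pstdev(gaps) <= max_jitter * avg


def beaconing_pairs(txs, **interval_kwargs):
    """(sender, recipient) pairs whose memo transfers arrive on a fixed cadence."""
    by_pair = defaultdict(list)
    for t in txs:
        if t["memo"]:
            by_pair[(t["sender"], t["recipient"])].append(t["ts"])
    return sorted(p for p, ts in by_pair.items() if regular_interval(ts, **interval_kwargs))


def analyze(txs, min_recipients=100):
    """Run all four heuristics and return the hits keyed by pattern."""
    return {
        "high_entropy": sorted(t["sig"] for t in txs if is_suspicious_memo(t["memo"])),
        "micro_memo": sorted(t["sig"] for t in micro_memo_txs(txs)),
        "fan_out": fan_out_senders(txs, min_recipients),
        "beaconing": beaconing_pairs(txs),
    }


def build_sample():
    """Constructed transactions (placeholder addresses, not real on-chain data)."""
    base = 1_700_000_000
    txs = []
    # One sender pushes the same high-entropy memo to four watched addresses,
    # 5000 lamports each, repeating every 120 seconds.
    for rnd in range(4):
        for i in range(1, 5):
            txs.append({"sig": f"c2-{rnd}-{i}", "ts": base + 120 * rnd, "sender": "C2SENDER",
                        "recipient": f"WATCHED-{i}", "lamports": 5_000, "memo": C2_MEMO})
    # Benign: a 0.5 SOL tip with a human-readable memo, and a plain transfer.
    txs.append({"sig": "benign-1", "ts": base + 50, "sender": "FRIEND", "recipient": "WATCHED-1",
                "lamports": 500_000_000, "memo": "thanks for the coffee"})
    txs.append({"sig": "plain-1", "ts": base + 300, "sender": "EXCHANGE", "recipient": "WATCHED-2",
                "lamports": 2 * LAMPORTS_PER_SOL, "memo": None})
    return txs


SAMPLE_TXS = build_sample()

if __name__ == "__main__":
    # min_recipients lowered to 3 because the sample has only four recipients.
    for pattern, hits in analyze(SAMPLE_TXS, min_recipients=3).items():
        print(f"{pattern}: {hits}")
```

Cadence is checked per (sender, recipient) pair rather than per recipient so that a legitimate memo from someone else landing on the same address does not mask the fixed 120-second rhythm. A single hit from any one heuristic is weak evidence; the combination of a sub-0.001 SOL transfer, a high-entropy memo, a broadcast to many addresses and a stable interval is the signal worth alerting on.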
What to Do If You’re Concerned
1. Assume compromise if you installed any unverified Solana tooling in the last 90 days. Rotate all keys.
2. If you use a hardware wallet, do not type your seed phrase into ANY software, even if the prompt looks like your Ledger/Trezor app. GlassWorm specifically intercepts this moment.
3. Audit your npm/PyPI dependencies. Run: npm audit and check for packages with low download counts that have high permissions.
4. Watch your wallet addresses for unexpected memo transactions. Tools like SolGuard (t.me/SolGuard_Bot) monitor real-time account changes across Solana and can alert on anomalous memo activity.
The Bigger Picture: Q1 2026 Solana Security
Drift ($285M), GlassWorm supply chain attacks, Step Finance key compromise ($40M), and now a breaking quantum-threat analysis from Project Eleven and the Solana Foundation — April 2026 is the worst month for Solana security since the Wormhole hack in 2022.
The common thread: attackers are targeting keys and signers, not smart contract logic. The best defense is monitoring what’s happening on-chain in real time and detecting anomalous patterns before they become exploits.
This is part of our ongoing Drift/Solana Security Analysis Series: