Ethical Hacking News
A supply-chain campaign tracked as GlassWorm has compromised hundreds of open-source components across GitHub, npm, and the VSCode/OpenVSX extension ecosystems. The campaign began in October last year and, according to researchers, has now reached 433 compromised components across those platforms. Researchers attribute the successive waves to a single threat actor because the payloads are identical or functionally similar and the waves share infrastructure. The malware steals cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data, and it skips execution when it finds a Russian system locale. Developers who consume code from these sources are advised to check their machines and repositories for the indicators of compromise described below.
GlassWorm has been identified as the malware behind a coordinated attack on hundreds of open-source repositories across GitHub, npm, and VSCode/OpenVSX extensions. The campaign began in October last year and has reached 433 compromised components as of this month, according to researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community.
What stands out is that a single threat actor is running multiple GlassWorm campaigns across several ecosystems at once. The attackers do not exploit a vulnerability in the platforms themselves; they take over maintainer accounts and publish malicious code through them, reusing identical or functionally similar payloads and shared command-and-control infrastructure from one wave to the next.
GlassWorm was first observed last October, when attackers used "invisible" Unicode characters to hide malicious code that harvested cryptocurrency wallet data and developer credentials. The campaign continued in multiple waves and expanded to Microsoft's official Visual Studio Code marketplace and to the OpenVSX registry used by VS Code forks and other editors, as discovered by Secure Annex researcher John Tuckner.
macOS systems were also targeted with trojanized Trezor and Ledger wallet clients, and developers were later targeted again via compromised OpenVSX extensions. The latest GlassWorm wave is far more extensive and spread to:
- 200 GitHub Python repositories
- 151 GitHub JS/TS repositories
- 72 VSCode/OpenVSX extensions
- 10 npm packages
Initial compromise happens on GitHub, where hijacked accounts are used to force-push malicious commits into existing repositories. Malicious packages and extensions are then published on npm and VSCode/OpenVSX, with the malicious code hidden behind invisible Unicode characters so that it does not show up in an editor or in a casual review of the diff.
On every platform the implant polls the Solana blockchain every five seconds for new instructions. According to Step Security, between November 27, 2025, and March 13, 2026, there were 50 new transactions, mostly to update the payload URL. The instructions are embedded as memos in the transactions and direct the implant to download a Node.js runtime and execute a JavaScript-based information stealer.
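The invisible-Unicode trick above is detectable with a plain scan for code points that render as nothing in most editors. The following scanner is an added example for this article, not GlassWorm's code or any vendor's tool; the set of ranges it flags (Unicode category Cf, variation selectors, tag characters, Hangul fillers) is an assumption chosen as a reasonable reviewer heuristic, not a statement of exactly which characters the campaign used. The sample JavaScript it scans is constructed for the demonstration.

```python
"""Scan source files for invisible Unicode code points that can hide code from a
human reviewer. Added example for this article; not GlassWorm's code and not a
vendor tool."""
import sys
import unicodedata
from pathlib import Path

# Ranges that render as nothing (or as a bare blank) in most editors.
# Assumption: a reasonable heuristic, not the exact set used by the campaign.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
    (0xE0000, 0xE007F),  # tag characters, deprecated and invisible
    (0x3164, 0x3164),    # Hangul filler
    (0x115F, 0x1160),    # Hangul choseong / jungseong fillers
]

# Constructed sample: looks like three harmless lines, but line 1 carries a
# zero-width space and zero-width joiner, and line 2 three variation selectors.
SAMPLE_JS = (
    "const config = {};\u200b\u200d\n"
    "// harmless helper\ufe0f\U000e0101\ufe00\n"
    "module.exports = config;\n"
)


def is_invisible(ch: str) -> bool:
    """True for format characters (category Cf) and the ranges listed above."""
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible(text: str):
    """Return (line, col, 'U+XXXX', name) for every invisible code point.
    A byte-order mark as the very first character of a file is tolerated."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def strip_invisible(text: str) -> str:
    """Remove the invisible code points so the remaining visible code can be diffed."""
    return "".join(ch for ch in text if not is_invisible(ch))


def scan_tree(root, suffixes=(".js", ".ts", ".mjs", ".py", ".json")):
    """Walk a checkout and map each offending file path to its list of hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in suffixes or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        hits = find_invisible(text)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Usage: python scan_invisible.py [checkout-dir]; with no argument, scan the sample.
    if len(sys.argv) > 1:
        for file, hits in scan_tree(sys.argv[1]).items():
            for line, col, cp, name in hits:
                print(f"{file}:{line}:{col}: {cp} {name}")
    else:
        for hit in find_invisible(SAMPLE_JS):
            print(hit)
```

A hit is not proof of compromise on its own: emoji variation selectors and bidi marks appear in legitimate localized strings. What matters is invisible characters in places where no human would type them, such as trailing a statement or a comment, which is exactly what the constructed sample shows.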
The malware targets cryptocurrency wallet data, credentials and access tokens, SSH keys, and developer environment data. Analysis of code comments suggests that GlassWorm is operated by Russian-speaking threat actors, and the malware skips execution if it finds a Russian locale on the system. Both indicators are easy to plant, however, so they are not sufficient data for confident attribution.
Step Security advises developers who install Python packages directly from GitHub or run cloned repositories to check for signs of compromise by searching their codebase for the marker variable "lzcdrtfxyqiplpd," an indicator of the GlassWorm malware. They also recommend inspecting systems for the presence of the ~/init.json file, which is used for persistence, as well as unexpected Node.js installations in the home directory (e.g., ~/node-v22*). Developers should look for suspicious i.js files in recently cloned projects and review Git commit histories for anomalies, such as commits where the committer date is significantly newer than the original author date.
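The checks Step Security recommends can be scripted against a cloned repository and the user's home directory. The script below is an added example for this article, not Step Security's tooling; the 30-day threshold for "committer date significantly newer than author date" is an assumption, and the sample tree and git log lines it checks are constructed for the demonstration.

```python
"""Hunt for the GlassWorm indicators listed above in a cloned repository and in
the home directory. Added example for this article, not Step Security's tool."""
import subprocess
import sys
import tempfile
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"      # marker variable name reported by Step Security
SKEW_SECONDS = 30 * 24 * 3600   # assumption: committer date > 30 days after author date

# Constructed lines in the shape of `git log --format='%H %at %ct'` output.
CONSTRUCTED_LOG = [
    "aaaa 1700000000 1700000100",  # committed 100 s after authoring: normal
    "bbbb 1700000000 1705000000",  # committer date ~58 days newer: suspicious
]


def find_marker(root, marker=MARKER, max_bytes=5_000_000):
    """Files under root (excluding .git) whose bytes contain the marker string."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts or path.stat().st_size > max_bytes:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if marker.encode() in data:
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def find_ijs(root):
    """Every file literally named i.js in the checkout."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("i.js") if ".git" not in p.parts)


def check_home_artifacts(home):
    """Persistence file ~/init.json and unexpected ~/node-v22* runtime directories."""
    home = Path(home)
    found = ["init.json"] if (home / "init.json").exists() else []
    return found + sorted(p.name for p in home.glob("node-v22*"))


def flag_backdated_commits(log_lines, skew=SKEW_SECONDS):
    """From `git log --format='%H %at %ct'` lines, return (sha, committer - author)
    for commits whose committer date is more than `skew` seconds newer than the
    author date, the pattern left by rewriting history and force-pushing."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        sha, author_ts, commit_ts = parts[0], int(parts[1]), int(parts[2])
        if commit_ts - author_ts > skew:
            flagged.append((sha, commit_ts - author_ts))
    return flagged


def git_log_lines(repo):
    out = subprocess.run(["git", "-C", str(repo), "log", "--format=%H %at %ct"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def hunt(repo, home=Path.home()):
    """Run all four checks; any non-empty value is worth a manual look."""
    return {
        "marker": find_marker(repo),
        "i_js": find_ijs(repo),
        "home_artifacts": check_home_artifacts(home),
        "backdated_commits": flag_backdated_commits(git_log_lines(repo)),
    }


def build_constructed_case():
    """Constructed sample tree (no real malware) that trips three of the checks."""
    base = Path(tempfile.mkdtemp(prefix="glassworm-demo-"))
    repo, home = base / "repo", base / "home"
    (repo / "src").mkdir(parents=True)
    (repo / "src" / "util.py").write_text("x = 1\n")
    (repo / "src" / "setup_helper.py").write_text(f"{MARKER} = 'constructed'\n")
    (repo / "i.js").write_text("// constructed placeholder\n")
    home.mkdir()
    (home / "init.json").write_text("{}")
    (home / "node-v22.12.0-linux-x64").mkdir()
    return repo, home


if __name__ == "__main__":
    # Usage: python hunt_glassworm.py /path/to/clone  (defaults to the current directory)
    print(hunt(sys.argv[1] if len(sys.argv) > 1 else "."))
```

If any of these checks fires, treat every credential, token, SSH key, and wallet that was reachable from that machine as exposed and rotate them; the indicators tell you the stealer ran, not what it already sent.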
The campaign is a reminder that code pulled from GitHub, npm, or an extension marketplace runs with the developer's own privileges. Regular audits of installed packages and extensions, review of unexpected commits in dependencies, and a habit of checking for the indicators above after cloning unfamiliar projects are the practical defences against supply-chain attacks like GlassWorm.
Related Information:
https://www.ethicalhackingnews.com/articles/The-GlassWorm-Malware-Supply-Chain-Campaign-A-Coordinated-Attack-on-Open-Source-Repositories-ehn.shtml
https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/
https://cybersecsentinel.com/glassworm-self-propagating-malware-compromises-vs-code-extensions/
Published: Tue Mar 17 17:49:47 2026 by llama3.2 3B Q4_K_M