GlassWorm malware hits 400 code repos on GitHub, NPM, VSCode, OpenVSX
By Bill Toulas, March 17, 2026 05:42 PM

The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and the VSCode/OpenVSX extension registries.

Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm.

Evidence that a single threat actor runs the GlassWorm campaigns across multiple open-source repositories comes from the same Solana blockchain address being used for command-and-control (C2) activity, identical or functionally similar payloads, and shared infrastructure.

GlassWorm was first observed last October, with attackers using "invisible" Unicode characters to hide malicious code that harvested cryptocurrency wallet data and developer credentials.

The campaign continued in multiple waves and expanded to Microsoft's official Visual Studio Code marketplace and the OpenVSX registry used by unsupported IDEs, as discovered by Secure Annex researcher John Tuckner.

macOS systems were also targeted, with trojanized clients for Trezor and Ledger, and developers were later targeted via compromised OpenVSX extensions.

The latest GlassWorm attack wave is far more extensive, though, and spread to:

- 200 GitHub Python repositories
- 151 GitHub JS/TS repositories
- 72 VSCode/OpenVSX extensions
- 10 npm packages

Initial compromise occurs on GitHub, where accounts are compromised to force-push malicious commits. Then, malicious packages and extensions are published on npm and VSCode/OpenVSX, featuring obfuscated code (invisible Unicode characters) to evade detection.
Image: Malicious package on OpenVSX (Source: Aikido)

Across all platforms, the Solana blockchain is queried every five seconds for new instructions. According to Step Security, between November 27, 2025, and March 13, 2026, there were 50 new transactions, mostly updating the payload URL. The instructions were embedded as memos in the transactions and led to downloading the Node.js runtime and executing a JavaScript-based information stealer.

Image: GlassWorm attack chain (Source: Step Security)

The malware targets cryptocurrency wallet data, credentials and access tokens, SSH keys, and developer environment data.

Analysis of code comments indicates that GlassWorm is orchestrated by Russian-speaking threat actors. Additionally, the malware skips execution if a Russian locale is found on the system. However, this is insufficient data for confident attribution.

Step Security advises developers who install Python packages directly from GitHub or run cloned repositories to check for signs of compromise by searching their codebase for the marker variable "lzcdrtfxyqiplpd," an indicator of the GlassWorm malware.

Image: Malicious GitHub files (Source: Step Security)

They also recommend inspecting systems for the presence of the ~/init.json file, which is used for persistence, as well as for unexpected Node.js installations in the home directory (e.g., ~/node-v22*). Additionally, developers should look for suspicious i.js files in recently cloned projects and review Git commit histories for anomalies, such as commits where the committer date is significantly newer than the original author date.
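The checks Step Security recommends above can be run together from one script. The following is an added example written for this article, not code from Step Security or any of the other researchers cited: it searches a cloned project for the marker variable, for lines containing invisible Unicode characters, and for files named i.js; checks the home directory for ~/init.json and ~/node-v22*; and flags commits whose committer timestamp is well past the author timestamp. The set of code points treated as "invisible" (zero-width characters, the BOM, variation selectors and tag characters) and the 30-day skew threshold are assumptions, and the fixture it scans is constructed, not real malware.

```python
"""Triage script for the GlassWorm indicators named in the article.

Added example, not the researchers' code. Assumptions: the INVISIBLE_RE
ranges and the 30-day author/committer skew threshold."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"        # marker variable reported by Step Security
SOURCE_EXT = {".py", ".js", ".mjs", ".cjs", ".ts", ".json"}
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}

# Assumption: code points that render as nothing in most editors
# (zero-width chars, BOM, variation selectors, Unicode tag characters).
INVISIBLE_RE = re.compile(
    "[\u200b-\u200f\u2060-\u2064\ufeff\ufe00-\ufe0f"
    "\U000e0000-\U000e007f\U000e0100-\U000e01ef]"
)


def scan_text(text):
    """Return (marker_lines, invisible_lines) for one file's contents:
    line numbers holding the marker, and (line, count) pairs for lines
    that contain invisible code points."""
    marker_lines, invisible_lines = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if MARKER in line:
            marker_lines.append(no)
        n = len(INVISIBLE_RE.findall(line))
        if n:
            invisible_lines.append((no, n))
    return marker_lines, invisible_lines


def scan_repo(root):
    """Walk a cloned project and return (path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if name == "i.js":                      # dropper name from the article
                findings.append((str(path), "file named i.js"))
            if path.suffix not in SOURCE_EXT:
                continue
            marker_lines, invisible_lines = scan_text(
                path.read_text(encoding="utf-8", errors="ignore"))
            if marker_lines:
                findings.append((str(path), f"marker variable at lines {marker_lines}"))
            if invisible_lines:
                total = sum(n for _, n in invisible_lines)
                findings.append((str(path),
                                 f"{total} invisible Unicode chars on {len(invisible_lines)} lines"))
    return findings


def check_home(home):
    """Persistence artefacts the article names: ~/init.json and ~/node-v22*."""
    home = Path(home)
    findings = []
    if (home / "init.json").exists():
        findings.append((str(home / "init.json"), "persistence file"))
    for p in home.glob("node-v22*"):
        findings.append((str(p), "unexpected Node.js install in home directory"))
    return findings


def suspicious_commits(log_lines, max_skew_days=30):
    """Given lines of 'hash author_ts committer_ts' (the output of
    git log --format='%H %at %ct'), return hashes whose committer date is
    more than max_skew_days after the author date, the rewrite pattern
    the article describes."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        commit, author_ts, committer_ts = parts[0], int(parts[1]), int(parts[2])
        if committer_ts - author_ts > max_skew_days * 86400:
            hits.append(commit)
    return hits


def git_log_lines(repo):
    """Produce the input for suspicious_commits() from a real checkout."""
    out = subprocess.run(["git", "-C", str(repo), "log", "--format=%H %at %ct"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def demo():
    """Build a constructed fixture (not real malware) and run every check."""
    tmp = Path(tempfile.mkdtemp())
    repo, home = tmp / "repo", tmp / "home"
    (repo / "src").mkdir(parents=True)
    (home / "node-v22.1.0-linux-x64").mkdir(parents=True)
    (repo / "src" / "app.py").write_text(f"{MARKER} = 1\nprint('ok')\n")
    (repo / "src" / "util.js").write_text("const x = 'a\u200b\u200b\u200bb';\n// \ufe00\ufe01\n")
    (repo / "i.js").write_text("// looks harmless\n")
    (repo / "README.md").write_text("hello\n")
    (home / "init.json").write_text("{}")
    fake_log = ["aaaa 1700000000 1700000000",   # author == committer: normal
                "bbbb 1700000000 1710000000"]   # ~115 days later: rewritten history
    return {"repo": scan_repo(repo), "home": check_home(home),
            "commits": suspicious_commits(fake_log)}


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real machine, run scan_repo() on the clone, check_home() on the user's home directory, and feed git_log_lines() into suspicious_commits(); treat invisible-character hits in .json or .md files with care, since emoji sequences legitimately contain variation selectors and zero-width joiners.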