GlassWorm Is Eating the Developer Ecosystem

Supply chain attacks aren't new. But GlassWorm is something different — a campaign that has spent months quietly expanding its footprint across every layer of the developer toolchain, and it's still active right now.

Here's where things stand as of March 17, 2026.

Three Attack Vectors. One Threat Actor.

GlassWorm started with malicious VS Code extensions. That was back in October 2025. Since then, the same infrastructure — identifiable by a Solana blockchain wallet used as a command-and-control relay — has branched into three distinct delivery mechanisms running simultaneously.

VS Code / Open VSX extensions. As of March 16, researchers have confirmed 72 malicious extensions in the Open VSX registry. The latest iteration doesn't even embed malware directly. Instead, it abuses the extension dependency system — publish a clean-looking extension that pulls in a malicious payload through its `extensionPack` or `extensionDependencies`. Individual packages scan as safe. The malware rides in through the relationships between them.

GitHub repository injection (ForceMemo). The campaign's second vector starts with credential theft. Malicious VS Code extensions harvest GitHub tokens. Attackers then use those tokens to force-push obfuscated payloads into Python repositories — Django projects, ML research repos, Streamlit apps, PyPI packages. The force-push rewrites history while preserving the original commit messages, authors, and timestamps. There's no pull request. Nothing surfaces in the GitHub UI. CybrPulse feeds tracked the earliest injections to March 8, 2026, but the Solana C2 wallet shows activity going back to November 27, 2025 — 50 recorded transactions over three months of pre-positioning.

npm supply chain. The third vector hit on March 16. Two React Native packages — `react-native-country-select` and `react-native-international-phone-number` — were poisoned with credential-stealing payloads. Combined, they had roughly 134,887 monthly downloads. The attack used a preinstall hook, so malware deployed the moment a developer ran `npm install`. No other action required.

What the Malware Actually Does

The payload is consistent across vectors: it's after developer credentials and cryptocurrency.

GitHub tokens. npm tokens. Browser cookies and saved passwords. Cryptocurrency wallets — particularly anything in browser extensions. CI/CD pipeline secrets that happen to be sitting on developer workstations.

The C2 infrastructure is unusually clever. The main channel uses the memo field in Solana blockchain transactions to deliver payload URLs. Blockchain is public, permanent, and not easily blocked. The React Native npm variant also used Google Calendar event links as a secondary relay — two cloud services most organizations whitelist entirely.

Exfiltration sends data to attacker-controlled infrastructure. The Solana wallet has been updated multiple times per day during active phases, letting the operator rotate payload URLs without changing anything about the malware itself.

One behavioral tell: the malware skips execution if the system locale is Russian. That locale check is an attribution clue consistent with a Russian-speaking operator who wants to avoid domestic visibility.

Why This Is Harder to Catch Than It Looks

CybrPulse feeds show detection engines frequently miss GlassWorm's npm packages. Non-deterministic obfuscation produces a unique hash per tarball, so hash-based signatures don't catch updated versions. The VS Code dependency abuse passes extension marketplace review because each individual piece looks legitimate.

The GitHub injection vector is particularly dangerous for teams that rely on signed commits or commit history reviews — the force-push preserves all the metadata that normally signals trust.

Aikido Security has separately linked the same Solana wallet to a campaign that compromised over 151 GitHub repositories using invisible Unicode character obfuscation — a technique that makes malicious code invisible in web-based diffs.

What to Do Right Now

Audit installed VS Code and Open VSX extensions. Check dependencies, not just the extensions themselves. If you don't recognize it, pull it. The campaign impersonates ESLint, Prettier, and AI coding assistants — look for near-miss names.
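An added audit script, not CybrPulse's or any project's own code, that applies the two checks above: it flags every installed extension id, and every id pulled in through `extensionPack` or `extensionDependencies`, that is not on a team allowlist, and uses string similarity to point out near-miss names. The allowlist and the sample manifests are constructed assumptions; point `audit_extension_dir` at `~/.vscode/extensions` to run it against a real machine.

```python
import difflib
import json
from pathlib import Path

# Assumed allowlist of approved extension ids (publisher.name); edit for your team.
APPROVED = sorted({
    "dbaeumer.vscode-eslint",
    "esbenp.prettier-vscode",
    "ms-python.python",
})

# Constructed sample manifests, not real extensions: one legitimate, one with a
# lookalike publisher that also drags in an unknown extension via extensionPack.
SAMPLE_MANIFESTS = [
    {"publisher": "esbenp", "name": "prettier-vscode"},
    {"publisher": "dbaeurner", "name": "vscode-eslint",
     "extensionPack": ["someone.helper-tools"]},
]


def audit_manifests(manifests, approved=APPROVED, cutoff=0.8):
    """Return one finding per unapproved extension id, whether it is an installed
    extension itself or only pulled in through extensionPack/extensionDependencies."""
    findings = []
    for data in manifests:
        ext_id = f"{data.get('publisher', '?')}.{data.get('name', '?')}".lower()
        pulled = sorted({d.lower() for d in
                         data.get("extensionPack", []) + data.get("extensionDependencies", [])})
        for candidate in [ext_id] + pulled:
            if candidate in approved:
                continue
            # Near-miss detection: a close match to an approved id is a likely impersonation.
            near = difflib.get_close_matches(candidate, approved, n=1, cutoff=cutoff)
            findings.append({
                "installed": ext_id,             # extension present on disk
                "unapproved": candidate,         # id that failed the allowlist
                "via_dependency": candidate != ext_id,
                "lookalike_of": near[0] if near else None,
            })
    return findings


def audit_extension_dir(ext_root):
    """Read every <ext_root>/<publisher.name-version>/package.json and audit them."""
    manifests = []
    for manifest in Path(ext_root).glob("*/package.json"):
        with open(manifest, encoding="utf-8") as fh:
            manifests.append(json.load(fh))
    return audit_manifests(manifests)
```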

Rotate GitHub and npm tokens. Especially for anyone who's installed VS Code extensions in the last six months. If a token was ever on a machine with a malicious extension installed, treat it as compromised.

Review recent commits in critical repos. Specifically, look for force-push events in the git log. If branch history looks like it was rewritten and you can't account for it, dig deeper.
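Because the ForceMemo force-push keeps messages, authors and timestamps intact, metadata is the wrong thing to check; what a rewrite cannot preserve is reachability of the branch tip you last reviewed. This added example (not the post's or any project's code) parses `git rev-list --parents origin/main` output captured after a `git fetch` and checks whether a previously recorded tip is still an ancestor of the current one, the same test `git merge-base --is-ancestor` performs. The commit ids and the recorded tip are constructed.

```python
from collections import deque

# Constructed sample of `git rev-list --parents origin/main` output after a fetch.
# Each line is a commit id followed by its parent ids; the tip comes first.
# Messages and authors were copied faithfully, but the commit ids are new.
REWRITTEN = """\
f00dbee e7a1c3d
e7a1c3d 9c0ffee
9c0ffee 1111111
1111111
"""
# The same branch before the incident: the recorded tip is still on it.
CLEAN = """\
abc1234 9c0ffee
9c0ffee 1111111
1111111
"""
RECORDED_TIP = "abc1234"  # origin/main as saved at the last review (constructed)


def parse_rev_list(text):
    """Return (tip, {commit: [parents]}) from `git rev-list --parents` output."""
    graph, tip = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        tip = tip or parts[0]
        graph[parts[0]] = parts[1:]
    return tip, graph


def is_ancestor(graph, old, new):
    """True when `old` is reachable from `new` by following parent links."""
    seen, queue = set(), deque([new])
    while queue:
        commit = queue.popleft()
        if commit == old:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(graph.get(commit, []))
    return False


def history_rewritten(rev_list_text, recorded_tip):
    """A force-push that rewrote history leaves the recorded tip unreachable
    from the new tip, regardless of how faithful the copied metadata is."""
    tip, graph = parse_rev_list(rev_list_text)
    return not is_ancestor(graph, recorded_tip, tip)
```

Record the tip with `git rev-parse origin/main` after each review; a `git fetch` that prints `(forced update)` for the branch is the same signal in real time, and a legitimate rebase trips it too, which is why an unexplained hit warrants digging deeper rather than an automatic verdict.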

Block or alert on preinstall hooks in npm. Most legitimate packages don't use them. `npm install --ignore-scripts` is a blunt instrument but it stops this specific vector cold during incident response.
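The inventory counterpart to `--ignore-scripts`: an added script (not from the post or from npm) that lists every installed package declaring an install-time lifecycle script, with `preinstall` sorted first because it runs before anything else on `npm install`. The sample manifests are constructed and are not the real packages named above; `scan_node_modules("node_modules")` walks a real tree, including `@scoped` and nested packages.

```python
import json
from pathlib import Path

# Lifecycle scripts npm runs on its own during `npm install`; preinstall fires first.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests, not the real packages named in the post.
SAMPLE_MANIFESTS = [
    {"name": "tidy-strings", "version": "1.4.0", "scripts": {"test": "jest"}},
    {"name": "phone-format-helper", "version": "2.3.1",
     "scripts": {"preinstall": "node -e \"require('./loader.js')\""}},
    {"name": "@acme/build-tools", "version": "0.9.2",
     "scripts": {"postinstall": "node scripts/fetch-binary.js"}},
]


def install_hooks(manifest):
    """Return {hook: command} for every install-time script a manifest declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_manifests(manifests):
    """List packages that would execute code during `npm install`, preinstall first,
    so they can be reviewed before anyone installs without --ignore-scripts."""
    findings = []
    for manifest in manifests:
        hooks = install_hooks(manifest)
        if hooks:
            findings.append({
                "package": f"{manifest.get('name')}@{manifest.get('version')}",
                "hooks": hooks,
                "runs_before_install": "preinstall" in hooks,
            })
    findings.sort(key=lambda f: (not f["runs_before_install"], f["package"]))
    return findings


def scan_node_modules(root):
    """Walk an installed node_modules tree, keeping only package-root manifests:
    node_modules/<name>/package.json or node_modules/@scope/<name>/package.json."""
    manifests = []
    for path in Path(root).rglob("package.json"):
        holder = path.parent.parent
        is_root = holder.name == "node_modules" or (
            holder.name.startswith("@") and holder.parent.name == "node_modules")
        if is_root:
            with open(path, encoding="utf-8") as fh:
                manifests.append(json.load(fh))
    return scan_manifests(manifests)
```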

Check CI/CD pipeline environments. Developer workstations that ran compromised npm packages or had infected extensions installed may have leaked secrets into CI environments. Pipeline tokens and secrets should be rotated as a precaution.

The campaign has been running since at least October 2025 and shows no signs of slowing. Three distinct attack vectors, all feeding the same infrastructure. If your team uses any of the affected ecosystems — VS Code, Python, React Native — this isn't theoretical.


*CybrPulse tracks security news feeds continuously. Data referenced in this post reflects our analysis as of March 17, 2026.*
