GlassWorm Wave 3: 433 Packages Compromised, Your Code Review Won't Save You
If you install Python packages from GitHub, run CI/CD pipelines that pull from open-source repositories, or use VS Code or Cursor — read this now.
GlassWorm is back for a third wave, and the scope has expanded significantly. Researchers confirmed today that the same threat actor has compromised 433 components spanning GitHub repositories, npm packages, VS Code extensions, and OpenVSX. A connected campaign, dubbed ForceMemo, is actively backdooring Python repositories by hijacking developer GitHub accounts using stolen credentials.
The Solana blockchain wallet `BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC` links both campaigns to the same actor — 50 memo-bearing transactions have updated payload URLs between November 2025 and March 13, 2026.
The Invisible Payload
Here's what makes this campaign different: the malicious code doesn't look like malicious code.
GlassWorm hides payloads inside invisible Unicode variation selectors — specifically characters in the ranges U+FE00 to U+FE0F and U+E0100 to U+E01EF. These characters render as blank space in every mainstream editor, terminal, and code review interface. GitHub's diff view shows nothing. Your eyeballs show nothing. The code runs anyway.
This isn't a minor evasion trick. It fundamentally breaks code review as a security control. If a human reviewer can't see the malicious content and most static analysis tools don't flag Unicode steganography, the compromise sails through your entire review pipeline undetected.
How ForceMemo Chains In
The credential theft starts with malicious VS Code and Cursor extensions. These harvest stored GitHub tokens — from credential helpers, `~/.git-credentials`, or `GITHUB_TOKEN` environment variables — and exfiltrate them to the attacker's infrastructure.
Once GlassWorm has a developer's GitHub token, ForceMemo takes over. The attacker force-pushes commits that rewrite repository history while preserving the original commit metadata: same author name, same date, same commit message. In GitHub's standard web UI, everything looks normal. The legitimate commit is still there in the log. What changed is the content — obfuscated Python stubs injected into `setup.py`, `main.py`, or `app.py`, which execute on `pip install` or at runtime.
Three confirmed compromised repositories as of this writing:
- `amirasaran/django-restful-admin`
- `amirasaran/request_validator`
- `BierOne/relation-vqa`
But searching GitHub's code search for the marker variable `lzcdrtfxyqiplpd` returns hundreds of hits. This is active and widespread.
The C2 Infrastructure
The attacker's command-and-control setup is built to survive takedowns. Primary channel: Solana blockchain transactions. The malware polls the shared wallet's memo history every 5 seconds to retrieve updated payload URLs — nine RPC endpoints spread across providers for resilience. Secondary fallback: Google Calendar. Both are legitimate services your network monitoring treats as benign traffic.
When triggered, the payload downloads Node.js v22.9.0 and fetches an AES-encrypted JavaScript second stage. The decryption keys arrive in HTTP headers. Russian-language comments are present in the injected code, and execution is skipped on Russia-geolocated systems — a pattern consistent with Eastern European cybercrime tooling.
Final payload targets: browser extensions, cookies, SSH keys, and cryptocurrency wallet data.
LLM-Assisted Injection at Scale
The attacker isn't manually crafting each injection. Evidence points to LLM-generated commits used to automate and disguise malicious changes across diverse codebases. The campaign produced 151+ unique code changes — a volume that would be operationally infeasible without automation. Django apps, ML research repositories, Flask APIs, Streamlit dashboards, PyPI packages — the breadth of targets reflects automated tooling, not manual curation.
What to Do Right Now
Search your codebase. The variable name `lzcdrtfxyqiplpd` is present in every compromised file. Run it against your internal repositories and audit your CI/CD dependency cache. GitHub's code search surfaces it if you're pulling from external repos.
Check for artifacts. GlassWorm drops `~/init.json` and installs Node.js binaries in home directories. Audit developer machines and build agents for both.
Review your CI/CD pipeline. Any pipeline that executes `pip install` from GitHub source — especially from default branches without commit hash pinning — is exposed. Pin to specific SHAs. Verify commit integrity against known-good states, and flag any commits where the author and committer dates show large gaps, or where the committer name is literally set to `null`.
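A triage script for the commit-metadata checks just described, added here as an example rather than taken from the article or any vendor tool: it reads `git log` output in a custom field format and flags the two anomalies, using a seven-day author/committer gap threshold that is an assumption to tune per repository.

```python
# Added example (not the article's or any researcher's tool): flag the two
# commit-metadata anomalies the post describes in the output of
#   git log --format='%H%x1f%an%x1f%cn%x1f%at%x1f%ct'
# Rebases and cherry-picks also widen the author/committer gap, so treat
# hits as triage input, not proof of compromise.
import subprocess

SEP = "\x1f"                     # unit separator; never appears in names
MAX_GAP_SECONDS = 7 * 24 * 3600  # assumed threshold, tune per repository


def suspicious_commits(log_lines, max_gap=MAX_GAP_SECONDS):
    """Return [(sha, reason), ...] for commits matching either anomaly."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        sha, author, committer, a_ts, c_ts = line.rstrip("\n").split(SEP)
        if committer.strip().lower() == "null":
            findings.append((sha, "committer name is literally 'null'"))
        gap = abs(int(c_ts) - int(a_ts))
        if gap > max_gap:
            days = gap // 86400
            findings.append((sha, f"author and committer dates differ by {days} days"))
    return findings


def scan_repo(path="."):
    """Run git log on a real checkout and feed it to suspicious_commits()."""
    fmt = SEP.join(["%H", "%an", "%cn", "%at", "%ct"])
    out = subprocess.run(["git", "-C", path, "log", f"--format={fmt}"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_commits(out.splitlines())


# Constructed sample log (fake SHAs and names) standing in for git output.
SAMPLE_LOG = [
    SEP.join(["a1b2c3", "Jane Dev", "Jane Dev", "1700000000", "1700000060"]),
    SEP.join(["d4e5f6", "Jane Dev", "Jane Dev", "1700000000", "1710000000"]),
    SEP.join(["0a9b8c", "Jane Dev", "null", "1700100000", "1700100005"]),
]

if __name__ == "__main__":
    for sha, reason in suspicious_commits(SAMPLE_LOG):
        print(f"{sha}: {reason}")
```

Run `scan_repo("/path/to/checkout")` against a real clone; a legitimately rebased branch will also show gaps, so compare hits against your known-good state before acting.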
Add Unicode detection. Use pre-commit hooks or CI linting rules that reject files containing characters in the U+FE00–U+FE0F and U+E0100–U+E01EF ranges. These ranges have no legitimate use in source code.
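One such check, added here and not part of the original post or the researchers' tooling, covering both the codebase search and the Unicode detection steps above: it scans a file for the two indicators the post gives (variation selectors in the named ranges and the `lzcdrtfxyqiplpd` marker) and also shows what a reviewer sees once the hidden characters are stripped; the sample input is constructed.

```python
# Added example (not from the article or the researchers): a pre-commit/CI
# check for the two indicators the post gives, variation selectors in the
# U+FE00..U+FE0F and U+E0100..U+E01EF ranges and the marker identifier.
import sys

HIDDEN_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
MARKER = "lzcdrtfxyqiplpd"  # marker variable name quoted in the article


def is_hidden(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in HIDDEN_RANGES)


def find_hidden(text):
    """Return (line, column, 'U+XXXX') for each variation selector in text."""
    return [(n, col, f"U+{ord(ch):04X}")
            for n, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if is_hidden(ch)]


def find_marker(text):
    """Return the line numbers on which the marker identifier appears."""
    return [n for n, line in enumerate(text.splitlines(), 1) if MARKER in line]


def visible(text):
    """What a reviewer sees: the text with the hidden characters removed."""
    return "".join(ch for ch in text if not is_hidden(ch))


def check_file(path):
    """Hook entry point: print findings, return 1 if any, else 0."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hidden, marked = find_hidden(text), find_marker(text)
    for n, col, cp in hidden:
        print(f"{path}:{n}:{col}: hidden character {cp}")
    for n in marked:
        print(f"{path}:{n}: GlassWorm marker '{MARKER}'")
    return 1 if hidden or marked else 0


# Constructed sample: line 2 ends in three invisible selectors and line 3
# carries the marker; visible(SAMPLE) line 2 reads as plain "x = 1  # ok".
SAMPLE = ("import os\n"
          "x = 1  # ok\ufe0e\U000e0101\U000e01ef\n"
          "lzcdrtfxyqiplpd = '<constructed placeholder>'\n")

if __name__ == "__main__":
    sys.exit(max((check_file(p) for p in sys.argv[1:]), default=0))
```

Wire it into a pre-commit hook as `python check_hidden.py $(git diff --cached --name-only)` or into CI over the whole tree. U+FE0F does legitimately occur in emoji sequences inside string literals, so allowlist those paths if your code base embeds emoji.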
Rotate developer credentials. Every GitHub token stored in VS Code, Cursor, or credential helpers should be treated as potentially compromised. Rotate now, and enforce hardware-backed MFA on all accounts with repository write access.
Monitor egress from build agents. Connections to Solana RPC endpoints or high-frequency polling (5-second intervals) to blockchain infrastructure from CI/CD systems are a strong signal of infection. Tools like StepSecurity's Harden-Runner can help surface this.
The campaign has been active since at least November 27, 2025. The actor has survived multiple takedown attempts and grown with each resurgence. This isn't a one-off — it's an ongoing operation targeting the development toolchain systematically.
If your security posture depends on "someone would have noticed a bad commit," GlassWorm has already demonstrated that doesn't work here.
*CybrPulse ingests and analyzes thousands of security feeds daily. This post is based on threat intelligence published March 18, 2026 by ThreatRoad and GBHackers.*