logo

GlassWorm Invades GitHub, NPM, VS Code, and Python

ID: 35e4cd26-04ba-5360-9006-6dc1128c1f29

STIX ID: report--35e4cd26-04ba-5360-9006-6dc1128c1f29

Feed Name: OpenSourceMalware Blog

Threat Score
88/100

Date Published: 2026-03-16

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

GlassWorm is a coordinated, cross-ecosystem supply-chain campaign that compromised 433+ GitHub repositories, npm packages, VSCode/Open-VSX extensions, and Python projects by using ecosystem-specific obfuscation (invisible Unicode in JS, base64→zlib→XOR in Python) to deliver a common Node.js-based infostealer; operators use a Solana blockchain address for immutable C2 and host payloads on shared infrastructure (multiple IPs), with active exploitation confirmed and indicators (Solana address, IPs, code fingerprints, persistence artifacts) published by multiple vendors.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.