GlassWorm Invades GitHub, NPM, VS Code, and Python
ID: 35e4cd26-04ba-5360-9006-6dc1128c1f29
STIX ID: report--35e4cd26-04ba-5360-9006-6dc1128c1f29
Feed Name: OpenSourceMalware Blog
Date Published: 2026-03-16
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
GlassWorm is a coordinated, cross-ecosystem supply-chain campaign that compromised 433+ GitHub repositories, npm packages, VSCode/Open-VSX extensions, and Python projects by using ecosystem-specific obfuscation (invisible Unicode in JS, base64→zlib→XOR in Python) to deliver a common Node.js-based infostealer; operators use a Solana blockchain address for immutable C2 and host payloads on shared infrastructure (multiple IPs), with active exploitation confirmed and indicators (Solana address, IPs, code fingerprints, persistence artifacts) published by multiple vendors.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
