GlassWorm

GlassWorm is an ongoing software supply-chain threat actor/campaign targeting software developers and developer ecosystems since at least early 2025. It has operated across GitHub, npm, Python packages, Microsoft Visual Studio Marketplace, and Open VSX, using malicious or trojanized packages, compromised repositories, and malicious IDE extensions to steal developer credentials, tokens, secrets, cryptocurrency wallet data, and to gain broader supply-chain access. Reporting also describes infected systems being abused as SOCKS proxies, hidden VNC servers, and remote execution nodes. Observed GlassWorm tradecraft includes malicious VS Code/OpenVSX extensions, poisoned npm and Python packages, compromised GitHub repositories, force-pushed malicious commits, and hidden payloads embedded with invisible Unicode characters. Later activity included sleeper and impersonation extensions, abuse of extensionPack and extensionDependencies for transitive delivery, and a counterfeit WakaTime extension that deployed a Zig-compiled dropper outside the JavaScript sandbox and propagated across compatible IDEs including VS Code, Cursor, Windsurf, VSCodium, and Positron. GlassWorm has also been linked to fake browser extensions, including a malicious Chrome extension used for persistence and theft. Its malware and infrastructure are described as resilient and multi-stage. Reported command-and-control mechanisms include Solana blockchain transaction memo fields, the BitTorrent DHT network, Google Calendar event titles, and VPS-hosted servers. Reported malware capabilities include credential theft from npm, GitHub, and Git; theft of browser data and cryptocurrency wallet data; arbitrary code execution; keylogging, clipboard monitoring, screenshot capture, and persistence. The malware has been referred to as GlasswormRAT in reporting. GlassWorm has been associated with large-scale compromises, including more than 300 poisoned GitHub repositories in some reporting, at least 151 compromised GitHub repositories in March 2026, and broader waves affecting hundreds of repositories, packages, and extensions. A named offshoot/sub-campaign, ForceMemo, used stolen GitHub tokens to force-push malicious code into Python repositories while preserving original commit metadata. Multiple reports assess GlassWorm as likely operated by Russian-speaking threat actors, citing Russian-language comments and malware logic that avoids execution on systems in Russia or CIS countries. This attribution is reported as an assessment rather than confirmed fact. Known alias/sub-campaign directly mentioned in the content: ForceMemo.