Glassworm Supply-Chain Attack Hides Malicious Code in Invisible Unicode
Researchers reported a software supply-chain campaign attributed to Glassworm that hid malicious JavaScript inside invisible Unicode characters embedded in GitHub repositories, with the activity also spreading to npm and the VS Code Marketplace. Aikido Security identified at least 151 compromised GitHub repositories, with infections observed between March 3 and March 9, and warned the visible set was likely incomplete because some repositories had already been removed. The technique abuses Unicode Private/Variation Selector ranges such as 0xFE00-0xFE0F and 0xE0100-0xE01EF, causing malicious content to appear as blank space to human reviewers and many code-inspection workflows.
The hidden payload is decoded at runtime and executed through eval(), allowing attackers to conceal a full second-stage loader inside apparently empty strings. Reporting on the campaign says prior Glassworm activity used the decoded script to retrieve follow-on malware via the Solana blockchain as a command-and-control channel, enabling theft of tokens, credentials, and secrets. The attack is notable because the Unicode characters are effectively invisible in editors and terminals, undermining manual review and some static analysis, and because it targeted trusted developer distribution channels rather than end users directly.
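The report describes the payload as living in variation-selector code points that editors render as blank space, then being decoded and passed to eval(). As an added example, not code from the report or from any vendor's tooling, the scanner below flags exactly that pattern from the defender's side: it finds runs of the code points in the ranges the report names and checks whether the same file also reaches for eval()/new Function(). The encoding from selector to payload byte is not described on the page and is not needed to detect the technique. The sample inputs and the run-length threshold are constructed for this example.

```javascript
// Added example (not code from the report or from any vendor tooling):
// a defender-side scanner that flags Unicode variation selectors, which
// render as nothing in editors but can carry hidden data, and reports
// whether the file also calls eval()/new Function().

// Code point ranges named in the report. The selector-to-byte mapping
// is not described there and is not needed for detection.
const HIDDEN_RANGES = [
  [0xfe00, 0xfe0f],   // Variation Selectors, VS1..VS16
  [0xe0100, 0xe01ef], // Variation Selectors Supplement, VS17..VS256
];

// A lone selector after a base character is ordinary emoji presentation
// (e.g. U+2764 U+FE0F); a run of several in a row has no text meaning.
const MIN_SUSPICIOUS_RUN = 4; // assumption: threshold chosen for this example

function isHiddenCodePoint(cp) {
  return HIDDEN_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Find every run of consecutive selector code points, per line.
// Iterates by code point (Array.from), so astral selectors count once.
function scanForHiddenUnicode(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const cps = Array.from(text);
    let run = null;
    for (let i = 0; i <= cps.length; i++) {
      const cp = i < cps.length ? cps[i].codePointAt(0) : -1; // -1 ends the line
      if (isHiddenCodePoint(cp)) {
        if (!run) run = { line: idx + 1, col: i + 1, length: 0 };
        run.length += 1;
      } else if (run) {
        findings.push(run);
        run = null;
      }
    }
  });
  return findings;
}

// Combine the hidden-run findings with a dynamic-execution check.
function triageSource(source) {
  const runs = scanForHiddenUnicode(source);
  const longRuns = runs.filter((r) => r.length >= MIN_SUSPICIOUS_RUN);
  const usesEval = /\beval\s*\(|new\s+Function\s*\(/.test(source);
  let verdict = 'clean';
  if (longRuns.length > 0) verdict = usesEval ? 'high' : 'medium';
  return {
    runs,
    hiddenChars: runs.reduce((n, r) => n + r.length, 0),
    usesEval,
    verdict,
  };
}

// Constructed samples (not taken from any real repository).
const SAMPLE_CLEAN = 'const label = "I \u2764\uFE0F JS";\n';
const SAMPLE_SUSPICIOUS =
  'const s = "\u{E0101}\u{E0142}\u{E01A0}\u{E0105}\u{E0110}\u{E0120}";\n' +
  'eval(decode(s));\n';

console.log(triageSource(SAMPLE_CLEAN).verdict);      // clean
console.log(triageSource(SAMPLE_SUSPICIOUS).verdict); // high
```

The run-length threshold is what keeps the emoji presentation selector in ordinary strings from producing noise; a CI check that fails on any `medium` or `high` verdict catches the blank-looking string literal that a human diff review would scroll straight past.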
Related Stories
GlassWorm Supply Chain Attack on Visual Studio Code Extensions
A sophisticated supply chain attack has targeted Visual Studio Code (VS Code) extensions, leveraging a self-propagating worm known as GlassWorm. Security researchers at Koi Security discovered the malware after identifying suspicious behavior in an extension called CodeJoy on the OpenVSX marketplace. The worm employs a novel technique using invisible Unicode characters, making the malicious code undetectable to the human eye within code editors. This approach allows the malware to evade traditional detection methods and remain stealthy within compromised extensions.

GlassWorm utilizes the Solana blockchain as its primary command-and-control (C2) channel, with Google Calendar serving as a backup C2 infrastructure, enhancing its resilience and making takedown efforts more challenging. The worm has already infected nearly 36,000 developer machines, indicating a significant impact on the developer ecosystem. Once installed, GlassWorm harvests credentials from NPM, GitHub, and Git, enabling it to propagate further by compromising additional packages and extensions. The malware also targets cryptocurrency wallets, seeking to steal digital assets from affected users. Infected systems are converted into SOCKS proxy servers, effectively turning developer machines into part of the attacker's extended C2 infrastructure. Additionally, GlassWorm installs hidden virtual network computing (VNC) servers, granting attackers full remote access to compromised machines.

The attack highlights the growing risks associated with open-source marketplaces and the potential for widespread compromise through popular development tools. Security experts emphasize the importance of scrutinizing extension code and implementing stronger guardrails in extension marketplaces to prevent similar attacks. The use of invisible Unicode and blockchain-based C2 channels represents a significant evolution in malware stealth and persistence.
The incident underscores the need for developers and organizations to monitor for unusual extension behavior and to regularly audit installed extensions for signs of compromise. The attack also demonstrates the potential for supply chain threats to rapidly scale, given the interconnected nature of developer tools and platforms. As the investigation continues, security vendors and marketplace operators are working to identify and remove malicious extensions and to strengthen defenses against future supply chain attacks.
GlassWorm Supply Chain Attacks Through Compromised Developer and Package Publisher Accounts
**GlassWorm** is driving active software supply chain compromises by abusing stolen credentials to insert malware into widely used open-source code and package ecosystems. One campaign, dubbed **ForceMemo**, used GitHub tokens stolen from developer machines via malicious VS Code and Cursor extensions to force-push obfuscated payloads into hundreds of Python repositories, including Django apps, ML projects, Streamlit dashboards, and PyPI-linked codebases. The injected code was appended to files such as `setup.py`, `main.py`, and `app.py`, preserved original commit metadata to reduce suspicion, skipped execution on systems using a Russian locale, and retrieved follow-on payload locations through the memo field of a Solana wallet previously associated with GlassWorm. A separate but related supply chain intrusion hit npm on March 16, when two React Native packages from the same publisher — `react-native-country-select@0.3.91` and `react-native-international-phone-number@0.11.8` — were backdoored with identical `preinstall` malware. Installing either package triggered a multi-stage Windows-focused credential and cryptocurrency stealer capable of persistence and additional payload delivery, exposing developers, CI runners, and build agents to compromise through routine dependency installation. A third report on malicious npm packages posing as a Roblox *Solara* executor describes a different campaign, **Cipher stealer**, targeting Discord, browsers, and crypto wallets, and does not appear tied to GlassWorm or the compromised React Native packages.
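The npm intrusion above worked through a `preinstall` script, which npm runs automatically during dependency installation on developer machines, CI runners and build agents. As an added example, not code from the report or from npm, the audit below takes parsed `package.json` manifests and reports every install-time lifecycle hook, scoring the command against a small set of indicator patterns chosen for this example. The manifests, package names and the backdoor-shaped command are constructed placeholders, not the real packages named in the report.

```javascript
// Added example (not code from the report or from npm): audit a set of
// parsed package.json manifests for install-time lifecycle scripts, which
// run automatically during `npm install`, and flag command patterns that
// a reviewer would want to look at before installing.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators (assumption: chosen for this example, not a vendor
// signature set). Each match is one reason to block and review.
const RISKY_PATTERNS = [
  { name: 'inline-node', re: /\bnode\s+-e\b/ },
  { name: 'remote-fetch', re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: 'windows-shell', re: /\b(powershell|cmd(\.exe)?\s*\/c)\b/i },
  { name: 'hidden-window', re: /-w(indowstyle)?\s+hidden/i },
  { name: 'encoded-blob', re: /\bbase64\b|[A-Za-z0-9+/]{80,}={0,2}/ },
];

// manifests: array of parsed package.json objects (name, version, scripts).
function auditInstallScripts(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (typeof scripts[hook] !== 'string') continue;
      const command = scripts[hook];
      const indicators = RISKY_PATTERNS
        .filter((p) => p.re.test(command))
        .map((p) => p.name);
      findings.push({
        package: `${m.name}@${m.version}`,
        hook,
        command,
        indicators,
        // Any lifecycle hook deserves a look; matched indicators make it urgent.
        severity: indicators.length > 0 ? 'high' : 'review',
      });
    }
  }
  return findings;
}

// Constructed manifests (placeholder names, not real packages).
const SAMPLE_MANIFESTS = [
  { name: 'plain-lib', version: '1.0.0', scripts: { test: 'mocha' } },
  { name: 'native-addon', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  {
    name: 'backdoored-example',
    version: '0.0.1',
    scripts: {
      // Inert constructed command shaped like the Windows-focused stager the
      // report describes; <placeholder> stands in for any payload reference.
      preinstall:
        'node -e "require(\'child_process\').exec(\'powershell -w hidden -c <placeholder>\')"',
    },
  },
];

console.log(JSON.stringify(auditInstallScripts(SAMPLE_MANIFESTS), null, 2));
```

The `review` tier exists because legitimate native addons do use `install` hooks (`node-gyp rebuild` is the usual case), so a blanket block would not survive contact with a real dependency tree. For CI runners and build agents the stronger control is to disable lifecycle scripts outright with `ignore-scripts=true` in `.npmrc` and re-enable them only for the packages that are known to need them.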
GlassWorm Supply-Chain Campaign Abuses Open VSX Extension Dependencies
**GlassWorm** expanded its software supply-chain campaign in the Open VSX ecosystem by publishing dozens of seemingly benign extensions that later pull in malicious components through the `extensionPack` and `extensionDependencies` manifest fields. Socket reported **73 malicious Open VSX extensions** linked to the operation, while another report cited **72** newly identified packages, reflecting the same campaign and detection set. The technique allows attackers to establish trust with an initial standalone-looking extension and then, in a later update, silently install a hidden GlassWorm loader as a transitive dependency, defeating one-time review of the original package. The malicious listings impersonate common developer tools including formatters, linters, language support packages, and AI coding assistants to maximize installation volume.

The campaign preserves earlier **GlassWorm** tradecraft while improving evasion and resilience. Reported behaviors include staged JavaScript execution, **Russian locale/timezone geofencing**, use of **Solana transaction memos** as dead drops, and in-memory execution of follow-on code. Socket also observed infrastructure and loader changes, including reuse of `45[.]32[.]150[.]251`, addition of `45[.]32[.]151[.]157` and `70[.]34[.]242[.]255`, migration to a new Solana wallet, and a shift from a static AES-wrapped loader to heavier **RC4/base64/string-array obfuscation** with decryption material moved into HTTP response headers such as `ivbase64` and `secretkey`.
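The weakness this campaign exploits is that an extension is reviewed once, at first install, while `extensionPack` and `extensionDependencies` can change in any later update. As an added example, not code from the report, Socket or Open VSX, the check below diffs a previously reviewed extension manifest against the updated one and reports newly added transitive extensions, noting when they come from a different publisher, together with any new activation events. The manifests and identifiers are constructed placeholders.

```javascript
// Added example (not code from the report, Socket, or Open VSX): compare a
// previously reviewed extension manifest (package.json) with an updated one
// and report newly added transitive extensions, so a one-time review of the
// original listing is not silently bypassed by a later update.

// Manifest fields through which an extension pulls in other extensions.
const TRANSITIVE_FIELDS = ['extensionDependencies', 'extensionPack'];

// Extension identifiers are "publisher.name"; a dependency published by
// someone other than the extension's own publisher is worth a closer look.
function publisherOf(extensionId) {
  return extensionId.split('.')[0];
}

function diffExtensionManifest(previous, current) {
  const added = [];
  for (const field of TRANSITIVE_FIELDS) {
    const before = new Set(previous[field] || []);
    for (const id of current[field] || []) {
      if (!before.has(id)) {
        added.push({ field, id, foreignPublisher: publisherOf(id) !== current.publisher });
      }
    }
  }
  const activationBefore = new Set(previous.activationEvents || []);
  const newActivation = (current.activationEvents || []).filter((e) => !activationBefore.has(e));
  return {
    from: previous.version,
    to: current.version,
    added,
    newActivation,
    // '*' activates on every editor start; combined with new transitive
    // extensions it is the change a reviewer should stop on.
    requiresReview: added.length > 0 || newActivation.includes('*'),
  };
}

// Constructed manifests with placeholder identifiers (not real listings).
const REVIEWED_V1 = {
  name: 'tidy-formatter',
  publisher: 'example-pub',
  version: '1.0.0',
  activationEvents: ['onLanguage:javascript'],
  extensionDependencies: [],
};

const UPDATE_V2 = {
  ...REVIEWED_V1,
  version: '1.0.1',
  activationEvents: ['onLanguage:javascript', '*'],
  extensionPack: ['other-pub.placeholder-loader'],
};

console.log(JSON.stringify(diffExtensionManifest(REVIEWED_V1, UPDATE_V2), null, 2));
```

Run against the manifest captured at the time of the original approval and the manifest of each update before it is allowed to install, the diff turns "a later update silently added a dependency" into a blocking finding rather than something discovered after the loader has run.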