
GlassWorm Supply Chain Attacks Through Compromised Developer and Package Publisher Accounts

Tags: cryptostealer, credential theft, backdoor, supply chain, open-source, dependency confusion, windows, github, pypi

Updated March 16, 2026 at 09:02 PM (2 sources)


GlassWorm is driving active software supply chain compromises by abusing stolen credentials to insert malware into widely used open-source code and package ecosystems. One campaign, dubbed ForceMemo, used GitHub tokens stolen from developer machines via malicious VS Code and Cursor extensions to force-push obfuscated payloads into hundreds of Python repositories, including Django apps, ML projects, Streamlit dashboards, and PyPI-linked codebases. The injected code was appended to files such as setup.py, main.py, and app.py, preserved original commit metadata to reduce suspicion, skipped execution on systems using a Russian locale, and retrieved follow-on payload locations through the memo field of a Solana wallet previously associated with GlassWorm.

A separate but related supply chain intrusion hit npm on March 16, when two React Native packages from the same publisher — react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8 — were backdoored with identical preinstall malware. Installing either package triggered a multi-stage Windows-focused credential and cryptocurrency stealer capable of persistence and additional payload delivery, exposing developers, CI runners, and build agents to compromise through routine dependency installation. A third report on malicious npm packages posing as a Roblox Solara executor describes a different campaign, Cipher stealer, targeting Discord, browsers, and crypto wallets, and does not appear tied to GlassWorm or the compromised React Native packages.

Related Stories

Glassworm Supply-Chain Attack Hides Malicious Code in Invisible Unicode

Researchers reported a **software supply-chain campaign** attributed to **Glassworm** that hid malicious JavaScript inside **invisible Unicode characters** embedded in GitHub repositories, with the activity also spreading to **npm** and the **VS Code Marketplace**. Aikido Security identified at least **151 compromised GitHub repositories**, with infections observed between **March 3 and March 9**, and warned the visible set was likely incomplete because some repositories had already been removed. The technique abuses Unicode Private/Variation Selector ranges such as `0xFE00-0xFE0F` and `0xE0100-0xE01EF`, causing malicious content to appear as blank space to human reviewers and many code-inspection workflows. The hidden payload is decoded at runtime and executed through `eval()`, allowing attackers to conceal a full second-stage loader inside apparently empty strings. Reporting on the campaign says prior **Glassworm** activity used the decoded script to retrieve follow-on malware via the **Solana blockchain** as a command-and-control channel, enabling theft of **tokens, credentials, and secrets**. The attack is notable because the Unicode characters are effectively invisible in editors and terminals, undermining manual review and some static analysis, and because it targeted trusted developer distribution channels rather than end users directly.
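The invisible-character technique described above can be caught mechanically even when editors render nothing. The following scanner is an added example (not code from the researchers or from the campaign) that walks source text by code point, flags the two variation-selector ranges named in the report, and reports each contiguous run with its position; the sample input is constructed here and encodes no real payload.

```javascript
// Added example: detect runs of Unicode variation selectors in source text.
// Ranges come from the report above: U+FE00-U+FE0F and U+E0100-U+E01EF.
const HIDDEN_RANGES = [
  [0xfe00, 0xfe0f],   // Variation Selectors
  [0xe0100, 0xe01ef], // Variation Selectors Supplement (astral plane, surrogate pair in UTF-16)
];

function isHiddenCodePoint(cp) {
  return HIDDEN_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per contiguous run of hidden code points:
// { line, column, length }, with 1-based line and column of the run's start.
// A single U+FE0F after an emoji is legitimate (emoji presentation selector),
// so callers should alert on run length, not on mere presence.
function findHiddenRuns(source) {
  const findings = [];
  let line = 1, column = 0, run = null;
  for (const ch of source) {          // for..of iterates code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    column += 1;
    if (isHiddenCodePoint(cp)) {
      if (run === null) run = { line, column, length: 0 };
      run.length += 1;
    } else {
      if (run !== null) { findings.push(run); run = null; }
      if (ch === '\n') { line += 1; column = 0; }
    }
  }
  if (run !== null) findings.push(run);
  return findings;
}

// Threshold of 8 is an assumption for this example; tune it to your code base.
function scanReport(source, minRun = 8) {
  const runs = findHiddenRuns(source);
  return { suspicious: runs.some(r => r.length >= minRun), runs };
}

// Constructed sample: a string literal that renders as empty but carries 12
// variation selectors (placeholders only, nothing is encoded in them).
const SAMPLE = 'const cfg = "' + '\u{E0100}\u{E0123}\uFE0F'.repeat(4) + '";\nmodule.exports = cfg;\n';

console.log(JSON.stringify(scanReport(SAMPLE), null, 2));
```

Run it over a checkout before review (for example in a pre-receive hook or CI step); a clean file yields no runs, while the sample reports one 12-character run starting at line 1, column 14.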

2 days ago
GlassWorm Supply-Chain Campaign Abuses Open VSX Extension Dependencies

**GlassWorm** expanded its software supply-chain campaign in the Open VSX ecosystem by publishing dozens of seemingly benign extensions that later pull in malicious components through the `extensionPack` and `extensionDependencies` manifest fields. Socket reported **73 malicious Open VSX extensions** linked to the operation, while another report cited **72** newly identified packages, reflecting the same campaign and detection set. The technique allows attackers to establish trust with an initial standalone-looking extension and then, in a later update, silently install a hidden GlassWorm loader as a transitive dependency, defeating one-time review of the original package. The malicious listings impersonate common developer tools including formatters, linters, language support packages, and AI coding assistants to maximize installation volume. The campaign preserves earlier **GlassWorm** tradecraft while improving evasion and resilience. Reported behaviors include staged JavaScript execution, **Russian locale/timezone geofencing**, use of **Solana transaction memos** as dead drops, and in-memory execution of follow-on code. Socket also observed infrastructure and loader changes, including reuse of `45[.]32[.]150[.]251`, addition of `45[.]32[.]151[.]157` and `70[.]34[.]242[.]255`, migration to a new Solana wallet, and a shift from a static AES-wrapped loader to heavier **RC4/base64/string-array obfuscation** with decryption material moved into HTTP response headers such as `ivbase64` and `secretkey`.
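Both the transitive-dependency trick above and the backdoored npm `preinstall` scripts in the lead story share the same blind spot: a manifest reviewed once and then changed in a later version. The following is an added example (not Socket's or the reports' code) that diffs two versions of a `package.json`-style manifest and reports newly added `extensionPack`/`extensionDependencies` entries and newly added or changed npm lifecycle scripts; the manifests and identifiers are constructed placeholders, not the real malicious packages.

```javascript
// Added example: flag what a manifest update quietly introduced in the fields
// the campaign abused. Works for VS Code / Open VSX extension manifests and
// plain npm package.json files (both are JSON with the same shape).
const WATCHED_LISTS = ['extensionPack', 'extensionDependencies'];
// npm lifecycle hooks that run on install; preinstall is the one used in the
// React Native packages described above.
const WATCHED_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

function diffManifests(oldManifest, newManifest) {
  const added = { dependencies: [], scripts: [] };
  for (const field of WATCHED_LISTS) {
    const before = new Set(oldManifest[field] || []);
    for (const id of newManifest[field] || []) {
      if (!before.has(id)) added.dependencies.push(`${field}: ${id}`);
    }
  }
  const oldScripts = oldManifest.scripts || {};
  const newScripts = newManifest.scripts || {};
  for (const hook of WATCHED_SCRIPTS) {
    // New hook, or an existing hook whose command changed, both merit a look.
    if (newScripts[hook] !== undefined && newScripts[hook] !== oldScripts[hook]) {
      added.scripts.push(`${hook}: ${newScripts[hook]}`);
    }
  }
  return added;
}

function review(oldManifest, newManifest) {
  const added = diffManifests(oldManifest, newManifest);
  const needsReview = added.dependencies.length > 0 || added.scripts.length > 0;
  return { needsReview, ...added };
}

// Constructed manifests: v1.0.0 is a standalone-looking formatter, v1.0.1 adds a
// transitive extension dependency and a preinstall hook (placeholder names).
const V1 = { name: 'example-formatter', version: '1.0.0', scripts: { test: 'node test.js' } };
const V2 = {
  name: 'example-formatter',
  version: '1.0.1',
  extensionDependencies: ['example-publisher.hidden-loader'],
  scripts: { test: 'node test.js', preinstall: 'node setup.js' },
};

console.log(JSON.stringify(review(V1, V2), null, 2));
```

In practice, feed it the manifest of the version you last approved and the one an update wants to install, and gate the update on an empty report.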

Today
GitHub Repository Hijacks Used to Distribute Malware to Developers

Researchers reported active **software supply chain attacks** in which legitimate GitHub accounts and repositories were compromised and then used to distribute malware to developers. In one case, the verified **dev-protocol** GitHub organization was hijacked and repurposed to host polished **Polymarket** trading-bot repositories that secretly pulled typosquatted npm dependencies. Running the project exfiltrated `.env` contents including wallet private keys to attacker-controlled infrastructure, performed host fingerprinting, and modified firewall settings to expose SSH access; victims were advised to rotate wallet and API secrets and inspect `~/.ssh/authorized_keys` for persistence. A separate but related GitHub-focused campaign, dubbed **ForceMemo**, involved takeover of developer accounts and force-pushes to hundreds of Python repositories so that malicious code was appended to files such as `setup.py`, `main.py`, and `app.py` while preserving original commit metadata. Anyone installing directly from those repos could trigger the payload, and the activity affected projects ranging from Django applications to ML and Streamlit code. A report on malicious npm packages posing as a Roblox *Solara* executor was excluded because it describes a different npm ecosystem campaign centered on **Cipher stealer**, not the GitHub account and repository hijacks used in the other incidents.

Yesterday