GlassWorm Supply-Chain Campaign Compromising GitHub Repositories and Packages
The GlassWorm campaign is compromising open-source software supply chains by using stolen developer credentials and stealthy code injection techniques to backdoor repositories, packages, and extensions on GitHub, npm, PyPI, and the VS Code Marketplace. Reporting describes attackers inserting obfuscated payloads into legitimate projects, including popular repositories and Python codebases, then hiding the malicious logic with tactics such as invisible Unicode PUA characters, Base64 encoding, and history rewriting that preserves original commit metadata. The malware is designed to steal secrets, credentials, and access tokens, and in some cases retrieves follow-on payload information through Solana transaction memo fields to make exfiltration and command delivery harder to detect.
The campaign appears broad and operationally mature, with one report citing at least 151 compromised GitHub repositories in early March and another describing hundreds of affected Python repositories targeted through force-pushed malicious commits. Attackers reportedly append payloads to files such as setup.py, main.py, and app.py, while earlier access is linked to compromised developer environments, including malicious VS Code and Cursor extensions used to steal GitHub tokens. The activity affects multiple ecosystems and developer workflows, indicating a sustained supply-chain threat rather than isolated repository tampering, with risks extending to downstream users who install or execute code from infected projects.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Aikido Security reveals invisible-Unicode attack technique
Aikido Security disclosed that GlassWorm used invisible Unicode characters from Private Use Areas to conceal malicious JavaScript that executed at runtime, helping attackers hide payloads in code reviews while stealing secrets and credentials.
StepSecurity discloses ForceMemo campaign details
StepSecurity reported an active supply-chain malware campaign dubbed ForceMemo that used GlassWorm malware, often delivered through malicious VS Code and Cursor extensions, to steal GitHub tokens and implant payloads for cryptocurrency and data theft.
Researchers track broad March supply-chain activity
Aikido Security reported that at least 151 GitHub repositories were compromised between March 3 and March 9, 2026, with related activity also affecting npm packages and the VS Code Marketplace through hidden Unicode-based JavaScript payloads.
GlassWorm compromises GitHub repositories
Researchers observed the earliest malicious code injections into Python repositories on GitHub on March 8, 2026, using stolen developer tokens to force-push obfuscated changes into files such as setup.py, main.py, and app.py.
GlassWorm C2 infrastructure becomes active
Infrastructure associated with the GlassWorm campaign was active by November 2025, indicating the operators had established command-and-control capabilities months before the later repository compromises were observed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GlassWorm Supply Chain Attacks Through Compromised Developer and Package Publisher Accounts
**GlassWorm** is driving active software supply chain compromises by abusing stolen credentials to insert malware into widely used open-source code and package ecosystems. One campaign, dubbed **ForceMemo**, used GitHub tokens stolen from developer machines via malicious VS Code and Cursor extensions to force-push obfuscated payloads into hundreds of Python repositories, including Django apps, ML projects, Streamlit dashboards, and PyPI-linked codebases. The injected code was appended to files such as `setup.py`, `main.py`, and `app.py`, preserved original commit metadata to reduce suspicion, skipped execution on systems using a Russian locale, and retrieved follow-on payload locations through the memo field of a Solana wallet previously associated with GlassWorm. A separate but related supply chain intrusion hit npm on March 16, when two React Native packages from the same publisher — `react-native-country-select@0.3.91` and `react-native-international-phone-number@0.11.8` — were backdoored with identical `preinstall` malware. Installing either package triggered a multi-stage Windows-focused credential and cryptocurrency stealer capable of persistence and additional payload delivery, exposing developers, CI runners, and build agents to compromise through routine dependency installation. A third report on malicious npm packages posing as a Roblox *Solara* executor describes a different campaign, **Cipher stealer**, targeting Discord, browsers, and crypto wallets, and does not appear tied to GlassWorm or the compromised React Native packages.
Mar 21, 2026
GlassWorm Supply-Chain Campaign Compromises Open-Source Packages, Repositories, and Extensions
**GlassWorm** conducted a renewed software supply-chain campaign that compromised open-source components across **GitHub, npm, VSCode, and OpenVSX**, with researchers attributing at least **433 malicious repositories, packages, and extensions** to the operation. Reporting from multiple security firms linked the activity through shared infrastructure, similar payloads, and the same **Solana blockchain address** used for command-and-control. The campaign reportedly began with compromised GitHub accounts and force-pushed malicious commits, then expanded into published npm packages and editor extensions containing obfuscated code designed to evade review and steal developer credentials, cryptocurrency wallet data, and other sensitive information. One documented part of the campaign involved the backdooring of the npm packages **`react-native-country-select@0.3.91`** and **`react-native-international-phone-number@0.11.8`**, both published by **AstrOOnauta** and together downloaded more than **134,000** times in the prior month. Aikido found both packages used a new **`preinstall`** hook to execute an obfuscated **`install.js`** loader during a routine `npm install`, allowing infection of developer workstations, CI runners, and build agents without additional user action. Researchers said the loader was byte-identical in both packages, indicating deliberate tampering rather than a build error, and placed the incident within GlassWorm's broader pattern of using stealthy package modifications and cross-platform malware delivery to target the software development ecosystem.
May 11, 2026
GlassWorm Supply-Chain Worm Hits VS Code, OpenVSX, npm, PyPI, and GitHub
**GlassWorm** was reported as a self-propagating supply-chain malware campaign that spread through developer ecosystems including the **VS Code Marketplace**, **OpenVSX**, **npm**, **PyPI**, and **GitHub** repositories. Reporting indicates the malware abused **invisible Unicode characters** to hide malicious logic inside extensions and packages, allowing payloads to evade casual review while embedding decoder routines, command-and-control markers, and other indicators of compromise. One wave specifically targeted **macOS** users through poisoned OpenVSX extensions, expanding the campaign beyond code repositories into developer workstations. Security researchers and defenders responded by publishing detection guidance and tooling to hunt for GlassWorm artifacts across local Git repositories, VS Code extensions, and package dependencies. The open-source **`glassworm-hunter`** project was released to scan for hidden Unicode payloads, decoder patterns, C2 markers, and known malicious IOCs, reflecting concern that the campaign crossed multiple software distribution channels rather than a single marketplace. The incident highlights a broad software supply-chain intrusion in which trusted developer platforms were used to distribute stealthy malware concealed inside seemingly legitimate code.
May 31, 2026