GlassWorm Supply-Chain Worm Hits VS Code, OpenVSX, npm, PyPI, and GitHub
GlassWorm was reported as a self-propagating supply-chain malware campaign that spread through developer ecosystems including the VS Code Marketplace, OpenVSX, npm, PyPI, and GitHub repositories. Reporting indicates the malware abused invisible Unicode characters to hide malicious logic inside extensions and packages, allowing payloads to evade casual review; analysis of the samples surfaced decoder routines, command-and-control markers, and other indicators of compromise. One wave specifically targeted macOS users through poisoned OpenVSX extensions, expanding the campaign beyond code repositories into developer workstations.
Security researchers and defenders responded by publishing detection guidance and tooling to hunt for GlassWorm artifacts across local Git repositories, VS Code extensions, and package dependencies. The open-source glassworm-hunter project was released to scan for hidden Unicode payloads, decoder patterns, C2 markers, and known malicious IOCs, reflecting concern that the campaign crossed multiple software distribution channels rather than a single marketplace. The incident highlights a broad software supply-chain intrusion in which trusted developer platforms were used to distribute stealthy malware concealed inside seemingly legitimate code.
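As an added illustration of the kind of check such hunting tools perform (example code written for this page, not glassworm-hunter's own implementation), the Python below flags invisible Unicode characters in a source file and separates a stray zero-width character from a run long enough to carry hidden content. The two extension sources it scans are constructed samples, not real GlassWorm artifacts.

```python
import unicodedata

# General categories that render no glyph: Cf (format: zero-width space/joiner,
# bidi controls, BOM), Co (private use), Cn (unassigned).
INVISIBLE_CATEGORIES = {"Cf", "Co", "Cn"}
# Variation selectors are category Mn but are invisible after an ordinary
# character, so they are matched by code point range instead.
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
BOM = "\ufeff"

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES):
        return True
    return unicodedata.category(ch) in INVISIBLE_CATEGORIES

def scan_source(text):
    """Return (findings, longest_run); a finding is (line, col, code point, name).
    longest_run counts consecutive invisible characters: a stray zero-width
    joiner is a run of 1, embedded hidden content is a long run."""
    findings, longest_run = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line_no == 1 and line.startswith(BOM):
            line = line[1:]  # a leading byte-order mark is benign
        run = 0
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
                run += 1
                longest_run = max(longest_run, run)
            else:
                run = 0
    return findings, longest_run

def verdict(text, run_threshold=8):
    """'clean', 'review' (isolated invisible characters) or 'suspicious' (long run)."""
    findings, longest_run = scan_source(text)
    if not findings:
        return "clean"
    return "suspicious" if longest_run >= run_threshold else "review"

# Constructed sample extension sources for the demo (not real GlassWorm artifacts).
SAMPLE_CLEAN = "const greeting = 'hello';\nconsole.log(greeting);\n"
SAMPLE_HIDDEN = ("const greeting = 'hello';\n"
                 "const marker = '" + "".join(chr(0xE0100 + i) for i in range(16)) + "';\n"
                 "console.log(greeting);\n")
for label, src in (("clean", SAMPLE_CLEAN), ("hidden", SAMPLE_HIDDEN)):
    found, longest = scan_source(src)
    print(f"{label}: {verdict(src)} ({len(found)} invisible chars, longest run {longest})")
```

Run it over every `.js`, `.ts` and `package.json` under an extension directory and triage anything that is not "clean"; a hit inside a string literal or comment where no zero-width or bidi character has a legitimate reason to be is what warrants a closer look.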

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Researchers link GlassWorm to PyPI and hijacked React Native npm packages
CrowdStrike and Sonatype linked the GlassWorm campaign to activity involving PyPI repositories and hijacked React Native npm packages with more than 30,000 weekly downloads. The reporting also described Solana blockchain-based command-and-control and additional credential- and wallet-theft capabilities, expanding the known scope and tradecraft of the campaign.
OSV withdraws 157 likely automated false-positive malware reports
One day after the GlassWorm takedown, the OSV database withdrew 157 malware reports after maintainers concluded the submissions were likely automated false positives. The development was reported in the context of growing noise around supply-chain security reporting.
CrowdStrike attributes GlassWorm to Russian threat actors
Following reporting on the coordinated disruption of GlassWorm, CrowdStrike said the operation was likely conducted by Russian threat actors. The attribution was based on CIS-avoidance logic, Russian-language comments in the malware, and broader tradecraft patterns.
Coordinated takedown disrupts GlassWorm command-and-control channels
CrowdStrike, working with Google and the Shadowserver Foundation, announced a coordinated disruption of all four command-and-control channels used by the GlassWorm campaign. The report said the operation targeted resilient infrastructure including Solana blockchain, BitTorrent DHT, Google Calendar, and VPS-hosted channels supporting the developer-focused supply-chain malware.
Glassworm-hunter tool released to scan for GlassWorm indicators
A public GitHub tool, glassworm-hunter, was released to detect GlassWorm indicators in VS Code extensions, npm and PyPI packages, and local Git repositories. The tool searches for invisible Unicode payloads, decoder patterns, command-and-control markers, and known malicious IOCs.
OpenSource Malware details GlassWorm spread across GitHub, npm, Open VSX and VS Code
Technical analysis expanded the known scope of the GlassWorm campaign, describing activity across GitHub repositories, npm packages, Open VSX, and VS Code. The report characterized the operation as a multi-platform supply-chain intrusion using related tactics across ecosystems.
TechRadar reports GlassWorm targeting macOS via OpenVSX extensions
Reporting highlighted that GlassWorm was being used to target macOS users through malicious OpenVSX extensions. The coverage framed the activity as an active malware threat delivered through the extension marketplace.
GlassWorm worm first hits Open VSX and VS Code extension ecosystems
GlassWorm was identified as a self-propagating supply-chain worm affecting the Open VSX and VS Code extension ecosystems. Early reporting described invisible-code techniques and malicious extension propagation as the core of the campaign.
Sources
Supply chain battles intensify as takedowns meet AI-driven noise | InfoWorld
infoworld.com
Specialists shut down the Glassworm botnet's infrastructure - Хакер
xakep.ru
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
thehackernews.com
How cybersecurity firms took down Glassworm botnet in one shot
securityaffairs.com
Invisible Threats and the Blind Spots of Security | Endor Labs
endorlabs.com
Four Arms, One Monster: GlassWorm Invades GitHub, NPM, Open VSX and VS Code | OpenSource Malware Blog
opensourcemalware.com
Dangerous new malware targets macOS devices via OpenVSX extensions - here's how to stay safe | TechRadar
techradar.com
First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace
koi.ai