Monday 06 July 2026 22:54:42 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Intelligence & Threat Trends

“Invisible” Intruders: GlassWorm Malware Unleashes Massive Supply Chain Assault on Open-Source Ecosystem

Published: 18 March 2026 01:09Category: Cyber Intelligence & Threat TrendsAuthor: LOGICFALCON

Subtitle: Over 400 code repositories and extensions on GitHub, npm, and VSCode have been compromised in a sprawling, stealthy malware campaign.

It began with a whisper in the code. When developers across the globe noticed oddities in their projects-unexplained files, strange commit histories, and cryptic Unicode characters-they were already caught in the web of GlassWorm. This latest supply chain attack isn’t just a technical feat; it’s a wake-up call for the open-source world, where trust is currency and invisible threats can strike at the heart of innovation.

The GlassWorm campaign, first detected in October, has returned with unprecedented scale and sophistication. Security researchers from Aikido, Socket, Step Security, and the OpenSourceMalware community have traced over 400 infected repositories and packages back to a single threat actor, likely Russian-speaking, based on code comments and regional avoidance techniques. The attackers’ playbook is as creative as it is concerning: they compromise developer accounts on GitHub, force-push malicious commits, and then propagate their tainted packages through npm and VSCode’s extension marketplaces-platforms trusted by millions.

What makes GlassWorm particularly insidious is its use of invisible Unicode characters, which cloak malicious code lines from the naked eye. These “ghost” instructions harvest sensitive information, including crypto wallet data and developer credentials, while evading standard code reviews. Once inside, the malware persists by creating stealthy files (like ~/init.json) and even installs a hidden Node.js runtime-often overlooked by antivirus solutions.

The attackers coordinate their operations using the Solana blockchain, sending new instructions every five seconds via blockchain transactions. Each memo contains updated payload URLs, turning the blockchain into a decentralized command center. The malware executes JavaScript-based stealers, siphoning off SSH keys, tokens, and other digital valuables. Telltale signs of compromise include the presence of the marker variable lzcdrtfxyqiplpd, unexpected node-v22* folders, and suspicious i.js files in cloned projects.

GlassWorm’s reach is broad: over 200 Python repositories, 151 JavaScript/TypeScript projects, 72 VSCode/OpenVSX extensions, and 10 npm packages have been confirmed affected. Even macOS users were targeted through trojanized crypto wallet clients and compromised extensions. The attackers’ infrastructure is shared across all platforms, with the campaign evolving through multiple waves, each more aggressive and widespread than the last.

For developers and organizations, the GlassWorm incident is a stark reminder that the open-source ecosystem’s strength-its openness and collaboration-is also its greatest vulnerability. Vigilance, code review hygiene, and rapid incident response are now more crucial than ever. As GlassWorm continues to evolve, the battle for supply chain security is only just beginning.

WIKICROOK

  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Invisible Unicode Characters: Invisible Unicode characters are non-visible symbols used in text formatting, often exploited by attackers to conceal malicious code or deceive users.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.