Follow on X RSS Feed
Malware

GlassWorm Exploits Trust in Open Source Ecosystems

Cybersec Sentinel

5 min read
GlassWorm Exploits Trust in Open Source Ecosystems

Threat Group – Unattributed
Threat Type – Supply chain malware, infostealer, credential theft
Exploited Vulnerabilities – No CVE assigned. Abuse of trusted package registries, compromised publisher access, stolen developer credentials, invisible Unicode obfuscation, and extension dependency abuse
Malware Used – GlassWorm loader and follow on JavaScript based payloads
Threat Score – 8.7 🔥 Critical
Last Threat Observation – March 17, 2026

Overview

GlassWorm is a rapidly evolving supply chain malware campaign targeting developers and software ecosystems. It began with malicious Visual Studio Code and Open VSX extensions but has expanded into GitHub repositories, npm packages, and AI related development tooling.

Recent activity shows a clear shift toward multi ecosystem propagation. The operators are leveraging compromised publisher accounts, dependency chains, and stolen developer credentials to distribute payloads at scale. This increases both the reach and trust level of the malware, making detection significantly more difficult.

GlassWorm is particularly dangerous because it targets developer environments that often contain high value secrets such as cloud credentials, SSH keys, API tokens, and cryptocurrency wallets. A single compromised workstation can lead to broader enterprise compromise and downstream supply chain exposure.

Key Details

Delivery Method – Malicious extensions, compromised publisher accounts, dependency chain abuse, npm packages, and injected code in GitHub repositories

Target – Developers, DevOps engineers, open source maintainers, AI assisted development environments, and cryptocurrency users

Functions

  • Steals browser session data, credentials, and wallet information
  • Extracts developer secrets such as AWS keys, SSH keys, and VPN configurations
  • Collects data from desktop crypto wallets and local keychains
  • Uses blockchain based command channels to dynamically retrieve payload instructions
  • Enables further spread through account takeover and repository compromise

Obfuscation – Invisible Unicode encoding, runtime payload reconstruction, staged loaders, AES encrypted second stage payloads, and dependency based execution paths

Attack Vectors

GlassWorm uses a highly deceptive technique involving invisible Unicode characters to hide malicious payloads. These characters appear blank in editors and code reviews, allowing attackers to embed executable code that is not visible during normal inspection.

The malware is commonly delivered through trusted development channels. In multiple cases, legitimate extension publisher accounts were compromised and used to distribute malicious updates. This allows the attackers to reach thousands of users without needing to create new or suspicious packages.

A major evolution in the campaign is the use of dependency chains. Attackers publish seemingly harmless extensions or packages that later introduce malicious dependencies. This means the actual payload may not exist in the original package, making detection far more complex.

GlassWorm has also expanded into GitHub repository compromises. Attackers use stolen credentials to perform force pushes that inject obfuscated malware directly into project codebases. This enables downstream infection when users pull or build affected repositories.

More recently, the campaign has moved into AI development tooling, particularly MCP style packages. These components often run locally with access to environment variables, files, and API keys, making them high value targets for credential theft.

The use of blockchain based command channels, specifically Solana transaction memos, provides resilience. Attackers can update payload locations dynamically without modifying the original malicious package, complicating takedown efforts.

Known Indicators of Compromise

Infrastructure Indicators

Solana Wallets

  • BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
  • G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t

IP Addresses Defanged

  • 45[.]32[.]151[.]157
  • 45[.]32[.]150[.]251
  • 217[.]69[.]11[.]57
  • 217[.]69[.]11[.]99
  • 217[.]69[.]0[.]159
  • 45[.]76[.]44[.]240

File and Host Artefacts

  • ~/init.json
  • i.js
  • /tmp/ijewf
  • /tmp/out.zip

Code Level Indicators

  • Variable marker lzcdrtfxyqiplpd
  • XOR key value 134
  • Presence of invisible Unicode encoded payload strings
  • Runtime decoded JavaScript execution logic
  • Locale evasion checks targeting Russian language settings

Malicious or Abused Packages and Extensions

  • @iflow-mcp/watercrawl-watercrawl-mcp
  • @aifabrix/miso-client
  • quartz.quartz-markdown-editor
  • oorzc.ssh-tools
  • oorzc.i18n-tools-plus
  • oorzc.mind-map
  • oorzc.scss-to-css-compile

Mitigation and Prevention

Mitigation Checklist

User Awareness
Educate developers that trusted platforms such as npm, GitHub, and extension marketplaces can still host malicious content. Emphasise the risks of installing new packages or updates without verification.

Account Alert Monitoring
Monitor for password reset notifications, suspicious login alerts, unusual repository access changes, publisher account changes, and unexpected security notifications from GitHub, npm, cloud platforms, and extension marketplaces.

Antivirus Protection
Ensure endpoint detection and response solutions are deployed on developer systems. Enable behavioural detection for suspicious file access, archive creation, and unusual runtime execution patterns.

Two Factor Authentication 2FA
Enforce strong multi factor authentication across GitHub, npm, cloud platforms, and extension publishing portals. Rotate credentials and tokens regularly.

Log Monitoring
Monitor for force pushes to repositories, unexpected dependency changes, unusual package updates, and outbound traffic to unknown infrastructure or blockchain related endpoints.

Regular Updates
Audit installed extensions and packages regularly. Remove untrusted or unnecessary components. Pin dependencies and review update histories before applying new versions.

Additional Defensive Priorities

  • Detect invisible Unicode usage in source code and packages
  • Restrict extension installation to approved allow lists
  • Treat developer endpoints as high value assets requiring stronger controls
  • Limit access to sensitive credentials using vaulting and just in time access
  • Review AI development tool integrations before adoption

Risk Assessment

GlassWorm represents a critical level threat due to its combination of stealth, scale, and impact.

It operates within trusted ecosystems, making user driven execution highly likely. The malware targets high value developer environments that contain credentials capable of unlocking cloud infrastructure, source code, and financial assets.

The campaign demonstrates strong adaptability. It has evolved from simple malicious extensions into a multi stage supply chain attack that spans repositories, package managers, and AI tooling.

Its use of decentralised command channels increases resilience and complicates disruption efforts. Combined with credential theft and repository compromise, GlassWorm can enable large scale downstream attacks.

The risk is not limited to individual developers. Organisations using affected tools or repositories may inherit compromise through normal development workflows.

Conclusion

GlassWorm is a modern supply chain threat that directly targets the trust relationships within software development ecosystems. It leverages stealth techniques, compromised accounts, and dependency chains to distribute malware at scale.

Organisations should assume that developer environments are high risk targets and implement controls accordingly. Immediate actions should include auditing extensions and packages, rotating credentials, reviewing repository activity, and strengthening authentication across all developer platforms.

Failure to address this threat could result in credential theft, source code compromise, financial loss, and broader supply chain exposure.

Sources

Socket.dev – GlassWorm Loader Hits Open VSX via Suspected Developer Account Compromise – https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
Aikido Security – Glassworm Is Back A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories – https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
Aikido Security – Glassworm Strikes React Packages via Hidden Unicode Payloads – https://www.aikido.dev/blog/glassworm-strikes-react-packages-phone-numbers
Koi Security – GlassWorm Hits MCP Fifth Wave with New Delivery Techniques – https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques
Microsoft – Behavior Win32 GlassWorm A MTB Malware Description – https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/GlassWorm.A!MTB
BleepingComputer – GlassWorm Malware Hits Over 400 Code Repositories Across GitHub npm VSCode and OpenVSX – https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/