GlassWorm malware has re-emerged with a coordinated and sophisticated supply-chain attack, targeting over 400 code repositories, packages, and extensions across major development platforms including GitHub, npm, VSCode, and OpenVSX. This insidious campaign, first identified in October 2025, leverages “invisible” Unicode characters to cloak malicious code, rendering it exceptionally difficult to detect through conventional code review processes.
Attributed to Russian-speaking threat actors, the GlassWorm campaign exhibits a self-propagating worm-like behavior designed to pilfer sensitive information and compromise developer environments. Notably, the malware is programmed to bypass execution if a Russian locale is detected on the system, a common tactic for such groups. Security researchers from Aikido, Socket, Step Security, and the OpenSourceMalware community have been at the forefront of identifying and dissecting this evolving threat, providing critical insights into its mechanisms and objectives.
The Anatomy of the GlassWorm Malware
The capabilities of the GlassWorm malware are extensive and alarming, designed for maximum impact within the development ecosystem. Its primary objectives include credential theft, targeting a wide array of platforms such as NPM, GitHub, Git, OpenVSX, GitLab, and Azure DevOps. This also extends to harvesting SSH keys and access tokens, providing attackers with deep access to victim infrastructure. Beyond credentials, the malware aggressively seeks financial gain by targeting 49 different cryptocurrency wallet extensions, aiming to drain funds directly from developers.
For persistent control and evasion, GlassWorm deploys SOCKS proxy servers to anonymize attacker traffic and circumvent firewalls. It also installs hidden VNC servers, facilitated by the “ZOMBI” RAT, granting attackers complete remote access to compromised systems. A particularly concerning new offshoot, codenamed “ForceMemo,” involves injecting malicious code into developer projects, specifically Python files like setup.py, main.py, and app.py. This is achieved by force-pushing changes to GitHub repositories using stolen tokens, ensuring widespread infection at the source.
The self-propagating nature of GlassWorm is a key factor in its rapid spread. By utilizing stolen credentials, the malware automatically compromises additional packages and extensions, creating an exponential infection curve across the supply chain. This makes containment incredibly challenging for affected organizations and individual developers alike.
A Timeline of GlassWorm Malware Attacks
The campaign has unfolded in several distinct waves, demonstrating the attackers’ persistence and adaptability. The initial detection of malicious npm packages using invisible Unicode characters by Aikido dates back to March 2025. By October 17, 2025, GlassWorm was officially observed compromising seven OpenVSX extensions, leading to approximately 35,800 downloads. A second iteration in November 2025 infected three VS Code extensions, tallying around 10,000 downloads, and the malware concurrently surfaced in GitHub repositories, with its command-and-control (C2) infrastructure becoming active by November 27, 2025.
Late January 2026 saw another significant attack, compromising a developer’s account and affecting four extensions with over 22,000 downloads. The most recent and alarming mass wave emerged in March 2026, with widespread compromises on GitHub between March 3 and March 9. Researchers collectively identified 433 compromised components this month, with the earliest GitHub repository injections traced back to March 8, 2026.
“The sophisticated use of invisible Unicode characters highlights a significant blind spot in traditional code review, making GlassWorm an exceptionally stealthy and dangerous threat to the software supply chain.”
Targeted Platforms and Motivations
The attacks have been broadly distributed, affecting hundreds of code repositories on GitHub, particularly Python projects including Django applications, ML research code, Streamlit dashboards, and PyPI packages. npm has also seen a proliferation of malicious packages and extensions. On VSCode and OpenVSX, hundreds of extensions have been compromised, with 72 new malicious extensions linked to the campaign on OpenVSX since January 31, 2026.
The overarching motivation behind the GlassWorm malware campaign is clearly financial gain, primarily through cryptocurrency theft and the establishment of robust criminal infrastructure. By compromising developer accounts and injecting malware into widely used code repositories and extensions, the attackers can achieve widespread infection and persistent control over victim machines. The innovative use of invisible code, coupled with decentralized command-and-control infrastructure leveraging the Solana blockchain and Google Calendar as a backup, renders the malware highly evasive and resilient to takedowns, posing a severe and ongoing threat to the global software development community and related related Tech news.




