GlassWorm Malware Hits 400+ Code Repos with Invisible Payloads

GlassWorm is a supply chain malware campaign that compromises developer tools and code repositories to steal credentials, cryptocurrency wallet data, and sensitive access tokens. The name comes from the malware's signature technique: encoding payloads inside invisible Unicode characters that pass through code like light through glass - completely undetectable to the human eye.

The campaign first surfaced in October 2025 when seven OpenVSX extensions were compromised, racking up 35,800 total downloads before security researchers caught it. Since then, GlassWorm has launched five distinct attack waves, each one bigger and more aggressive than the last. The March 2026 wave - the fifth - hit 433 components across GitHub, npm, the VSCode Marketplace, and the OpenVSX registry.

What makes GlassWorm particularly dangerous is its self-propagating nature. Stolen credentials from infected developers are immediately reused to compromise additional repositories and packages, creating a chain reaction. A developer installs one bad extension, their GitHub credentials get harvested, and within minutes their own repos are injected with the same invisible malware.

• First detected: October 2025, targeting OpenVSX extensions with 35,800 downloads
• Five attack waves: Each escalation has expanded to new platforms and used more advanced evasion
• 433 components compromised: In March 2026 alone, spanning four distinct code ecosystems
• Self-propagating: Stolen credentials are automatically used to infect new repositories
• Severity rating: Aikido flags all GlassWorm-affected packages as 100/100 severity

The core technique is a form of steganography - hiding data in plain sight. GlassWorm encodes malicious payloads inside PUA (Private Use Area) Unicode characters in the ranges U+FE00 to U+FE0F and U+E0100 to U+E01EF. These characters are rendered as nothing by every mainstream code editor, terminal, diff tool, and code review interface. A backtick string that appears completely empty in your IDE can contain a full malicious payload. Once decoded, the hidden content gets passed directly to JavaScript's eval() function for execution.

The initial compromise usually starts on GitHub, where attackers take over developer accounts and force-push malicious commits. They rewrite git history while preserving original commit messages and timestamps, so the repository appears completely untouched. From there, malicious packages and extensions are published on npm and VSCode/OpenVSX with the same invisible payloads.

For command and control, GlassWorm uses the Solana blockchain - a system that can't be taken down through standard domain seizures. The malware queries the blockchain every five seconds for new instructions. Between November 27, 2025 and March 13, 2026, Step Security recorded 50 transactions on the attacker's Solana address, mostly updating the payload URL. Google Calendar serves as a fallback C2 channel. This is a triple-layer C2 setup designed for maximum resilience.

The scale points to automation. Aikido assessed that attackers are almost certainly using LLM-generated cover commits to disguise injections. Each malicious commit comes wrapped in what looks like a normal contribution - a documentation update, a version bump, a small bug fix. The changes are project-specific, matching the coding style of each repository. Manually crafting 150+ unique code changes across different codebases is not feasible - this is AI-assisted at scale.

Once the malware executes on a developer's machine, it goes to work:

• Credential theft: Harvests npm, GitHub, and Git credentials from the local environment
• Crypto wallet targeting: Scans for and steals data from 49 different cryptocurrency wallet extensions
• SSH key exfiltration: Copies SSH keys that could grant access to production servers and infrastructure
• SOCKS proxy deployment: Turns developer machines into proxy infrastructure for criminal operations
• Hidden VNC servers: Installs remote access tools giving attackers full control of compromised systems
• Locale check: Skips execution on systems configured with a Russian locale

The fifth wave added another wrinkle: targeting MCP (Model Context Protocol) servers. These are add-ons for AI coding assistants like Claude and Cursor. GlassWorm published a fake version of a popular legitimate MCP server on npm. If a developer installs it, the malware gains full system access through the AI assistant's permissions.

The direct targets are software developers - specifically anyone who installs npm packages, uses VS Code extensions, or pulls code from GitHub repositories. But the blast radius extends well beyond that. The compromised components include repositories from Wasmer (a WebAssembly runtime used by major companies), Reworm (a state management library), and opencode-bench from anomalyco, the organization behind OpenCode and SST. Popular React Native packages with over 130,000 monthly downloads were also hit.

Socket identified 72 malicious OpenVSX extensions linked to the same campaign. Because VS Code extensions auto-update by default, the malware can reach users silently - no interaction required beyond having the extension installed. The previous GlassWorm wave in January 2026 compromised four extensions with a combined download count of over 22,000. Every one of those users was infected automatically.

• Developers: Anyone using npm, VS Code, OpenVSX, or pulling from GitHub repos during the compromise window
• IT service providers: MSPs and IT teams using development tools that pull open-source dependencies
• End-user businesses: Companies running applications built with infected packages, even if they don't develop software internally
• AI tool users: Developers using MCP servers with AI assistants like Claude and Cursor

Multiple security firms have linked all five GlassWorm waves to a single threat actor based on three pieces of evidence: the same Solana blockchain address used for C2 across all platforms, identical or functionally similar payloads, and shared infrastructure. The consistency across attack waves and ecosystems points to a well-organized operation, not a loose collective.

Several indicators suggest a Russian origin. The malware includes a locale check that skips execution on systems configured with a Russian language setting - a common technique used by Russian cybercriminal groups to avoid targeting domestic systems and the legal scrutiny that brings. Cybernews reported that the attackers are "likely originating from Russia" based on behavioral and technical analysis.

The operation is also well-funded. Step Security found a funding wallet linked to the attackers holding over $18,000 in cryptocurrency. The Solana C2 address had its earliest transaction on November 27, 2025 - over three months before the current campaign started - suggesting the attacker was running other infection operations before pivoting to the large-scale GitHub campaign. The attacker regularly updates the payload URL, sometimes multiple times per day, indicating active and ongoing operational management.

If your business has developers or uses tools built on open-source components, these steps need attention immediately. The GlassWorm campaign is still active, and while extension marketplaces have removed many of the malicious listings, compromised repositories remain on GitHub. Researchers warn that attackers can compromise new repositories within minutes.

• Audit all installed VS Code extensions: Check for abnormal activity including suspicious network connections, vulnerable dependencies, and unusual API usage. Remove extensions that are no longer in active use - each installed extension expands your attack surface
• Review npm dependencies: Scan your package-lock.json or yarn.lock files for known compromised packages. Pay particular attention to @aifabrix/miso-client version 4.7.2 and @iflow-mcp/watercrawl-watercrawl-mcp versions 1.3.0 through 1.3.4
• Disable auto-update on extensions: A compromised extension can deliver malware silently through the update mechanism. Evaluate extension updates manually before applying them
• Enable MFA on all developer accounts: GitHub, npm, and VS Code Marketplace accounts should all have multi-factor authentication enabled. Stolen credentials are the primary vector for spreading infections
• Check Git history for anomalies: Look for force-pushed commits, especially between March 3-9, 2026. GlassWorm rewrites git history while preserving original timestamps
• Monitor for suspicious network activity: Watch for connections to Solana RPC endpoints or unusual outbound traffic patterns, particularly queries occurring at regular 5-second intervals
• Scan for indicators of compromise: Look for unexpected Node.js runtime downloads, hidden VNC processes, or SOCKS proxy services running on developer machines
• Use supply chain scanning tools: Tools like Aikido Safe Chain can intercept malicious packages during installation before they execute

For businesses in the Houston area that don't have dedicated security teams to handle this kind of assessment, a managed IT provider with cybersecurity capabilities can run these checks across your environment. This is not a "wait and see" situation - the GlassWorm campaign has been operating for five months and is actively escalating.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

Supply chain attacks like GlassWorm are exactly the kind of threat that most small businesses don't have the internal resources to detect or respond to on their own. Here's how we help:

• Endpoint monitoring and threat detection: We monitor your devices for suspicious processes, unusual network connections, and indicators of compromise associated with active campaigns like GlassWorm
• Credential and access management: We enforce multi-factor authentication across your accounts and monitor for credential exposure on dark web and breach databases
• Software supply chain assessment: We evaluate the tools and applications your business depends on to identify exposure to compromised packages and dependencies
• Network security monitoring: We watch for C2 traffic patterns - including the blockchain-based communications GlassWorm uses - across your network perimeter
• Incident response planning: We help your business build and test response procedures so you're not scrambling if a supply chain compromise touches your environment
• Security awareness training: We educate your team on the risks of installing unverified software, extensions, and packages - the behaviors that give campaigns like GlassWorm their entry point

In 30+ years of managing IT for businesses across Sugar Land, Cypress, The Woodlands, and the greater Houston metro, we've seen supply chain threats evolve from theoretical risks to active campaigns hitting small and mid-sized businesses. The businesses that handle these situations best are the ones that have monitoring in place before the incident, not after.