
GlassWorm malware targets OpenVSX, VS Code registries

2 unique sources, 15 articles

Summary


GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, with the latest iteration leveraging Solana dead drops for C2, a novel browser extension for surveillance, and a shift into the Model Context Protocol (MCP) ecosystem. The campaign now delivers a .NET binary that targets Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a WebSocket-based JavaScript RAT exfiltrates browser data, executes arbitrary code, and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline to perform session surveillance on cryptocurrency platforms like Bybit and harvest extensive browser data. Additionally, threat actors have begun distributing malicious payloads via npm packages impersonating the WaterCrawl MCP server, marking GlassWorm’s first confirmed incursion into the AI-assisted development ecosystem. The GlassWorm campaign remains a persistent supply chain threat impacting multiple ecosystems including npm, PyPI, GitHub, and Open VSX. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains.
The Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new large-scale social engineering campaign has emerged, using fake VS Code security alerts posted in GitHub Discussions to distribute malware. The campaign automates posts across thousands of repositories using low-activity accounts, triggering GitHub email notifications with fake vulnerability advisories containing realistic CVE references. Links in these posts redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. This operation represents a coordinated, large-scale effort targeting developers as part of the broader GlassWorm malware campaign.
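As an added defender-side example (not code from any of the vendors or sources summarised above), the scanner below looks for the two file-level artefacts this campaign relies on: runs of invisible Unicode code points hidden inside otherwise normal source, and a long Base64 literal appended to the end of a Python file as ForceMemo does. The code point ranges and the sample inputs are my own construction, not indicators from the reporting.

```python
"""Scan source files for two artefacts of the GlassWorm / ForceMemo campaign:
1. invisible Unicode code points used to hide code inside otherwise normal
   JavaScript or extension sources (zero-width and bidi controls, variation
   selectors, Hangul fillers, Unicode tag characters);
2. a long Base64-looking literal at the end of a Python file, the pattern
   ForceMemo appends to setup.py / main.py / app.py.
The samples at the bottom are constructed for this demo; nothing here is a
real payload. Added example, not code from the reporting vendors."""
from __future__ import annotations

import base64
import binascii
import re
import sys
import unicodedata
from pathlib import Path

# Code point ranges that render as nothing (or almost nothing) in editors.
# Assumption: a reasonable starting list for triage, not an exhaustive one.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero width space/non-joiner/joiner, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separator, bidi embeddings/overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x206F),    # bidi isolates and deprecated format controls
    (0x3164, 0x3164),    # Hangul filler
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero width no-break space (a leading BOM is allowed)
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)

# 200+ contiguous Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def is_invisible(code_point: int) -> bool:
    return any(lo <= code_point <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible(text: str) -> list[tuple[int, int, str]]:
    """Return (line_number, code_point, unicode_name) for every invisible
    character in text. A BOM at offset 0 is ignored as legitimate. Lines are
    split on '\\n' only, because str.splitlines() would swallow U+2028/2029."""
    if text.startswith("\ufeff"):
        text = text[1:]
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for ch in line:
            cp = ord(ch)
            if is_invisible(cp):
                hits.append((line_no, cp, unicodedata.name(ch, "UNNAMED")))
    return hits


def trailing_base64_blob(text: str, tail_lines: int = 5) -> str | None:
    """If the last few lines hold a long Base64 literal that decodes cleanly,
    return the first 60 decoded bytes (as text) so an analyst can triage it;
    otherwise return None."""
    tail = "\n".join(text.split("\n")[-tail_lines:])
    match = B64_RUN.search(tail)
    if not match:
        return None
    raw = match.group(0).rstrip("=")
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded[:60].decode("utf-8", errors="replace")


def scan_text(name: str, text: str) -> dict:
    """Scan one file's contents; the Base64 check only applies to .py files."""
    return {
        "file": name,
        "invisible": find_invisible(text),
        "trailing_base64": trailing_base64_blob(text) if name.endswith(".py") else None,
    }


def scan_path(path: Path) -> dict:
    return scan_text(str(path), path.read_text(encoding="utf-8", errors="replace"))


# --- constructed samples (not real malware) --------------------------------
# A JS line with a hidden run of Hangul filler, variation selectors and a
# zero width space after a harmless comment.
SAMPLE_JS = "const x = 1; // ok\u3164\ufe0f\ufe01\u200b\nconsole.log(x);\n"

# A setup.py with a Base64 literal appended; it decodes to a harmless string.
_BLOB = base64.b64encode(b"print('demo payload placeholder')" * 8).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='demo')\n"
    f"_ = '{_BLOB}'\n"
)

if __name__ == "__main__":
    reports = [scan_path(Path(p)) for p in sys.argv[1:]] or [
        scan_text("sample.js", SAMPLE_JS),
        scan_text("setup.py", SAMPLE_SETUP_PY),
    ]
    for report in reports:
        for line_no, cp, name in report["invisible"]:
            print(f"{report['file']}:{line_no}: U+{cp:04X} {name}")
        if report["trailing_base64"] is not None:
            print(f"{report['file']}: trailing Base64 decodes to "
                  f"{report['trailing_base64']!r}...")
```

Run it over an extension's extracted sources or a freshly pulled repository; with no arguments it scans the two constructed samples.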

Timeline

  1. 16.03.2026 21:37 3 articles · 11d ago

    GlassWorm malware campaign targets Python repositories using stolen GitHub tokens

    The GlassWorm malware campaign continues evolving with a new large-scale social engineering vector targeting developers on GitHub. Threat actors are distributing fake VS Code security alerts in GitHub Discussions to trick developers into downloading malware via realistic vulnerability advisories with fake CVE references and urgent language. The campaign uses automated posts from newly created or low-activity accounts across thousands of repositories within minutes to trigger GitHub email notifications, delivering fake VS Code extension patch links hosted on trusted services like Google Drive. These links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles victims by collecting timezone, locale, user agent, OS details, and automation indicators, and serves as a traffic distribution system to filter targets before delivering additional malicious payloads. This coordinated, large-scale operation represents a sophisticated expansion of the GlassWorm campaign beyond its traditional supply chain compromises in npm, PyPI, GitHub, and OpenVSX registries.

  2. 08.11.2025 18:17 7 articles · 4mo ago

    GlassWorm operators identified as Russian-speaking using RedExt C2 framework

    GlassWorm operators are Russian-speaking and use the RedExt open-source C2 browser extension framework. The malware has impacted systems globally, including the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security accessed the attackers' server and obtained key data on victims, including user IDs for multiple cryptocurrency exchanges and messaging platforms. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East.

    The GlassWorm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval.

    Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space.

    The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators.

    According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection.

    The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025, over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day.

    The disclosure comes as Socket flagged a new iteration of GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.
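As an added defender-side example (not from Socket, Aikido or any source cited above), the script below parses `git log` output and flags the trace a ForceMemo-style rewrite leaves behind: a rebase keeps each commit's author date but stamps a fresh committer date, so rewritten commits show a large author/committer gap and typically share one committer timestamp. The log format string, the thresholds and the sample log are my own construction.

```python
"""Triage signal for ForceMemo-style history rewrites. Replaying commits with
a rebase preserves the author date but sets the committer date to the time
of the rewrite, so re-created commits show a large author/committer gap and
usually share one committer timestamp. Feed this the output of
    git log --format='%H%x1f%at%x1f%ct%x1f%an%x1f%cn%x1f%s' -n 50 origin/main
before trusting a freshly fetched default branch. Added example; the sample
log below is constructed, not taken from any real repository."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Unit-separator delimited fields: sha, author ts, committer ts, author name,
# committer name, subject. Assumed invocation shown in the docstring.
GIT_LOG_FORMAT = "%H%x1f%at%x1f%ct%x1f%an%x1f%cn%x1f%s"


@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    committer: str
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse git log lines (newest first) into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, a_ts, c_ts, author, committer, subject = line.split("\x1f", 5)
        commits.append(Commit(sha, int(a_ts), int(c_ts), author, committer, subject))
    return commits


def find_rewrites(commits: list[Commit], lag_seconds: int = 3600,
                  batch_window: int = 120) -> list[tuple[Commit, list[str]]]:
    """Return [(commit, reasons)] for commits whose committer date is more
    than lag_seconds after the author date. Extra evidence is attached when
    several flagged commits were re-committed within batch_window seconds of
    each other, or when the committer identity differs from the author.
    Caveat: squash and rebase merges made through the GitHub web UI leave the
    same gap (with committer 'GitHub'), so treat hits as a triage list."""
    flagged = []
    for c in commits:
        gap = c.committer_ts - c.author_ts
        if gap <= lag_seconds:
            continue
        reasons = [f"committer date is {gap // 3600}h after author date"]
        batch = [d for d in commits
                 if d is not c and abs(d.committer_ts - c.committer_ts) <= batch_window]
        if batch:
            reasons.append(f"re-committed in the same batch as {len(batch)} other commit(s)")
        if c.committer != c.author:
            reasons.append(f"committer {c.committer!r} differs from author {c.author!r}")
        flagged.append((c, reasons))
    return flagged


# --- constructed sample log: three rewritten commits on top of two clean ones
SAMPLE_LOG = "\n".join([
    "1" * 40 + "\x1f1772900000\x1f1773100800\x1fAlice Dev\x1fAlice Dev\x1fAdd Streamlit dashboard",
    "2" * 40 + "\x1f1772800000\x1f1773100800\x1fAlice Dev\x1fAlice Dev\x1fBump dependencies",
    "3" * 40 + "\x1f1772700000\x1f1773100801\x1fAlice Dev\x1funknown\x1fFix setup.py metadata",
    "4" * 40 + "\x1f1772600000\x1f1772600000\x1fAlice Dev\x1fAlice Dev\x1fInitial README",
    "5" * 40 + "\x1f1772500000\x1f1772500030\x1fBob Dev\x1fBob Dev\x1fInitial commit",
])


def report(text: str) -> list[str]:
    """Human-readable lines, one per flagged commit."""
    lines = []
    for c, reasons in find_rewrites(parse_log(text)):
        lines.append(f"{c.sha[:12]} {c.subject!r}: " + "; ".join(reasons))
    return lines


if __name__ == "__main__":
    # Pipe real `git log` output on stdin, or run without input for the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(source)) or "no rewrite indicators found")
```

A commit that legitimately sat in a long-lived branch before a rebase-merge will also show a gap, so pair the output with `git fetch` reporting a forced update on the default branch before escalating.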

  3. 02.11.2025 17:09 5 articles · 4mo ago

    GlassWorm threat actors pivot to GitHub using Unicode steganography

    The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,400 downloads), adhamu.history-in-sublime-merge (4,000 downloads), and yasuyuky.transient-emacs (2,400 downloads).

  4. 31.10.2025 10:02 6 articles · 4mo ago

    Eclipse Foundation revokes leaked tokens and introduces security measures

    Open VSX has implemented additional security measures, including shortening token lifetimes, faster revocation workflows, automated security scans, and threat intelligence sharing.

  5. 20.10.2025 19:13 13 articles · 5mo ago

    GlassWorm malware campaign targets OpenVSX and VS Code registries

    The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories, enabling the supply chain attack. The leak was discovered by Wiz researchers two weeks ago, exposing over 550 secrets across Microsoft VSCode and Open VSX marketplaces. Some leaked tokens could give access to projects with 150,000 downloads, allowing threat actors to upload malicious versions of extensions. The Open VSX team and the Eclipse Foundation clarified that GlassWorm was not self-replicating but targeted developer credentials. The reported download count of 35,800 includes inflated downloads generated by bots and visibility-boosting tactics. The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads), and yasuyuky.transient-emacs (2,431 downloads). The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The Glassworm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. 
The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. 
The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. 
The versions of the affected extensions currently on the marketplace are clean, but developers who installed the malicious releases should perform a full system clean-up and rotate all secrets and passwords. The GlassWorm campaign now abuses the extensionPack and extensionDependencies manifest fields: an extension that looks standalone when first installed becomes, in a later update, a transitive delivery vehicle that pulls in further extensions carrying the payload. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also reaches 151 GitHub repositories and two npm packages that use the same invisible-Unicode technique, and 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) so that the malicious code can be changed on the fly. GitHub tokens stolen by GlassWorm are in turn fuelling an ongoing attack that injects malware into hundreds of Python repositories. It targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files such as setup.py, main.py, and app.py; the earliest injections date to March 8, 2026. After gaining access to a developer account, the attackers rebase the latest legitimate commit on the repository's default branch with the malicious code and force-push the result, keeping the original commit message, author, and author date intact. This offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload appended to the end of the Python file carries GlassWorm-like checks for a Russian system locale and skips execution if one is found. In all other cases, the malware queries the transaction memo field of a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL.
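The extensionPack / extensionDependencies abuse described above is a manifest-level problem, so it can be audited at the manifest level: diff what two versions of an extension pull in transitively and flag anything new that comes from a different publisher. The audit below is an added example written for this page, not code from the GlassWorm reports or from Open VSX. The two manifest keys are the real VS Code package.json fields; every publisher, extension ID and manifest in the snapshot is constructed for the demo.

```python
"""Audit VS Code / Open VSX extension manifests for transitive payload delivery.

Added example, not code from the GlassWorm reports or from Open VSX. It shows
the check a reviewer would run on an extension's package.json: which extension
IDs get installed via the real manifest keys `extensionPack` and
`extensionDependencies`, how that set changed between two versions of the same
extension, and which entries come from a different publisher than the one the
user chose to install. Every manifest, publisher and extension ID below is
constructed for the demo.
"""
import json

DEP_FIELDS = ("extensionPack", "extensionDependencies")

def load_manifest(path):
    """Read a package.json (e.g. extracted from a .vsix under extension/)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def direct_deps(manifest):
    """Extension IDs ('publisher.name') this manifest pulls in directly."""
    deps = set()
    for key in DEP_FIELDS:
        deps.update(manifest.get(key, []))
    return deps

def resolve_transitive(root_id, manifests):
    """Every extension installed as a consequence of installing root_id.

    `manifests` maps extension ID -> parsed package.json for the registry
    snapshot we have. IDs missing from the snapshot are still returned (the
    editor would fetch them) but cannot be expanded further. The `seen` set
    also guards against dependency cycles.
    """
    seen, stack = set(), [root_id]
    while stack:
        ext_id = stack.pop()
        if ext_id in seen:
            continue
        seen.add(ext_id)
        stack.extend(direct_deps(manifests.get(ext_id, {})))
    seen.discard(root_id)
    return seen

def publisher_of(ext_id):
    return ext_id.split(".", 1)[0].lower()

def audit_update(root_id, old_manifest, new_manifest, manifests):
    """Compare what two versions of root_id drag in; flag new cross-publisher
    or unknown entries, i.e. the 'standalone extension turns into a delivery
    vehicle on update' pattern."""
    before = resolve_transitive(root_id, {**manifests, root_id: old_manifest})
    after = resolve_transitive(root_id, {**manifests, root_id: new_manifest})
    added = sorted(after - before)
    return {
        "added": added,
        "foreign_publisher": [d for d in added if publisher_of(d) != publisher_of(root_id)],
        "unknown_to_snapshot": [d for d in added if d not in manifests],
    }

# Constructed registry snapshot: version 1.0.1 of acme.i18n-helper quietly
# adds an extensionPack entry, and that pack member in turn declares an
# extensionDependency, so two third-party extensions arrive on update.
ROOT_ID = "acme.i18n-helper"
V1 = {"name": "i18n-helper", "publisher": "acme", "version": "1.0.0"}
V2 = {"name": "i18n-helper", "publisher": "acme", "version": "1.0.1",
      "extensionPack": ["acme.i18n-themes", "zzz-utils.format-bridge"]}
SNAPSHOT = {
    "acme.i18n-themes": {"name": "i18n-themes", "publisher": "acme"},
    "zzz-utils.format-bridge": {"name": "format-bridge", "publisher": "zzz-utils",
                                "extensionDependencies": ["zzz-utils.runtime-core"]},
    "zzz-utils.runtime-core": {"name": "runtime-core", "publisher": "zzz-utils"},
}

def demo():
    return audit_update(ROOT_ID, V1, V2, SNAPSHOT)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of diffing against the previously installed version, rather than inspecting a single manifest, is that the abuse only appears at update time; a fresh review of version 1.0.0 would have passed. In an organization that pins extensions, the same function can gate auto-updates: any non-empty `foreign_publisher` or `unknown_to_snapshot` list blocks the update until someone has looked at the newly introduced extensions.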
The earliest transaction on the C2 address dates to November 27, 2025, over three months before the first GitHub repository injections on March 8, 2026. The address has 50 transactions in total, with the attacker regularly updating the payload URL, sometimes several times a day. The disclosure coincides with Socket flagging a new iteration of GlassWorm that retains the same core tradecraft while improving survivability and evasion through the extensionPack and extensionDependencies transitive distribution model. Aikido Security has also attributed to the GlassWorm author a mass campaign that compromised more than 151 GitHub repositories with code concealed using invisible Unicode characters; the decoded payload fetches C2 instructions from the same Solana wallet, indicating that the actor has been targeting GitHub repositories in multiple waves. Different delivery and obfuscation methods on top of the same Solana infrastructure suggest that ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has expanded from compromising VS Code extensions to broader GitHub account takeover. The injection works by force-pushing to the default branch of a compromised repository: the rewritten history preserves the original commit message and author, so there is no pull request and no separate injection commit to spot in GitHub's UI. No other documented supply chain campaign is known to use this injection method.
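Because the rewritten commit keeps the author and author date but necessarily gets a fresh committer date, the ForceMemo technique leaves a metadata trace that `git log` exposes, and the appended payload is a Base64 literal handed to exec() in the last lines of a file. The checks below are an added example written for this page, not code from the ForceMemo or GlassWorm reports. The git log lines and the setup.py are constructed, and the exec(__import__('base64').b64decode(...)) wrapper is an assumed shape for an appended payload, not the campaign's exact code.

```python
"""Two ForceMemo-style indicators, as an added example (not code from the
reports): (1) commits whose committer date is far newer than the author date,
which is what amending/rebasing a commit and force-pushing leaves behind when
author, date and message are preserved; (2) a Base64 blob fed to exec() in the
last lines of a Python file. The git log lines and the setup.py below are
constructed, and the exec(__import__('base64').b64decode(...)) wrapper is an
assumed shape for an appended payload, not the campaign's exact code.
"""
import base64
import re

# A committer date more than this many seconds after the author date is flagged.
REWRITE_THRESHOLD = 24 * 3600

def parse_git_log(text):
    """Parse output of: git log --format='%H%x09%an%x09%at%x09%cn%x09%ct%x09%s'"""
    commits = []
    for line in text.strip().splitlines():
        h, an, at, cn, ct, subject = line.split("\t", 5)
        commits.append({"hash": h, "author": an, "author_ts": int(at),
                        "committer": cn, "committer_ts": int(ct), "subject": subject})
    return commits

def suspicious_rewrites(commits, threshold=REWRITE_THRESHOLD):
    """Commits whose metadata looks rewritten: old author date, fresh committer date."""
    return [c for c in commits if c["committer_ts"] - c["author_ts"] > threshold]

B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{100,}")
EXEC_DECODE = re.compile(r"exec\s*\(.*?b64decode", re.S)

def trailing_payload(source, tail_lines=10):
    """Look at the last `tail_lines` of a Python source for exec()+b64decode
    with a long Base64 literal; return details of the first hit or None."""
    lines = source.rstrip("\n").splitlines()
    tail = lines[-tail_lines:]
    if not EXEC_DECODE.search("\n".join(tail)):
        return None
    start = len(lines) - len(tail)
    for i, ln in enumerate(tail):
        m = B64_BLOB.search(ln)
        if not m:
            continue
        try:  # decode only to show the analyst what the blob is; never exec it
            preview = base64.b64decode(m.group(), validate=True).decode("utf-8", "replace")[:60]
        except ValueError:  # binascii.Error is a ValueError subclass
            preview = None
        return {"line": start + i + 1, "blob_len": len(m.group()), "decoded_preview": preview}
    return None

# Constructed git log: the top commit keeps Maria's Jan 1 author date but was
# committed on Mar 11, the signature of an amended-and-force-pushed commit.
SAMPLE_GIT_LOG = (
    "2222222222222222222222222222222222222222\tMaria Dev\t1767225600\tMaria Dev\t1773187200\tBump version to 0.4.2\n"
    "1111111111111111111111111111111111111111\tMaria Dev\t1764633600\tMaria Dev\t1764633600\tAdd retry to API client\n"
    "3333333333333333333333333333333333333333\tMaria Dev\t1764547200\tMaria Dev\t1764547200\tInitial commit\n"
)

# Constructed setup.py with a harmless stand-in payload appended at the end.
INNER = ("import os\n"
         "# constructed stand-in for an injected stage-two loader; does nothing\n"
         "print('stage two would run here')\n")
PAYLOAD_B64 = base64.b64encode(INNER.encode()).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='example-pkg', version='0.4.2', packages=['example_pkg'])\n"
    "\n"
    f"exec(__import__('base64').b64decode('{PAYLOAD_B64}'))\n"
)

def demo():
    rewrites = suspicious_rewrites(parse_git_log(SAMPLE_GIT_LOG))
    return [c["hash"] for c in rewrites], trailing_payload(SAMPLE_SETUP_PY)

if __name__ == "__main__":
    hashes, hit = demo()
    print("rewritten-looking commits:", hashes)
    print("trailing payload:", hit)
```

The date drift is a triage signal, not proof: legitimate rebases, cherry-picks and web-UI squash merges produce the same author/committer gap. What turns it into evidence is corroboration, for example a CI runner or developer clone whose reflog still holds the pre-push tip of the default branch, or the tip hash of the branch having changed on a day with no new commit subjects. Conversely, a clean `trailing_payload` result on the current tip says nothing about whether an earlier malicious revision was already built and published, which is why the remediation above is to rotate secrets, not just to reset the branch.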

Similar Happenings

Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign

A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

The TeamPCP threat group has expanded its supply chain campaign to compromise the popular LiteLLM Python package on PyPI, publishing malicious versions 1.82.7 and 1.82.8 that deploy the TeamPCP Cloud Stealer infostealer. The attack follows the group’s recent compromise of the Trivy vulnerability scanner and impacts organizations using the library’s LLM gateway functionality. The malicious payload executes upon package import, harvesting extensive credentials (SSH keys, cloud tokens, Kubernetes secrets, cryptocurrency wallets, and .env files) and attempting lateral movement via privileged Kubernetes pod deployment. Persistence is achieved through a disguised systemd service that contacts attacker infrastructure at checkmarx.zone. Exfiltrated data is encrypted and sent to models.litellm.cloud. Both malicious versions have been removed from PyPI, with version 1.82.6 now the latest clean release. TeamPCP’s campaign now spans CI/CD pipelines (Trivy, Checkmarx KICS), container registries (Aqua Security Docker Hub images), and LLM integration tools (LiteLLM), demonstrating industrialized supply chain exploitation with reused tooling and infrastructure. The group claims approximately 500,000 devices were compromised during the LiteLLM attack, though this figure remains unconfirmed. The broader incident highlights persistent risks in supply chain security where compromised security tools enable rapid worm propagation and cascading compromises across cloud-native environments. Key milestones include the initial Trivy compromise on March 19, 2026, the deployment of CanisterWorm and wiper attacks targeting Iran or Farsi-locale systems over March 21–22, 2026, and the expansion to additional targets such as LiteLLM. Security advisories emphasize the critical need for organizations to rotate all exposed credentials and inspect Kubernetes clusters for unauthorized pods, as cascading compromises often stem from unrotated secrets and tokens.

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

TeamPCP has escalated its multi-vector CanisterWorm campaign into a broader geopolitically targeted operation, now compromising trusted PyPI packages to deliver credential-stealing malware with automated execution mechanisms. The group has targeted the LiteLLM and Telnyx Python packages (versions 1.82.7, 1.82.8, 4.87.1, and 4.87.2), embedding malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files before exfiltrating data to attacker-controlled infrastructure and establishing persistent backdoors. The campaign began as a supply-chain attack involving 47 compromised npm packages and the @teale.io/eslint-config variant, leveraging ICP canisters for decentralized C2 and persistence via masqueraded systemd services. It escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and deployment of an infostealer, then pivoted to targeting CI/CD pipelines directly via GitHub Actions workflows (e.g., Checkmarx, Trivy) using stolen credentials. TeamPCP now compromises GitHub Actions workflows and Open VSX extensions to deploy the TeamPCP Cloud stealer, while refining destructive payloads targeting Iranian systems in Kubernetes environments with time-zone/locale-based wipers. Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply chain attack methodology, with evidence suggesting collaboration with the Vectr ransomware group for follow-on ransomware operations.

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials

The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.