
Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub


A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day.

By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, the attackers have turned routine development workflows into entry points for data theft, credential harvesting, and persistent system access.

The campaign first surfaced in October 2025, when malicious Visual Studio Code and OpenVSX extensions appeared on developer marketplaces.

In the first wave alone, roughly 35,800 developers were reportedly infected. Since then, Glassworm has grown steadily, expanding into Python repositories on GitHub, npm packages in the React Native ecosystem, and AI-related development tooling.

Analysts at CrowdStrike and other security firms have flagged the growing scale and sophistication of this campaign. The malware operates in multiple stages, moving from a loader to credential theft and then to a persistent backdoor that lets the attacker maintain access long after the initial infection.

What makes Glassworm especially alarming is who it targets. Developers often keep cloud credentials, SSH keys, API tokens, and cryptocurrency wallets stored locally on their machines.

A single compromised workstation can expose an entire organization’s infrastructure and trigger downstream attacks across dozens of connected repositories.

[Figure: Infection cycle (Source – CrowdStrike)]

The attack chain begins quietly. A developer installs what looks like a trusted extension or package, and the malware activates in the background. It harvests secrets and passes stolen credentials to attacker-controlled servers, often before anyone realizes something is wrong.

According to CrowdStrike’s report shared with Cyber Security News (CSN), Sonatype Security Research identified two hijacked React Native npm packages that together received over 30,000 downloads per week, both modified to deliver multi-stage malware tied to this same campaign.

Developer-Targeting Glassworm Malware

Glassworm delivers its payload through several channels. Malicious VS Code and Cursor extensions serve as the primary entry point, with some legitimate publisher accounts being compromised to push malicious updates.

This approach let attackers reach thousands of users without raising immediate suspicion from the platforms.

Once on a developer’s machine, Glassworm steals GitHub tokens from multiple sources, including VS Code storage, the git credentials file, and local environment variables.

The attacker then uses those tokens to force-push malware into every repository linked to the victim’s account.

The injection preserves the original commit author and date, making it look like nothing in the project history has changed.

At the same time, two widely used npm packages in the React Native ecosystem, which together saw over 30,000 weekly downloads, were found hijacked and modified to run a malicious install script.

[Figure: C2 infrastructure and disruption (Source – CrowdStrike)]

That script would check whether the system was set to a Russian locale and skip execution if so, a tactic commonly used to avoid attracting attention from law enforcement in certain regions.

The malware uses the Solana blockchain as its command-and-control channel. Instead of connecting to a server that could be taken offline, it reads instructions from transaction memos attached to a specific Solana wallet.

The attacker can update payload locations at any time by posting a new transaction, and those instructions cannot be deleted or censored once recorded on-chain.

Stealth Techniques and What Gets Stolen

Glassworm goes to considerable lengths to stay hidden. One method involves invisible Unicode characters embedded in source code.

These characters render as blank whitespace in editors and GitHub’s code review interface, making the hidden payload effectively invisible to anyone reading the code normally.
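The zero-width trick described above is easy to check for mechanically, because the characters that render as blank whitespace fall into a small, well-known set. The following scanner is an added example for this article, not CrowdStrike's or Sonatype's tooling: it walks a source tree, reports every invisible code point with its file, line and column, and also flags the Base64 variable name listed in the IoC table below as the fingerprint of the compromised Python repositories. The list of invisible characters is an assumption drawn from common defensive practice; the sample input is constructed.

```python
"""Scan source files for invisible Unicode code points and the Glassworm
fingerprint variable name. Added example, not CrowdStrike's or Sonatype's code.
The INVISIBLE set is an assumed defensive list; MARKER comes from the IoC table."""
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing in most editors and diff views.
INVISIBLE = {
    0x200B, 0x200C, 0x200D, 0x200E, 0x200F,   # zero-width space/joiners, bidi marks
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,   # word joiner, invisible operators
    0x2066, 0x2067, 0x2068, 0x2069,           # bidi isolates
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # bidi embeddings/overrides
    0x00AD, 0xFEFF, 0x3164, 0x115F, 0x1160,   # soft hyphen, BOM, Hangul fillers
}
INVISIBLE |= set(range(0xFE00, 0xFE10))       # variation selectors
INVISIBLE |= set(range(0xE0000, 0xE0080))     # Unicode "tag" characters
INVISIBLE |= set(range(0xE0100, 0xE01F0))     # variation selector supplement

MARKER = "lzcdrtfxyqiplpd"  # Base64 payload variable name from the IoC table

def is_invisible(ch: str) -> bool:
    """True for characters that an editor or GitHub's review UI shows as blank."""
    cp = ord(ch)
    # Category Cf (format) covers most zero-width controls; the explicit set adds
    # characters such as Hangul fillers that are not Cf but still render empty.
    return cp in INVISIBLE or unicodedata.category(ch) == "Cf"

def scan_text(text: str, name: str = "<memory>") -> list:
    """Return findings as (name, line_no, col, kind, detail) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((name, line_no, col, "invisible-char", f"U+{ord(ch):04X}"))
        if MARKER in line:
            findings.append((name, line_no, line.index(MARKER) + 1, "glassworm-marker", MARKER))
    return findings

def scan_path(root: Path, suffixes=(".py", ".js", ".ts", ".json", ".md")) -> list:
    """Scan every file under root whose suffix is in suffixes."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample: a clean line, a line with three zero-width characters
# appended after a literal, and a line using the fingerprint variable name.
SAMPLE = (
    "def helper():\n"
    "    return 1\u200b\u200c\u200d  # zero-width chars follow the literal\n"
    "lzcdrtfxyqiplpd = 'QUJD'\n"
)

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_path(target) if target else scan_text(SAMPLE, "sample.py")
    for name, ln, col, kind, detail in results:
        print(f"{name}:{ln}:{col}: {kind} {detail}")
```

Run it with a directory argument to scan a checkout (for example a pre-commit or CI step), or with no argument to see the findings on the constructed sample. Legitimate code rarely needs format-category characters outside string literals, so treating every hit as review-worthy keeps the noise low.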

The multi-stage payload further complicates detection. The first stage is a loader, the second steals credentials and cryptocurrency wallet data, and the third deploys a persistent backdoor using WebSockets.

A malicious Chrome extension is also installed to capture browser session data. The final payload is encrypted with AES and the decryption key is only sent via server response headers, making static analysis close to impossible.

Security teams should audit all installed VS Code extensions and remove anything unrecognized. Developers are advised to rotate GitHub tokens and cloud credentials on any system that may have been exposed. Enabling multi-factor authentication across all developer platforms is essential.

Organizations should also watch for outbound connections to Solana RPC endpoints or unknown IP addresses, as this kind of traffic has no place in a normal development pipeline.

Indicators of Compromise (IoCs)

Type | Indicator | Description
Solana Wallet (C2) | BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC | Primary Solana blockchain C2 address used to receive payload instructions via transaction memos
Solana Wallet (Funding) | G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t | Funding wallet that seeded the C2 address; holds approximately 495 SOL
IP Address | 45[.]32[.]151[.]157 | C2 payload server, active December 2025 (Vultr hosting range)
IP Address | 45[.]32[.]150[.]97 | C2 payload server, active February 2026 (Vultr hosting range)
IP Address | 217[.]69[.]11[.]57 | C2 payload server, active February 2026 (Russian hosting range)
IP Address | 217[.]69[.]11[.]99 | C2 payload server, active February–March 2026; C2 server on port 5000, DHT on port 10000
IP Address | 217[.]69[.]0[.]159 | C2 payload server, active March 2026 (confirmed by live monitoring)
IP Address | 45[.]76[.]44[.]240 | C2 payload server, active March 2026 (Vultr hosting range)
File | ~/init.json | Persistence file created by the malware to prevent repeated execution within two days
File | i.js | JavaScript payload file written to the script directory during execution
File | /tmp/ijewf | Temporary file artifact dropped during infection
File | /tmp/out.zip | Temporary archive artifact dropped during infection
Code Marker | lzcdrtfxyqiplpd | Base64 payload variable name used as a fingerprint across all compromised Python repos
XOR Key | 134 | XOR decryption key used in the three-layer obfuscation scheme
Malicious Package | react-native-country-select v0.3.91 | Hijacked React Native npm package delivering multi-stage malware (~20,000 weekly downloads)
Malicious Package | react-native-international-phone-number v0.11.8 | Hijacked React Native npm package delivering multi-stage malware (~10,000 weekly downloads)
Malicious Extension | quartz.quartz-markdown-editor | Abused OpenVSX extension identified in the Glassworm campaign
Malicious Extension | oorzc.ssh-tools | Abused OpenVSX extension identified in the Glassworm campaign
Malicious Extension | oorzc.i18n-tools-plus | Abused OpenVSX extension identified in the Glassworm campaign
Malicious Extension | oorzc.mind-map | Abused OpenVSX extension identified in the Glassworm campaign
Malicious Extension | oorzc.scss-to-css-compile | Abused OpenVSX extension identified in the Glassworm campaign
Malicious Package | @iflow-mcp/watercrawl-watercrawl-mcp | Malicious npm MCP-style package linked to the Glassworm campaign
Malicious Package | @aifabrix/miso-client | Malicious npm MCP-style package linked to the Glassworm campaign

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
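The recommendations above (audit extensions, check for hijacked package versions, watch for Solana RPC and unknown outbound traffic) and the IoC table can be turned into a single host triage check. The script below is an added example written for this article, not CrowdStrike's or Sonatype's tooling. It takes a per-host inventory (installed extension ids, npm package versions, file paths and proxy log lines) and reports every match against the table. The inventory layout is an assumption; collect those fields however your EDR or asset tooling exposes them. IP indicators are kept defanged and log addresses are defanged before comparison, so the script never holds a resolvable address. The Solana host pattern is an assumption as well: it flags any `*.solana.com` hostname for review, since the article names Solana RPC traffic as out of place in a build pipeline. The sample inventory is constructed.

```python
"""Match a workstation inventory against the Glassworm IoCs from this article.
Added example, not CrowdStrike's or Sonatype's code. The inventory layout and the
Solana host pattern are assumptions; indicator values are copied from the table."""
import re

IOC_EXTENSIONS = {
    "quartz.quartz-markdown-editor",
    "oorzc.ssh-tools", "oorzc.i18n-tools-plus", "oorzc.mind-map",
    "oorzc.scss-to-css-compile",
}
# None means every version is suspect (the package itself is malicious).
IOC_PACKAGES = {
    "react-native-country-select": {"0.3.91"},
    "react-native-international-phone-number": {"0.11.8"},
    "@iflow-mcp/watercrawl-watercrawl-mcp": None,
    "@aifabrix/miso-client": None,
}
IOC_IPS = {
    "45[.]32[.]151[.]157", "45[.]32[.]150[.]97", "217[.]69[.]11[.]57",
    "217[.]69[.]11[.]99", "217[.]69[.]0[.]159", "45[.]76[.]44[.]240",
}
IOC_FILES = {"~/init.json", "/tmp/ijewf", "/tmp/out.zip"}
IOC_FILE_NAMES = {"i.js"}  # written to the script directory; exact path varies

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumption: any host under solana.com is RPC traffic worth a second look.
SOLANA_HOST_RE = re.compile(r"\b[\w.-]*solana\.com\b", re.IGNORECASE)

def defang(ip: str) -> str:
    """Render a dotted-quad in the same [.] form the IoC table uses."""
    return ip.replace(".", "[.]")

def triage(inventory: dict) -> list:
    """Return (category, indicator, context) findings for one host."""
    findings = []
    home = inventory.get("home", "~")
    ioc_paths = {p.replace("~", home, 1) for p in IOC_FILES}

    for ext in inventory.get("extensions", []):
        if ext.lower() in IOC_EXTENSIONS:
            findings.append(("extension", ext, "listed in Glassworm IoCs"))

    for name, version in inventory.get("npm_packages", {}).items():
        if name in IOC_PACKAGES:
            bad = IOC_PACKAGES[name]
            if bad is None or version in bad:
                findings.append(("package", f"{name}@{version}", "hijacked/malicious package"))

    for path in inventory.get("files", []):
        if path in ioc_paths or path.rsplit("/", 1)[-1] in IOC_FILE_NAMES:
            findings.append(("file", path, "Glassworm artifact"))

    for line in inventory.get("proxy_log", []):
        for ip in IP_RE.findall(line):
            if defang(ip) in IOC_IPS:
                findings.append(("network", defang(ip), line.strip()))
        for host in SOLANA_HOST_RE.findall(line):
            findings.append(("network", host, "Solana RPC traffic from a developer host"))
    return findings

# Constructed sample inventory: one hit per category plus benign entries.
# 203.0.113.10 is a documentation address, not a real destination.
SAMPLE_INVENTORY = {
    "home": "/home/dev",
    "extensions": ["ms-python.python", "oorzc.ssh-tools"],
    "npm_packages": {
        "react": "18.3.1",
        "react-native-country-select": "0.3.91",
        "react-native-international-phone-number": "0.10.0",  # not the hijacked version
    },
    "files": ["/home/dev/init.json", "/home/dev/.npm/_cacache/index.json", "/tmp/out.zip"],
    "proxy_log": [
        "2026-03-02T10:14:07Z dev-ws-12 CONNECT 217.69.11.99:5000 bytes=4096",
        "2026-03-02T10:14:09Z dev-ws-12 CONNECT 203.0.113.10:443 bytes=812",
        "2026-03-02T10:14:11Z dev-ws-12 CONNECT api.mainnet-beta.solana.com:443 bytes=2210",
    ],
}

if __name__ == "__main__":
    for category, indicator, context in triage(SAMPLE_INVENTORY):
        print(f"[{category}] {indicator}  <- {context}")
```

A hit in the extension, package or file categories is a strong signal and should trigger the credential rotation the article recommends; the Solana match is deliberately a review item rather than a verdict, because the page only says such traffic is unusual in a development pipeline.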

The post Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub appeared first on Cyber Security News.

Source: cybersecuritynews.com
