GlassWorm supply-chain attack expands across GitHub, npm, and VSCode

A large-scale supply-chain attack linked to the GlassWorm campaign has compromised hundreds of packages, repositories, and extensions across the major developer platforms. Multiple security researchers report that over 400 of them were affected in the latest wave.

The campaign hit 200 Python repositories and 151 JavaScript/TypeScript repositories on GitHub, along with 72 VSCode/OpenVSX extensions and 10 npm packages. Attackers gained initial access by compromising GitHub accounts and force-pushing malicious commits into existing projects; a force-push rewrites history rather than appending a visible new commit, so the injected code can sit in what looks like long-established code.

The injected code is obfuscated, including with invisible Unicode characters that render as blank in editors and diff views, to evade review. Once installed, the malware uses the Solana blockchain as its command-and-control (C&C) channel, polling it every five seconds for instructions. The instructions are embedded in transaction memos and typically carry updated payload URLs. Because the channel is a public ledger rather than attacker-owned infrastructure, there is no C&C domain to block; the wallet address is the durable indicator.
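A way to hunt for the hidden-Unicode trick in a checked-out repository, as an added example rather than code from the reports or from the campaign itself. The page does not say which code points GlassWorm used, so the scanner below uses a general set of blank-rendering characters (zero-width characters, Hangul fillers, the Tags block, variation selectors) and reports where they occur and how long the runs are; a single stray joiner is noise, a run of dozens on one line is something to open in a hex viewer. The `SAMPLE_JS` input is constructed for the dry run.

```python
import sys
import unicodedata
from pathlib import Path
from typing import Iterator, NamedTuple

# Hunting set of code points that render as blank in most editors and diff
# views. This is a general list, not one taken from the GlassWorm reports;
# treat a hit as something to inspect, not a verdict.
INVISIBLE_CODEPOINTS = {
    0x00AD,                                  # SOFT HYPHEN
    0x115F, 0x1160, 0x3164, 0xFFA0,          # Hangul fillers (wide but blank)
    0x180E,                                  # MONGOLIAN VOWEL SEPARATOR
    0x200B, 0x200C, 0x200D,                  # zero-width space / non-joiner / joiner
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,  # word joiner and invisible operators
    0xFEFF,                                  # BOM anywhere other than offset 0
}
INVISIBLE_RANGES = (
    (0xE0000, 0xE007F),   # Tags block: one invisible code point per ASCII byte
    (0xFE00, 0xFE0F),     # variation selectors
    (0xE0100, 0xE01EF),   # variation selectors supplement
)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return cp in INVISIBLE_CODEPOINTS or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


class Finding(NamedTuple):
    line_no: int     # 1-based line
    col: int         # 1-based character offset within the line
    codepoint: str   # e.g. "U+200B"
    name: str        # Unicode character name, for the report


def scan_text(text: str) -> list[Finding]:
    """Return every invisible code point in `text` with its position."""
    if text.startswith("\ufeff"):      # a leading BOM is legitimate; skip it
        text = text[1:]
    findings: list[Finding] = []
    # Split on "\n" rather than splitlines(): splitlines() also breaks on
    # U+2028/U+2029 and similar separators that we would rather see reported.
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append(Finding(line_no, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unnamed>")))
    return findings


def longest_run(findings: list[Finding]) -> int:
    """Longest run of consecutive invisible characters on a single line."""
    best = run = 0
    prev = None
    for f in findings:
        if prev is not None and f.line_no == prev.line_no and f.col == prev.col + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = f
    return best


SOURCE_EXTS = {".js", ".mjs", ".cjs", ".ts", ".json", ".py"}


def scan_tree(root: Path) -> Iterator[tuple[Path, list[Finding]]]:
    """Yield (path, findings) for every source file under `root` that has hits."""
    for path in sorted(root.rglob("*")):
        if path.suffix in SOURCE_EXTS and path.is_file():
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                yield path, found


# Constructed sample: an ordinary-looking JS file with a hidden run of three
# zero-width characters at the end of line 2 and a Hangul filler on line 3.
SAMPLE_JS = (
    "const x = 1;\n"
    "const y = 2;" + "\u200b\u200c\u200d" + "\n"
    "function f() {}\u3164\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_tree(Path(sys.argv[1])):
            print(f"{path}: {len(found)} invisible chars, longest run {longest_run(found)}")
            for f in found[:5]:
                print(f"  {f.line_no}:{f.col} {f.codepoint} {f.name}")
    else:
        for f in scan_text(SAMPLE_JS):
            print(f"sample:{f.line_no}:{f.col} {f.codepoint} {f.name}")
```

Run it with a repository path to scan the tree, or with no argument to see the constructed sample flagged. Comparing the output of two commits is a quick way to see whether a force-push introduced hidden characters that the diff view never showed.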

The malware downloads a Node.js runtime and executes a JavaScript-based information stealer. It targets cryptocurrency wallet data, developer credentials, SSH keys, and access tokens. Persistence is achieved through files such as ~/init.json, and the downloaded runtime shows up as an unexpected Node.js installation under the user's home directory (e.g., ~/node-v22*) on infected systems.
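A host check for the artifacts the article names, added here as an example and not taken from any of the vendor reports. It looks for ~/init.json and ~/node-v22* exactly as described above; the third check, a search of user-level shell startup files for references to those paths, is my own assumption about how a runtime dropped under the home directory would be made to survive a reboot, and the page does not state that mechanism. `make_demo_home()` builds a constructed home directory so the check can be exercised without an infected host.

```python
import os
import re
import tempfile
from pathlib import Path

# Home-directory artifacts named in the article.
INIT_FILE = "init.json"
NODE_DIR_GLOB = "node-v22*"
# Assumption (not from the page): a runtime dropped under $HOME is usually
# referenced from a user-level startup file so it runs again after reboot.
STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile")
STARTUP_PATTERN = re.compile(r"init\.json|node-v22")


def find_glassworm_artifacts(home: Path) -> dict[str, list[str]]:
    """Report GlassWorm-style artifacts under one user's home directory."""
    hits: dict[str, list[str]] = {"init_json": [], "node_runtime_dirs": [], "startup_refs": []}
    init = home / INIT_FILE
    if init.is_file():
        hits["init_json"].append(str(init))
    for d in sorted(home.glob(NODE_DIR_GLOB)):
        if not d.is_dir():
            continue
        # An unpacked Node.js tarball carries bin/node; note whether it is present.
        marker = " (with bin/node)" if (d / "bin" / "node").is_file() else ""
        hits["node_runtime_dirs"].append(str(d) + marker)
    for name in STARTUP_FILES:
        rc = home / name
        if rc.is_file():
            for line_no, line in enumerate(rc.read_text(errors="replace").splitlines(), 1):
                if STARTUP_PATTERN.search(line):
                    hits["startup_refs"].append(f"{rc}:{line_no}: {line.strip()}")
    return hits


def is_suspicious(hits: dict[str, list[str]]) -> bool:
    """True if any category of artifact was found."""
    return any(hits.values())


def make_demo_home() -> Path:
    """Constructed sample home directory (not a real infection) for a dry run."""
    home = Path(tempfile.mkdtemp(prefix="glassworm-demo-"))
    (home / INIT_FILE).write_text('{"payload": "placeholder"}')
    node_bin = home / "node-v22.0.0-linux-x64" / "bin"
    node_bin.mkdir(parents=True)
    (node_bin / "node").write_bytes(b"#!/bin/sh\n")
    (home / ".bashrc").write_text("export PATH=$HOME/node-v22.0.0-linux-x64/bin:$PATH\n")
    return home


def make_clean_home() -> Path:
    """Empty temporary home directory, for a negative check."""
    return Path(tempfile.mkdtemp(prefix="clean-home-"))


if __name__ == "__main__":
    home = Path(os.environ.get("HOME", "~")).expanduser()
    hits = find_glassworm_artifacts(home)
    for category, items in hits.items():
        for item in items:
            print(f"{category}: {item}")
    print("suspicious" if is_suspicious(hits) else "no GlassWorm artifacts found")
```

On a developer workstation a Node.js runtime under the home directory is not always malicious (version managers unpack there too), so treat the node-v22* hit as a lead to confirm against the init.json file and the startup references rather than as proof on its own.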

Researchers observed around 50 blockchain transactions between November 2025 and March 2026, mainly used to update malicious payloads.

Shared infrastructure, identical payloads, and the reuse of a single Solana wallet address suggest the campaign is the work of a single threat actor, possibly Russian-speaking.