CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

GlassWorm malware targets OpenVSX, VS Code registries

First reported
Last updated
2 unique sources, 13 articles

Summary

Hide ▲

The GlassWorm malware campaign has resurfaced with a significant escalation, adding at least 72 new malicious Open VSX extensions since January 31, 2026. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors have pivoted to GitHub and now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks like Flutter, Vim, Yaml, Tailwind, Svelte, React Native, and Vue. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

Timeline

  1. 16.03.2026 21:37 1 articles · 23h ago

    GlassWorm malware campaign targets Python repositories using stolen GitHub tokens

    The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  2. 08.11.2025 18:17 7 articles · 4mo ago

    GlassWorm operators identified as Russian-speaking using RedExt C2 framework

    GlassWorm operators are Russian-speaking and use the RedExt open-source C2 browser extension framework. The malware has impacted systems globally, including the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security accessed the attackers' server and obtained key data on victims, including user IDs for multiple cryptocurrency exchanges and messaging platforms. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The Glassworm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  3. 02.11.2025 17:09 5 articles · 4mo ago

    GlassWorm threat actors pivot to GitHub using Unicode steganography

    The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,400 downloads), adhamu.history-in-sublime-merge (4,000 downloads), and yasuyuky.transient-emacs (2,400 downloads). The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  4. 31.10.2025 10:02 6 articles · 4mo ago

    Eclipse Foundation revokes leaked tokens and introduces security measures

    Open VSX has implemented additional security measures, including shortening token lifetimes, faster revocation workflows, automated security scans, and threat intelligence sharing. The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab
  5. 20.10.2025 19:13 13 articles · 4mo ago

    GlassWorm malware campaign targets OpenVSX and VS Code registries

    The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories, enabling the supply chain attack. The leak was discovered by Wiz researchers two weeks ago, exposing over 550 secrets across Microsoft VSCode and Open VSX marketplaces. Some leaked tokens could give access to projects with 150,000 downloads, allowing threat actors to upload malicious versions of extensions. The Open VSX team and the Eclipse Foundation clarified that GlassWorm was not self-replicating but targeted developer credentials. The reported download count of 35,800 includes inflated downloads generated by bots and visibility-boosting tactics. The threat actors behind GlassWorm have moved to GitHub, using the same Unicode steganography trick to hide their malicious payload in multiple repositories, primarily focused on JavaScript projects. GlassWorm has returned with three new VSCode extensions on OpenVSX, downloaded over 10,000 times. The new extensions are ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057 downloads), and yasuyuky.transient-emacs (2,431 downloads). The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The Glassworm campaign is now in its third wave, with 24 new packages added on OpenVSX and Microsoft Visual Studio Marketplace. The malware now uses Rust-based implants and continues to employ invisible Unicode characters to hide malicious code. The packages target popular developer tools and frameworks, and the campaign uses artificially inflated download counts to manipulate search results. The third wave includes specific packages on both marketplaces, indicating a broad targeting scope. The new iteration of GlassWorm uses Rust-based implants packaged inside the extensions, targeting Windows and macOS systems. The implants fetch C2 server details from a Solana blockchain wallet address and use Google Calendar as a backup for C2 address retrieval. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space. The latest development involves the compromise of a legitimate developer's resources to push malicious updates to downstream users, with the malicious extensions having previously been presented as legitimate developer utilities and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases. A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems. The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times. GlassWorm attacks first appeared in late October, hiding the malicious code using "invisible" Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying. Over time and across multiple attack waves, GlassWorm impacted both Microsoft's official Visual Studio Code marketplace and its open-source alternative for unsupported IDEs, OpenVSX. In a previous campaign, GlassWorm showed signs of evolution, targeting macOS systems, and its developers were working to add a replacement mechanism for the Trezor and Ledger apps. A new report from Socket's security team describes a new campaign that relied on trojanizing the following extensions: oorzc.ssh-tools v0.5.1, oorzc.i18n-tools-plus v1.6.8, oorzc.mind-map v1.0.61, oorzc.scss-to-css-compile v1.3.4. The malicious updates were pushed on January 30, and Socket reports that the extensions had been innocuous for two years. This suggests that the oorzc account was most likely compromised by GlassWorm operators. According to the researchers, the campaign targets macOS systems exclusively, pulling instructions from Solana transaction memos. Notably, Russian-locale systems are excluded, which may hint at the origin of the attacker. GlassWorm loads a macOS information stealer that establishes persistence on infected systems via a LaunchAgent, enabling execution at login. It harvests browser data across Firefox and Chromium, wallet extensions and wallet apps, macOS keychain data, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem, and exfiltrates everything to the attacker's infrastructure at 45.32.150[.]251. Socket reported the packages to the Eclipse Foundation, the operator of the Open VSX platform, and the security team confirmed unauthorized publishing access, revoked tokens, and removed the malicious releases. The only exception is oorzc.ssh-tools, which was removed completely from Open VSX due to discovering multiple malicious releases. Currently, versions of the affected extensions on the market are clean, but developers who downloaded the malicious releases should perform a full system clean-up and rotate all their secrets and passwords. The GlassWorm campaign now abuses extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates. The new extensions mimic widely used developer utilities and feature heavier obfuscation and Solana wallet rotation to evade detection. The campaign also affects 151 GitHub repositories and two npm packages using the same Unicode technique. Additionally, 88 new malicious npm packages were uploaded in three waves between November 2025 and February 2026, using Remote Dynamic Dependencies (RDD) to modify malicious code on the fly. The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. The attack targets Python projects including Django apps, ML research code, Streamlit dashboards, and PyPI packages by appending obfuscated code to files like setup.py, main.py, and app.py. The earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-push the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet ("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC") previously linked to GlassWorm to extract the payload URL. The earliest transaction on the C2 address dates to November 27, 2025 -- over three months before the first GitHub repo injections on March 8, 2026. The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day. The disclosure comes as Socket flagged a new iteration of the GlassWorm that technically retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. The decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover. The attacker injects malware by force-pushing to the default branch of compromised repositories. This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub's UI. No other documented supply chain campaign uses this injection method.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

Open in new tab

PromptSpy Android Malware Uses Gemini AI for Persistence

PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. Researchers have discovered that PromptSpy was first found in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.

Open in new tab

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

Open in new tab

SSHStalker Linux Botnet Uses IRC for C2 Communications

A new Linux botnet named SSHStalker has been documented, utilizing the outdated IRC protocol for command-and-control (C2) operations. The botnet employs classic IRC mechanics, including multiple C-based bots and multi-server/channel redundancy, prioritizing resilience and scale over stealth. It achieves initial access through automated SSH scanning and brute-forcing, using a Go binary disguised as nmap. Once infected, hosts are used to scan for additional SSH targets, and the botnet includes exploits for 16 CVEs targeting older Linux kernel versions. The botnet also performs AWS key harvesting, website scanning, and includes cryptomining kits and DDoS capabilities. Notably, SSHStalker maintains persistent access without immediate follow-on post-exploitation behavior, suggesting it may be used for staging, testing, or strategic access retention. The threat actor is suspected to be of Romanian origin, with operational overlaps with the hacking group Outlaw (aka Dota).

Open in new tab

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required. China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent. OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint. Prompt injections in OpenClaw can cause the agent to leak sensitive information if tricked into accessing and consuming malicious content. Indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis to run manipulated instructions. Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw. OpenClaw may inadvertently and irrevocably delete critical information due to its misinterpretation of user instructions. Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware. Attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and leak sensitive data. Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers. Threat actors have distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.

Open in new tab