GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
Summary
Hide ▲
Show ▼
GlassWorm returned in a new coordinated supply-chain attack that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, creating a broad software-distribution risk. The malicious packages and extensions delivered a JavaScript infostealer that steals wallet data, credentials, access tokens, SSH keys, and developer environment data. Attackers also used Solana blockchain instructions and obfuscated code to steer payload delivery and evade detection. The wave matters because it reaches developer tooling and open-source repositories used to seed downstream compromise.
Related Happenings
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Timeline
-
28.04.2026 00:41 1 articles · 2mo ago
GlassWorm OpenVSX wave uses 73 sleeper extensions
Campaign Scope UpdateGlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Show sources
- GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions — www.bleepingcomputer.com — 28.04.2026 00:41
-
17.03.2026 23:42 2 articles · 3mo ago
GlassWorm renewed supply-chain wave targets GitHub, npm, and VSCode/OpenVSX
Initial DisclosureOn 2026-03-17, GlassWorm was linked to a renewed supply-chain wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, including force-pushed malicious commits, obfuscated packages and extensions using invisible Unicode characters, and Solana blockchain instructions used to steer payload delivery. The malicious code delivered a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Show sources
- GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX — www.bleepingcomputer.com — 17.03.2026 23:42
- GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX — www.bleepingcomputer.com — 17.03.2026 23:42