Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
First reported
Last updated
Happening score
H score 35
1 unique sources, 2 articles

Summary

Hide ▲

GlassWorm returned in a new coordinated supply-chain attack that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, creating a broad software-distribution risk. The malicious packages and extensions delivered a JavaScript infostealer that steals wallet data, credentials, access tokens, SSH keys, and developer environment data. Attackers also used Solana blockchain instructions and obfuscated code to steer payload delivery and evade detection. The wave matters because it reaches developer tooling and open-source repositories used to seed downstream compromise.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Timeline

  1. 28.04.2026 00:41 1 articles · 2mo ago

    GlassWorm OpenVSX wave uses 73 sleeper extensions

    Campaign Scope Update

    GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

    Show sources
  2. 17.03.2026 23:42 2 articles · 3mo ago

    GlassWorm renewed supply-chain wave targets GitHub, npm, and VSCode/OpenVSX

    Initial Disclosure

    On 2026-03-17, GlassWorm was linked to a renewed supply-chain wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, including force-pushed malicious commits, obfuscated packages and extensions using invisible Unicode characters, and Solana blockchain instructions used to steer payload delivery. The malicious code delivered a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

    Show sources