GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
H score 42
1 unique source, 2 articles

Summary

GlassWorm returned in a new coordinated supply-chain attack that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, creating a broad software-distribution risk. The malicious packages and extensions delivered a JavaScript infostealer that steals wallet data, credentials, access tokens, SSH keys, and developer environment data. Attackers also used Solana blockchain instructions and obfuscated code to steer payload delivery and evade detection. The wave matters because it reaches developer tooling and open-source repositories used to seed downstream compromise.

Related Happenings

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Timeline

  1. 28.04.2026 00:41 1 article · 29d ago

    GlassWorm OpenVSX wave uses 73 sleeper extensions

    Campaign Scope Update

    GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

  2. 17.03.2026 23:42 2 articles · 2mo ago

    GlassWorm renewed supply-chain wave targets GitHub, npm, and VSCode/OpenVSX

    Initial Disclosure

    On 2026-03-17, GlassWorm was linked to a renewed supply-chain wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX, including force-pushed malicious commits, obfuscated packages and extensions using invisible Unicode characters, and Solana blockchain instructions used to steer payload delivery. The malicious code delivered a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
