GlassWorm supply-chain malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The GlassWorm malware activity is now under a coordinated C2 disruption, reducing its ability to deliver new instructions and payloads to infected developer systems. The operation spread through trojanized VS Code extensions and compromised npm and Python packages, exposing software developers and their repositories to supply-chain compromise. It has been built for credential harvesting, wallet theft, and host profiling, and it has already been used to poison more than 300 GitHub repositories. The activity also deploys GlassWormRAT and covert infrastructure for proxying and remote execution.
Related Happenings
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
Vulnerability
H score32
First: 24.06.2026 15:48
Last: 24.06.2026 15:48
Sources 1
About this happening:
**Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
VulnerabilityAbout this happening: **Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
Timeline
-
27.05.2026 14:48 2 articles · 1mo ago
CrowdStrike, Google, and Shadowserver disrupt GlassWorm C2 channels
Campaign Scope UpdateCrowdStrike, Google, and the Shadowserver Foundation said they disrupted all command-and-control channels associated with GlassWorm, reducing the malware's ability to deliver new instructions and payloads to infected developer systems. CrowdStrike also said GlassWorm operators have targeted software developers since at least early 2025 through trojanized VS Code extensions and compromised npm and Python packages.
Show sources
- GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure — thehackernews.com — 27.05.2026 14:48
- GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure — thehackernews.com — 27.05.2026 14:48