
GlassWorm supply-chain malware activity

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary


The GlassWorm malware activity is now under a coordinated C2 disruption, reducing its ability to deliver new instructions and payloads to infected developer systems. The operation spread through trojanized VS Code extensions and compromised npm and Python packages, exposing software developers and their repositories to supply-chain compromise. It has been built for credential harvesting, wallet theft, and host profiling, and it has already been used to poison more than 300 GitHub repositories. The activity also deploys GlassWormRAT and covert infrastructure for proxying and remote execution.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Glassworm botnet command-and-control disruption

Malware Activity
First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Timeline

  1. 27.05.2026 14:48 · 2 articles

    CrowdStrike, Google, and Shadowserver disrupt GlassWorm C2 channels

    Campaign Scope Update

    CrowdStrike, Google, and the Shadowserver Foundation said they disrupted all command-and-control channels associated with GlassWorm, reducing the malware's ability to deliver new instructions and payloads to infected developer systems. CrowdStrike also said GlassWorm operators have targeted software developers since at least early 2025 through trojanized VS Code extensions and compromised npm and Python packages.
