Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm supply-chain malware activity

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The GlassWorm malware activity is now under a coordinated C2 disruption, reducing its ability to deliver new instructions and payloads to infected developer systems. The operation spread through trojanized VS Code extensions and compromised npm and Python packages, exposing software developers and their repositories to supply-chain compromise. It has been built for credential harvesting, wallet theft, and host profiling, and it has already been used to poison more than 300 GitHub repositories. The activity also deploys GlassWormRAT and covert infrastructure for proxying and remote execution.

Related Happenings

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

CI/CD pull-request privilege-escalation flaw (Cordyceps)

Vulnerability
H score32 First: 24.06.2026 15:48 Last: 24.06.2026 15:48 Sources 1

About this happening: **Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...

Timeline

  1. 27.05.2026 14:48 2 articles · 1mo ago

    CrowdStrike, Google, and Shadowserver disrupt GlassWorm C2 channels

    Campaign Scope Update

    CrowdStrike, Google, and the Shadowserver Foundation said they disrupted all command-and-control channels associated with GlassWorm, reducing the malware's ability to deliver new instructions and payloads to infected developer systems. CrowdStrike also said GlassWorm operators have targeted software developers since at least early 2025 through trojanized VS Code extensions and compromised npm and Python packages.

    Show sources