Glassworm Malware Hits Developers Through npm, PyPI, OpenVSX, and GitHub
Glassworm has become one of the clearest warnings yet that software developers are now primary targets in supply chain attacks. The malware campaign abused trusted developer tools, including npm, PyPI, OpenVSX, VS Code-compatible extensions, and GitHub repositories, to steal credentials and keep access to infected machines.
The latest update is significant. CrowdStrike says it disrupted Glassworm on May 26, 2026, in a coordinated operation with Google and the Shadowserver Foundation. The team hit four command-and-control channels at the same time, cutting infected machines off from new instructions and payloads.
That does not mean exposed systems are automatically clean. Developers and security teams still need to check workstations, CI runners, repositories, package tokens, GitHub credentials, npm tokens, cloud keys, and browser data that may have been exposed before the takedown.
What Glassworm Targeted
Glassworm did not rely on one platform. It moved across the developer ecosystem by using trojanized extensions, compromised packages, poisoned repositories, and stolen access tokens. That made it dangerous because developers often work with the same credentials attackers need to reach source code, cloud services, build systems, and package registries.
One early public wave involved VS Code-compatible extensions on OpenVSX. Truesec reported in October 2025 that seven OpenVSX extensions had been compromised, with 35,800 total downloads. The malware harvested npm, GitHub, and Git credentials, targeted cryptocurrency wallet extensions, and deployed remote access tools.
Later waves expanded beyond extensions. Glassworm activity reached npm packages, Python projects, GitHub repositories, and AI-related developer tooling. CrowdStrike said the campaign affected Windows, macOS, and Linux systems and included information theft, credential harvesting, and a Node.js remote access tool known as GlasswormRAT.
| Attack path | How Glassworm used it | Main risk |
| --- | --- | --- |
| OpenVSX and VS Code-compatible extensions | Trojanized or cloned extensions reached developers through trusted IDE workflows | Credential theft and remote access |
| npm packages | Malicious install scripts ran during normal dependency installation | Token theft and payload delivery |
| Python repositories and packages | Compromised GitHub accounts were used to push malware into Python projects | Silent code poisoning |
| GitHub repositories | Stolen tokens allowed attackers to force-push malicious code into default branches | Downstream supply chain compromise |
Why the GitHub Attack Was Hard to Spot
The GitHub side of the campaign was especially stealthy. StepSecurity tracked a related campaign called ForceMemo, where attackers compromised GitHub accounts and injected identical malware into hundreds of Python repositories.
The attackers used a force-push technique that preserved the original commit message, author, and author date. That made the malicious change look like it belonged to the existing project history, with no obvious pull request or normal review trail in GitHub’s interface.

The injected code was usually appended to files such as setup.py, main.py, or app.py. Anyone who installed or ran a compromised project could trigger the payload, which then continued the cycle by looking for more credentials and tokens.
npm Packages Also Carried Glassworm Payloads
Glassworm also reached developers through compromised npm packages. Aikido Security reported that two React Native packages were backdoored on March 16, 2026: [email protected] and [email protected].
Both packages added a preinstall hook that ran before a normal npm installation completed. That matters because a developer, CI runner, or build machine could trigger the malware simply by installing the affected package version.
At the time Aikido checked npm download data, the two packages had nearly 30,000 weekly downloads combined. The malicious releases used similar install-time loaders, which fetched and executed more malware after the first stage ran.
How Glassworm Hid Its Command System
Glassworm stood out because it did not depend on one command server. Aikido’s payload analysis found that Glassworm used Solana transaction memos as a command channel. Instead of hardcoding a normal URL, the malware could read a payload location from blockchain data.
CrowdStrike later described a broader four-channel setup that included Solana blockchain memos, BitTorrent DHT, Google Calendar event titles, and direct VPS server connections. This structure made the botnet more resilient because removing one channel would not stop the others.

That is why the takedown had to happen at the same time across multiple points. CrowdStrike’s takedown report said infected machines can no longer receive new instructions or payloads after the coordinated disruption.
What Glassworm Tried to Steal
The campaign focused on assets that developers routinely store locally. That includes GitHub tokens, npm tokens, Git credentials, cloud secrets, browser session data, cryptocurrency wallet files, and environment variables.
The GlassWorm RAT analysis also found a malicious Chrome extension posing as Google Docs Offline. It could log keystrokes, dump cookies and session tokens, capture screenshots, and receive commands from attacker-controlled infrastructure.
This turns one infected workstation into a larger risk for the company behind it. A single developer machine may have access to production repositories, cloud dashboards, internal packages, signing keys, API credentials, and CI/CD systems.
- GitHub tokens can expose private repositories.
- npm tokens can let attackers publish malicious package updates.
- Cloud keys can expose infrastructure and customer data.
- Browser cookies can bypass some login checks.
- CI secrets can let attackers tamper with build pipelines.
Why Developers and Companies Should Still Check Systems
The May 26 disruption reduced Glassworm’s ability to send fresh instructions, but it does not undo earlier credential theft. Any machine that installed a malicious extension, package, or repository before the takedown may still need full incident response.
The ForceMemo campaign also shows why source history alone may not be enough. Security teams should compare suspicious branches with known clean commits and review unexpected changes in setup scripts, install hooks, and files touched by recent force-push activity.
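One way to triage the force-push pattern described above, as an added example that is not from the article or from StepSecurity: the Python script below parses git log output and flags commits whose committer date lands far after their author date. It assumes the attacker preserved the author date but not the committer date, so treat hits as leads to compare against a known clean commit rather than proof.

```python
"""Triage heuristic for history rewrites that keep the original author date.

Added example, not from the article or any vendor tooling. A rewritten old
commit normally keeps its author date while git stamps a fresh committer
date, so a large gap between the two is worth a closer look. Assumption: the
attacker did not also override GIT_COMMITTER_DATE; treat hits as leads.
"""
from dataclasses import dataclass
import subprocess

# hash, author epoch, committer epoch, author name, subject (tab separated)
GIT_LOG_FORMAT = "%H%x09%at%x09%ct%x09%an%x09%s"


@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    subject: str

    @property
    def skew_days(self) -> float:
        return (self.committer_ts - self.author_ts) / 86400


def parse_git_log(text: str) -> list[Commit]:
    """Parse tab-separated lines produced with GIT_LOG_FORMAT."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, a_ts, c_ts, author, subject = line.split("\t", 4)
            commits.append(Commit(sha, int(a_ts), int(c_ts), author, subject))
    return commits


def find_rewritten_commits(text: str, max_skew_days: float = 7) -> list[Commit]:
    """Commits whose committer date lands far after their author date."""
    return [c for c in parse_git_log(text) if c.skew_days > max_skew_days]


def git_log(repo: str, branch: str = "HEAD", count: int = 500) -> str:
    """Collect the log from a real checkout; not needed for the sample below."""
    cmd = ["git", "-C", repo, "log", f"-{count}", f"--format={GIT_LOG_FORMAT}", branch]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: the middle commit keeps a January 2023 author date but
# was recommitted in 2026, the shape a preserved-metadata force-push leaves.
SAMPLE_LOG = (
    "aaa111\t1780000000\t1780000000\tdev\tBump version\n"
    "bbb222\t1672531200\t1780000000\tdev\tAdd setup.py\n"
    "ccc333\t1672444800\t1672444800\tdev\tInitial commit\n"
)
```

Run `find_rewritten_commits(git_log("/path/to/checkout", "main"))` against a real repository and then diff each flagged commit against the last commit you trust.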
The initial OpenVSX findings also showed how trusted developer tools can become delivery points for malware. Developers should remove unneeded extensions, review publisher names carefully, and avoid relying only on download counts or familiar-looking listings.
Recommended Response Steps
Organizations should treat possible Glassworm exposure as a credential incident, not only as a malware cleanup task. Removing a malicious package or extension helps, but it does not protect tokens that attackers may have already copied.
Security teams should prioritize token rotation, repository audits, endpoint checks, and build pipeline reviews. They should also examine outbound traffic to Solana RPC endpoints, unknown VPS servers, unusual Google Calendar requests, and BitTorrent DHT activity from developer workstations or CI systems.
- Audit installed VS Code, Cursor, Windsurf, VSCodium, and OpenVSX extensions.
- Remove unknown, cloned, outdated, or low-trust extensions.
- Check npm and Python dependencies for suspicious install scripts.
- Rotate GitHub, npm, PyPI, cloud, SSH, and CI/CD secrets from any exposed machine.
- Review GitHub repositories for force-push activity and unexpected changes to setup.py, main.py, app.py, package.json, and install scripts.
- Search for invisible Unicode characters and known Glassworm markers in source code.
- Rebuild affected developer machines if credential theft or remote access is confirmed.
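The following Python script is an added example (not from the article, Aikido or StepSecurity) that covers two of the audit steps above: it lists package.json lifecycle hooks that run during npm install, like the preinstall hook in the backdoored React Native releases, and reports invisible Unicode code points in source files. The invisible-character set is an assumption drawn from common hidden-text tricks, not an official Glassworm marker, and the sample inputs are constructed.

```python
"""Flag npm install hooks and invisible Unicode in a checkout.

Added example, not from the article or any vendor's tooling; the code-point
set is an assumption drawn from common hidden-text tricks, not an official
Glassworm signature.
"""
import json
import os
import unicodedata

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Zero-width spaces/joiners, Hangul fillers and variation selectors; other
# 'Cf' format characters (bidi controls, tags) are caught via unicodedata.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x3164, 0x115F, 0x1160}
INVISIBLE |= set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))


def invisible_chars(text: str) -> list[tuple[int, str]]:
    """Return (offset, 'U+XXXX') for every invisible code point in text."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if ord(c) in INVISIBLE or unicodedata.category(c) == "Cf"]


def install_hooks(package_json_text: str) -> dict[str, str]:
    """Return lifecycle scripts that execute automatically at install time."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_tree(root: str, exts=(".js", ".ts", ".py", ".json")) -> dict[str, list]:
    """Walk a checkout and collect findings keyed by file path."""
    findings: dict[str, list] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if hits := invisible_chars(text):
                findings.setdefault(path, []).append(("invisible_unicode", hits[:5]))
            if name == "package.json" and (hooks := install_hooks(text)):
                findings.setdefault(path, []).append(("install_hook", hooks))
    return findings


# Constructed samples: a package.json with a preinstall loader (made-up names)
# and a source line hiding a zero-width space after 'const'.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "example-pkg", "version": "1.0.0",
                                  "scripts": {"preinstall": "node loader.js", "test": "jest"}})
SAMPLE_SOURCE = "const\u200b x = 1;\n"
```

Point `scan_tree` at a project root or `node_modules` directory; any `install_hook` finding deserves a read of the referenced script, and any `invisible_unicode` finding deserves a byte-level look at that file.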
The Bigger Supply Chain Lesson
Glassworm shows why developer workstations now deserve the same attention as production servers. Attackers do not need to breach a company directly if they can steal the credentials of someone who builds, signs, tests, or publishes its software.
The React Native package report also shows how routine installs can become execution points. A dependency update, extension update, or GitHub clone can now carry the same risk as opening a suspicious attachment.
The immediate botnet disruption gives defenders a chance to clean up. The long-term lesson is harder: package registries, IDE marketplaces, source repositories, and CI/CD systems are now part of the security perimeter, and companies need to defend them as one connected environment.
FAQ
Glassworm is a developer-targeting malware campaign that abused trusted software development tools, including VS Code-compatible extensions, npm packages, Python projects, and GitHub repositories. It was designed to steal credentials, harvest secrets, and maintain access to infected machines.
CrowdStrike said it disrupted Glassworm on May 26, 2026, with help from Google and the Shadowserver Foundation. The operation hit four command-and-control channels at the same time, but affected systems still need cleanup and credential rotation.
Glassworm activity affected OpenVSX and VS Code-compatible extensions, npm packages, Python projects, PyPI-related workflows, and GitHub repositories. The campaign also used stolen developer credentials to spread into more repositories and packages.
Developers should remove suspicious extensions, audit dependencies, rotate GitHub and package registry tokens, check repositories for force-pushed code, review CI/CD secrets, and rebuild machines if credential theft or remote access is confirmed.