GlassWorm Supply‑Chain Malware Compromises 433 Open‑Source Repos and Extensions, Targeting Developer Credentials and Crypto Wallets
What Happened – A coordinated supply‑chain campaign dubbed GlassWorm injected malicious code into 433 open‑source components across GitHub, npm, and the Visual Studio Code/OpenVSX marketplaces. The malware uses invisible Unicode characters to hide a JavaScript/Node.js stealer that polls a Solana blockchain address for C2 instructions and exfiltrates cryptocurrency wallet data, developer credentials, SSH keys, and access tokens.
Why It Matters for TPRM –
- Open‑source libraries are a common third‑party dependency; compromise can cascade to any downstream organization.
- The attack leverages compromised developer accounts to force‑push malicious commits, bypassing many traditional security controls.
- Persistent C2 via a public blockchain makes detection and remediation more complex.
Who Is Affected – Software development firms, SaaS providers, fintech companies, and any organization that consumes third‑party Python, JavaScript/TypeScript packages or VS Code extensions.
Recommended Actions –
- Conduct an immediate software‑bill‑of‑materials (SBOM) review to identify usage of the listed compromised components.
- Deploy static‑code analysis and SCA tools that can detect invisible Unicode characters and the marker variable lzcdrtfxyqiplpd.
- Rotate all credentials (API keys, SSH keys, tokens) that may have been exposed and enforce MFA on source‑code platform accounts.
- Monitor Solana blockchain memos for suspicious activity linked to the known C2 address.
Technical Notes – Initial compromise occurs via stolen GitHub credentials that enable forced pushes. Malicious payloads are obfuscated with zero‑width Unicode characters and delivered through npm packages and VS Code/OpenVSX extensions. The stealer downloads the Node.js runtime, executes a JavaScript information‑stealer, and contacts the Solana blockchain every five seconds for new instructions. Source: BleepingComputer
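The recommended SCA check (invisible Unicode characters plus the marker variable) and the obfuscation described in the Technical Notes can be demonstrated with a small scanner. The script below is an added example for this advisory, not the campaign's code and not any vendor's tool. It assumes only what the page states (the marker name lzcdrtfxyqiplpd); the set of characters it treats as invisible (every Unicode "format" character plus the variation-selector blocks) is a general choice made here, not a campaign-specific indicator list, and the two sample sources are constructed.

```python
"""Scan JavaScript/TypeScript source for hidden Unicode and a known marker variable.

Added example for the GlassWorm advisory; not the malware and not a vendor tool.
"""
import os
import re
import unicodedata
from dataclasses import dataclass

# Marker variable name quoted in the advisory.
MARKER_VARIABLE = "lzcdrtfxyqiplpd"
MARKER_RE = re.compile(r"\b" + re.escape(MARKER_VARIABLE) + r"\b")

# "Invisible" here means every Unicode format character (category Cf covers the
# zero-width space/joiners, word joiner, bidi controls, BOM and the TAG block)
# plus the variation-selector blocks, which render as nothing on their own.
# This is a general list chosen for the example, not a campaign-specific IoC list.
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
SOURCE_EXTENSIONS = {".js", ".mjs", ".cjs", ".ts", ".json"}


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":
        return True
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)


@dataclass
class Finding:
    line: int      # 1-based line number
    column: int    # 1-based column of the first offending character
    kind: str      # "invisible-run" or "marker-variable"
    detail: str


def scan_source(text: str) -> list[Finding]:
    """Return findings for one file's decoded contents."""
    findings: list[Finding] = []
    # A single U+FEFF at the very start of a file is an ordinary byte-order mark,
    # not hidden code; drop it so legitimate files do not produce a finding.
    if text.startswith("\ufeff"):
        text = text[1:]
    for lineno, line in enumerate(text.splitlines(), start=1):
        col, n = 0, len(line)
        while col < n:
            if is_invisible(line[col]):
                # Report each run of consecutive invisible characters once,
                # with its length and the distinct code points it contains.
                start = col
                while col < n and is_invisible(line[col]):
                    col += 1
                cps = sorted({f"U+{ord(c):04X}" for c in line[start:col]})
                findings.append(Finding(lineno, start + 1, "invisible-run",
                                        f"{col - start} invisible chars ({', '.join(cps)})"))
            else:
                col += 1
        for m in MARKER_RE.finditer(line):
            findings.append(Finding(lineno, m.start() + 1, "marker-variable",
                                    f"marker variable {MARKER_VARIABLE!r} present"))
    return findings


def scan_tree(root: str) -> dict[str, list[Finding]]:
    """Walk a checkout, node_modules or unpacked extension directory and scan each source file."""
    results: dict[str, list[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1] in SOURCE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    results[path] = found
    return results


# Constructed samples: a benign file (with a leading BOM) and a file carrying a
# hidden zero-width run plus the marker variable. Not real malware, only the
# shapes the scanner is meant to flag.
CLEAN_SAMPLE = "\ufeffexport function add(a, b) {\n  return a + b;\n}\n"
SUSPECT_SAMPLE = (
    "const config = require('./config');\n"
    "const lzcdrtfxyqiplpd = 'x';\n"
    "const hidden = '\u200b\u200c\u200d\u2060\ufeff';\n"
    "module.exports = config;\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(f"{label}: {len(scan_source(sample))} finding(s)")
        for f in scan_source(sample):
            print(f"  line {f.line} col {f.column}: {f.kind}: {f.detail}")
```

Run it against a repository checkout or an unpacked extension with scan_tree(path); a long invisible run inside a string literal is the pattern worth escalating, while a lone leading BOM is ignored because many legitimate files carry one.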