The GlassWorm supply-chain campaign has resurfaced, compromising 433 open-source components across GitHub, npm, and VSCode/OpenVSX: hundreds of Python and JavaScript/TypeScript repositories, extensions, and npm packages. The attackers take over GitHub accounts and push obfuscated code hidden behind invisible Unicode characters, then use the Solana blockchain as a command-and-control channel that points victims at a Node.js-based JavaScript information stealer harvesting cryptocurrency wallets, credentials, SSH keys and other developer data. Researchers recommend checking for the marker string "lzcdrtfxyqiplpd", a ~/init.json file, unexpected ~/node-v22* installations, suspicious i.js files, and anomalous Git commit dates.
Keypoints
- GlassWorm compromised 433 components across GitHub, npm, and VSCode/OpenVSX, including 200 Python and 151 JS/TS repositories, 72 extensions, and 10 npm packages.
- Initial compromise occurs via hijacked GitHub accounts that force-push malicious commits into repositories.
- Attackers hide the injected code with invisible Unicode characters so it is not noticed in review, and also publish malicious packages and extensions directly to the registries.
- The campaign uses the Solana blockchain as a C2 channel to update payload URLs and deliver a Node.js-based JavaScript information stealer.
- Researchers advise scanning for the marker “lzcdrtfxyqiplpd”, ~/init.json, unexpected ~/node-v22* installs, suspicious i.js files, and anomalous Git commit dates.
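The checks in the last point, and the invisible-Unicode point above, can be turned into a small triage script. The following is an added example, not the researchers' tooling or anything from the campaign write-up: the marker string and the file names come from the report, while the set of "invisible" code-point ranges, the commit-date heuristic (author/committer timestamps far apart or in the future) and the sample inputs are assumptions and constructed data for illustration.

```python
"""Triage for the GlassWorm indicators named in the report (added example).
MARKER, init.json, node-v22* and i.js come from the report; the code-point
ranges, the commit-date heuristic and all sample data are assumptions."""
import tempfile
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"  # marker string the report says to search for

# Assumption: ranges commonly abused to hide code in source text. The report
# only says "invisible Unicode" and does not list the exact code points.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space / joiners / bidi marks
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0xFEFF, 0xFEFF),    # BOM appearing mid-file
    (0x3164, 0x3164),    # Hangul filler
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
)


def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def invisible_runs(text, min_run=8):
    """Return (offset, length) for runs of >= min_run invisible code points.
    A single ZWJ inside an emoji sequence is normal; a long run is not."""
    runs, start = [], None
    for i, ch in enumerate(text):
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(text) - start >= min_run:
        runs.append((start, len(text) - start))
    return runs


def scan_source(text):
    """Flag the marker string and hidden-Unicode runs in one file's text."""
    return {"marker": MARKER in text, "invisible_runs": invisible_runs(text)}


def host_indicators(home):
    """Look for the file-system artefacts the report names under a home dir."""
    home = Path(home)
    hits = []
    if (home / "init.json").is_file():
        hits.append(str(home / "init.json"))
    hits += [str(p) for p in home.glob("node-v22*") if p.is_dir()]
    hits += [str(p) for p in home.rglob("i.js") if p.is_file()]
    return sorted(hits)


def anomalous_commits(log_lines, now, max_skew=86400):
    """Assumption: a planted commit often has an author date far from its
    committer date, or a date in the future. Input lines are the output of
    `git log --format="%H %at %ct"` (hash, author epoch, committer epoch)."""
    flagged = []
    for line in log_lines:
        sha, author_ts, commit_ts = line.split()
        author_ts, commit_ts = int(author_ts), int(commit_ts)
        if author_ts > now or commit_ts > now or abs(author_ts - commit_ts) > max_skew:
            flagged.append(sha)
    return flagged


def build_demo_home():
    """Constructed sample home directory containing all three artefacts."""
    home = Path(tempfile.mkdtemp(prefix="glassworm-demo-"))
    (home / "init.json").write_text("{}")
    (home / "node-v22.1.0-linux-x64" / "bin").mkdir(parents=True)
    (home / "proj" / "dist").mkdir(parents=True)
    (home / "proj" / "dist" / "i.js").write_text("// constructed sample")
    return home


# Constructed sample inputs (not real repository data).
SAMPLE_SOURCE = "const x = 1;" + "".join(chr(0xE0100 + i) for i in range(12)) + "\n"
SAMPLE_LOG = [
    "aaaa 1700000000 1700000000",  # author and committer agree: normal
    "bbbb 1500000000 1700000000",  # author date years before commit: flag
    "cccc 1900000000 1900000000",  # dated in the future: flag
]

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    print(host_indicators(build_demo_home()))
    print(anomalous_commits(SAMPLE_LOG, now=1750000000))
```

Run the source scan over every tracked file in a suspect repository and the commit check over its full `git log`; the minimum run length keeps ordinary emoji joiners and bidi marks from producing noise, and the host check is cheap enough to run on every developer machine that had the affected extensions installed.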