Malware & Ransomware · HIGH

GlassWorm Malware - Major Attack Hits GitHub and npm Repos


In short: GlassWorm is malware that hides inside code repositories, packages and editor extensions and steals developer credentials and cryptocurrency wallet data from whoever runs the infected code.

Quick Summary

A new wave of GlassWorm has compromised 433 components across GitHub repositories, npm packages and VSCode/OpenVSX extensions. Developers who clone, install or run the affected code risk losing credentials and wallet data. Check your machines and repositories for the indicators listed below.

What Happened

GlassWorm has resurfaced with a large supply-chain campaign. Researchers from Aikido, Socket and StepSecurity count 433 compromised components this month alone, spread across GitHub repositories, npm packages and VSCode/OpenVSX extensions. All of them point at a single Solana blockchain address used for command-and-control, which is what ties the components to one coordinated campaign and also makes the infrastructure hard to take down, since there is no conventional C2 domain to sinkhole.

First observed in October 2025, GlassWorm hides its payload behind invisible Unicode characters, so the malicious code does not show up in a normal editor view or code review. Once it runs, it harvests cryptocurrency wallet data and developer credentials. The latest wave reaches more platforms than the original extension-focused campaign and adds new evasion techniques.

Who's Being Targeted

The attack primarily affects developers using GitHub, npm and VSCode/OpenVSX. The 433 compromised components break down as:

  • 200 Python repositories on GitHub
  • 151 JavaScript/TypeScript repositories on GitHub
  • 72 VSCode/OpenVSX extensions
  • 10 npm packages

The entry point is a compromised GitHub account. With it, the attackers push malicious commits into the victim's repositories and publish trojanized packages and extensions whose payload is obfuscated to slip past review and automated scanners. Credentials stolen from each new victim feed the next round of account takeovers, which is what makes this a worm rather than a one-off trojan.

Signs of Infection

Developers should check both their code and their machines. Key indicators include:

  • The identifier "lzcdrtfxyqiplpd" anywhere in a codebase.
  • An unexpected ~/init.json file, which the malware uses for persistence.
  • An unexpected Node.js installation in the home directory, such as ~/node-v22*.
  • Suspicious i.js files in recently cloned projects.

Also review Git history. A commit whose committer date is far later than its author date was written (or rewritten) recently but carries an old author date, so it blends into existing history; the researchers flag such discrepancies as a sign that a repository has been tampered with.

How to Protect Yourself

To reduce exposure to GlassWorm, developers should:

  • Search codebases for the markers above, including invisible Unicode characters, not just the visible identifier.
  • Inspect workstations for the unexpected files and Node.js installations listed above.
  • Treat installing Python packages straight from GitHub, or running a freshly cloned repository, as executing untrusted code: read what you are about to run first.
  • Rotate GitHub, npm and other developer tokens if any indicator is found, since stolen credentials are how the campaign spreads.

The malware is still changing, so these markers are a snapshot: absence of them is not proof of a clean system.
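The checks listed under Signs of Infection and in the list above can be scripted. The following Python script is an added example, not code from BleepingComputer, from the researchers named above or from any vendor tool. It scans source text for the reported identifier and for runs of invisible Unicode, parses git log output for commits whose committer date is far later than their author date, and classifies paths under the home directory against the file-system indicators. The invisible code point ranges, the seven-day skew threshold and the sample inputs are assumptions of this example, not details from the article.

```python
"""Added example: scripted checks for the GlassWorm indicators named above.
Not from the article or any vendor tool; ranges, threshold and samples are
this example's assumptions."""
import fnmatch
from pathlib import Path

MARKER_VARIABLE = "lzcdrtfxyqiplpd"  # identifier reported in the article

# Invisible / zero-width code points used to hide text from editors and diffs.
# The article names the technique (invisible Unicode), not the exact code
# points; these families are the usual ones abused for that (assumption).
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # ZWSP, ZWNJ, ZWJ, LRM, RLM
    (0x2060, 0x2064),    # word joiner, invisible times/separator/plus
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # zero-width no-break space (a BOM if it leads the file)
    (0xE0100, 0xE01EF),  # variation selectors supplement
)


def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def invisible_runs(text):
    """Return (offset, length) for every run of invisible code points.
    A lone BOM at offset 0 is tolerated; anything else is reported."""
    runs, i, n = [], 0, len(text)
    while i < n:
        if not is_invisible(text[i]):
            i += 1
            continue
        j = i
        while j < n and is_invisible(text[j]):
            j += 1
        if not (i == 0 and j == 1 and text[0] == "\ufeff"):
            runs.append((i, j - i))
        i = j
    return runs


def scan_source(text):
    """Source-level indicators: the reported identifier and hidden-character runs."""
    return {"marker": MARKER_VARIABLE in text, "invisible_runs": invisible_runs(text)}


def suspicious_commits(log_text, max_skew=7 * 86400):
    """Parse `git log --format='%H %at %ct'` output and return hashes whose
    committer date is more than max_skew seconds after the author date.
    Such a commit was written (or rewritten) recently but carries an old
    author date, so it blends into existing history. The seven-day default
    is an assumption; rebases and cherry-picks produce small, benign skews."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        sha, author_ts, commit_ts = parts[0], int(parts[1]), int(parts[2])
        if commit_ts - author_ts > max_skew:
            flagged.append(sha)
    return flagged


def host_indicators(relative_paths):
    """Classify paths relative to $HOME against the file-system indicators.
    Takes any iterable of relative paths so it runs over a constructed listing
    as well as over a real directory walk (see scan_home)."""
    hits = []
    for p in relative_paths:
        p = str(p).replace("\\", "/")
        if p == "init.json":
            hits.append(("persistence file", p))
        elif "/" not in p and fnmatch.fnmatch(p, "node-v22*"):
            hits.append(("unexpected node install", p))
        elif p == "i.js" or p.endswith("/i.js"):
            hits.append(("suspicious i.js", p))
    return hits


def scan_home(home=None):
    """Walk the real home directory and feed it to host_indicators."""
    home = Path(home) if home else Path.home()
    return host_indicators(str(p.relative_to(home)) for p in home.rglob("*"))


# Constructed sample inputs (not real campaign artifacts).
SAMPLE_SOURCE = "const lzcdrtfxyqiplpd = 1;\u200b\u200b\ufe0f\nconsole.log('ok');\n"
SAMPLE_LOG = "a1b2c3 1700000000 1700000300\nd4e5f6 1600000000 1740000000\n"
SAMPLE_PATHS = ["init.json", "node-v22.1.0", "node-v22.1.0/bin/node",
                "work/app/i.js", "work/app/index.js", ".bashrc"]

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    print(suspicious_commits(SAMPLE_LOG))
    print(host_indicators(SAMPLE_PATHS))
```

In practice, run scan_source over every tracked file in a repository, feed suspicious_commits the output of git log --format='%H %at %ct', and call scan_home() on the real home directory. A clean result only means these particular markers are absent; it does not prove the machine or repository is uncompromised.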

🔒 Pro insight: GlassWorm shows where supply-chain attacks are heading: one stolen developer account becomes hundreds of poisoned repositories, packages and extensions, and blockchain-based C2 removes the takedown lever defenders usually have. Pin dependencies, review what you install from GitHub, and treat developer tokens as high-value secrets.

Original article from BleepingComputer · Bill Toulas

Related Pings

CRITICAL · Malware & Ransomware

Interlock Ransomware - Exploiting Cisco FMC Zero-Day Flaw

A new ransomware campaign is exploiting a critical flaw in Cisco's software. Organizations using Cisco FMC are at risk of severe breaches. Immediate patching and security assessments are crucial to protect against this threat.

The Hacker News

HIGH · Malware & Ransomware

Ransomware - Marquis Reports Data Theft of 672K Individuals

Marquis, a Texas financial services firm, suffered a ransomware attack affecting over 670,000 individuals. The breach compromised sensitive personal data, raising serious security concerns. Affected individuals should monitor their accounts closely and take protective measures.

BleepingComputer

HIGH · Malware & Ransomware

Malware - New Campaigns Turn Devices Into DDoS and Mining Bots

New malware campaigns are hijacking network devices for DDoS attacks and crypto-mining. Routers and IoT devices are at risk, making immediate action essential. Protect your infrastructure to avoid exploitation.

Cyber Security News

HIGH · Malware & Ransomware

Malware - Iranian Hackers Used Stolen Credentials in Stryker Breach

A significant cyberattack on Stryker by Iranian hackers has disrupted operations globally. The attackers exploited stolen credentials, raising serious security concerns. Stryker is working to restore affected systems while authorities investigate the breach.

SecurityWeek

HIGH · Malware & Ransomware

Vidar Stealer 2.0 - Malware Delivered via Fake Game Cheats

A new malware campaign is exploiting fake game cheats on GitHub and Reddit to deliver Vidar 2.0. Gamers are at risk as they unknowingly install this dangerous infostealer. Stay informed and protect your data from these evolving threats.

Infosecurity Magazine

HIGH · Malware & Ransomware

Malware - GlassWorm Campaign Targets Python Repos via GitHub

A new malware campaign, ForceMemo, is targeting Python repositories on GitHub using stolen developer tokens. This poses a significant risk to developers and users alike. Vigilance is crucial to prevent compromise.

SC Media