A large-scale GlassWorm malware campaign targeting developer platforms appears to be significantly more extensive and sophisticated than previously thought.
Various media outlets, including opensourcemalware.com, report that the so-called GlassWorm operation has resurfaced and now infects hundreds of software components across popular ecosystems such as GitHub, npm, and development environment extension marketplaces.
According to findings from multiple security firms, more than 400 repositories, packages, and extensions have been compromised in a short period. The affected components span a broad range of programming languages and platforms, including Python and JavaScript projects on GitHub and extensions for Visual Studio Code and OpenVSX, giving the campaign a scale that extends beyond previous observations.
The attack employs a supply-chain approach, in which malicious code is integrated into seemingly legitimate software components. Developers who install these dependencies unwittingly introduce the malware. Initial access often appears to occur via compromised GitHub accounts, after which attackers make malicious changes to existing repositories. From there, the code spreads further via package managers and extension platforms.
Technically, the command-and-control structure is particularly notable. The malware uses the Solana blockchain to retrieve instructions: at regular intervals it polls the chain for new commands, which are hidden in transaction memos. This makes the infrastructure behind the attack harder to block, because traditional network controls are less effective against commands delivered through a public blockchain.
The payload itself is designed to collect sensitive information from development environments. This includes data from crypto wallets, login credentials, tokens, and SSH keys. In some cases, additional software is installed, including a Node.js environment used to execute further malicious scripts. According to reports by BleepingComputer, this infrastructure is actively modified via blockchain transactions, indicating a dynamic and ongoing operation.
Notably, the attack is not limited to a single platform. The same techniques and infrastructure are being deployed simultaneously across multiple ecosystems. This points to a central actor using various distribution channels to maximize reach. Analysis of the code suggests that those involved may be Russian-speaking, though definitive attribution remains elusive for now. Furthermore, the malware reportedly avoids systems with a Russian language setting, a behavior commonly observed among certain threat groups.
Malicious code remains hidden
In addition to technical complexity, the obfuscation techniques used also play a significant role. Among other methods, malicious code is concealed using invisible Unicode characters, which makes detection difficult for both developers and security tools. This technique has previously been linked to GlassWorm, but appears to be deployed on a larger scale in the latest campaign.
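One concrete check a defender can run over a repository checkout or an unpacked extension bundle is a scan for invisible and format Unicode characters in source text, since a long run of such characters is far more likely to be an encoded payload than an accidental paste. The scanner below is an added example written for this article, not code from the article, from the cited firms, or from the campaign itself; the code-point list, the function names and the constructed sample input are assumptions for the example.

```python
import unicodedata
from typing import List, Tuple

# Code points that render as nothing (or nearly nothing) in most editors and can
# therefore hide data or break up identifiers. This list is an assumption for the
# example, not an indicator list taken from the GlassWorm reporting.
INVISIBLE_CODEPOINTS = {
    0x00AD,          # SOFT HYPHEN
    0x034F,          # COMBINING GRAPHEME JOINER
    0x061C,          # ARABIC LETTER MARK
    0x115F, 0x1160,  # HANGUL CHOSEONG / JUNGSEONG FILLER
    0x180E,          # MONGOLIAN VOWEL SEPARATOR
    0x2800,          # BRAILLE PATTERN BLANK
    0x3164,          # HANGUL FILLER
    0xFFA0,          # HALFWIDTH HANGUL FILLER
}
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space / non-joiner / joiner, LRM, RLM
    (0x2028, 0x202E),    # line & paragraph separators, bidi embedding / override
    (0x2060, 0x206F),    # word joiner, invisible operators, bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # byte order mark / zero width no-break space
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)


def is_invisible(ch: str) -> bool:
    """True if the character is invisible or a format control in source text."""
    cp = ord(ch)
    if cp in INVISIBLE_CODEPOINTS:
        return True
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any other Unicode "format" character (category Cf) has no business in
    # source code. Ordinary tabs and newlines are category Cc and are not flagged.
    return unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX NAME') for each invisible char, 1-based.

    Splits on '\\n' only: str.splitlines() would treat U+2028 / U+2029 as line
    breaks and silently drop exactly the characters we want to report.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                hits.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return hits


def longest_invisible_run(text: str) -> int:
    """Length of the longest consecutive run of invisible characters."""
    best = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        best = max(best, run)
    return best


# Constructed sample (not real malware): a harmless-looking JavaScript line with
# the text "hi" appended as Unicode tag characters, followed by a clean line.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hi")
SAMPLE = "const x = 1;" + HIDDEN + "\nconst y = 2;\n"

if __name__ == "__main__":
    for lineno, col, desc in find_invisible(SAMPLE):
        print(f"line {lineno} col {col}: {desc}")
    print("longest run:", longest_invisible_run(SAMPLE))
```

In a CI job, run `find_invisible` over every text file in the checkout and fail the build on any hit; `longest_invisible_run` lets you rank findings, because a single stray zero-width space is usually a paste artifact while a run of dozens or hundreds of tag characters deserves a closer look.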
For developers and organizations, the main challenge lies in identifying infected components. Researchers point to specific indicators that may signal an infection, such as unusual files in the user environment or anomalies in Git history. They also recommend closely scrutinizing external dependencies, especially when these are used directly from source repositories.
The GlassWorm campaign underscores once again that the software supply chain is an attractive target for attackers. While traditional security often focuses on endpoints and networks, attention is increasingly shifting to the building blocks of software itself. This heightens the need for stricter control over external code and a more critical approach to dependencies within development projects.
