Published on May 27, 2026

GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure


Severity
Medium

Detail

Cybersecurity researchers have disrupted a large-scale software supply chain campaign known as GlassWorm, which targeted software developers by infiltrating trusted development ecosystems such as code editors, package registries, and open-source repositories.

Active since at least early 2025, the campaign focused on compromising developers’ machines to gain access to high-value environments including source code repositories, cloud infrastructure, CI/CD pipelines, and package distribution systems. Security teams from CrowdStrike, Google, and the Shadowserver Foundation coordinated a takedown that simultaneously disabled all known command-and-control (C2) infrastructure used by the attackers.

The GlassWorm operation was designed for persistence and stealth, enabling credential theft, crypto wallet exfiltration, browser data harvesting, and long-term remote access across infected systems.

How?

The attack primarily began through malicious software supply chain vectors, including:

  • Trojanized VS Code extensions published on marketplaces such as Microsoft VS Code Marketplace and Open VSX
  • Malicious or compromised npm and Python packages embedded in legitimate-looking developer tools

Once installed, the malware deployed a JavaScript-based remote access tool (RAT) capable of executing commands, stealing data, and installing additional payloads such as browser extensions for surveillance.

Infected systems were systematically searched for sensitive developer assets, including GitHub tokens, npm credentials, Open VSX keys, and cryptocurrency wallet data. Stolen credentials were then used to compromise additional repositories, with reports indicating that over 300 GitHub repositories were affected.
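As an added example (not code from the advisory or from the takedown teams), the following Python script triages VS Code extensions installed on disk for the traits described above: extensions outside an allowlist, extensions that activate on every editor start, and extension code that shells out, evaluates dynamic code, or references developer credential files such as `.npmrc`. The patterns, the allowlist, the `acme.helper` sample extension and the extension root are constructed for illustration and are not GlassWorm indicators.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics that merit a second look in editor extension source; not GlassWorm indicators.
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)|from ['\"]child_process['\"]"),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    "credential_files": re.compile(r"\.npmrc|\.git-credentials|id_rsa"),
}

def triage_extension(ext_dir: Path, allowlist: set) -> dict:
    """Report allowlist status, startup activation and risky source patterns for one extension."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    findings = []
    if ident not in allowlist:
        findings.append("not on allowlist")
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on every startup (activationEvents '*')")
    for js in ext_dir.rglob("*.js"):
        src = js.read_text(encoding="utf-8", errors="ignore")
        for label, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(src):
                findings.append(f"{label} in {js.relative_to(ext_dir).as_posix()}")
    return {"extension": ident, "version": manifest.get("version"), "findings": sorted(set(findings))}

def triage_all(extensions_root: Path, allowlist: set) -> list:
    # extensions_root is the extension directory, e.g. ~/.vscode/extensions on a real machine
    return [triage_extension(d, allowlist)
            for d in sorted(extensions_root.iterdir()) if (d / "package.json").is_file()]

def build_sample_extension(root: Path) -> Path:
    """Constructed sample: an extension that activates on startup and shells out to read .npmrc."""
    ext = root / "acme.helper-1.0.0"
    (ext / "out").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "publisher": "acme", "name": "helper", "version": "1.0.0",
        "activationEvents": ["*"], "main": "./out/extension.js"}), encoding="utf-8")
    (ext / "out" / "extension.js").write_text(
        "const cp = require('child_process');\ncp.exec('cat ~/.npmrc');\n", encoding="utf-8")
    return ext

def demo() -> list:
    # Run the triage against the constructed sample in a throwaway directory
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extension(Path(tmp))
        return triage_all(Path(tmp), allowlist={"ms-python.python"})

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `triage_all` at a real extension directory and an organization allowlist to produce the same report for installed extensions; findings are triage hints to review by hand, not verdicts.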

The malware also transformed compromised hosts into attacker-controlled infrastructure, enabling SOCKS proxying, hidden remote desktop sessions (HVNC), and remote execution via Node.js processes and WebRTC-based communication.

A key feature of GlassWorm was its highly resilient C2 architecture. Instead of relying on a single control channel, operators used multiple redundant and unconventional methods, including:

  • Storing C2 data in Solana blockchain transaction metadata
  • Retrieving configuration via BitTorrent DHT peer-to-peer networks
  • Using Google Calendar events as hidden data storage (“dead drops”)
  • Falling back to traditional VPS-hosted command servers

This multi-layered approach allowed the campaign to survive traditional takedown attempts for an extended period before coordinated disruption neutralized all channels simultaneously.

Conclusion

The GlassWorm campaign demonstrates how software supply chains have become one of the most critical attack surfaces in modern cybersecurity. By targeting developer environments directly, attackers were able to scale compromise across downstream organizations and infrastructure. The use of trusted platforms, decentralized networks, and legitimate cloud services for command-and-control highlights a growing trend toward resilient and hard-to-detect malware ecosystems.

This incident reinforces the need for stricter verification of developer tools, continuous monitoring of CI/CD and repository access, and improved detection of suspicious extension and package behavior across development environments.

Source

https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html