Glassworm Malware Abuses npm, PyPI and OpenVSX to Target Developers
A sophisticated malware campaign, dubbed Glassworm, is actively compromising the critical tools and platforms software developers rely on daily. This insidious threat targets popular package registries like npm and PyPI, alongside the developer-focused OpenVSX marketplace. The campaign exploits the trust developers place in these platforms: by abusing npm, PyPI, OpenVSX, and GitHub, the attackers have turned routine development workflows into entry points for data theft, credential harvesting, and persistent system access.
The campaign first surfaced in October 2025, when malicious Visual Studio Code and OpenVSX extensions appeared on developer marketplaces.
In the first wave alone, roughly 35,800 developers were reportedly infected. Since then, Glassworm has grown steadily, expanding into Python repositories on GitHub, npm packages in the React Native ecosystem, and AI-related development tooling.
Analysts at CrowdStrike and other security firms have flagged the growing scale and sophistication of this campaign. The malware operates in multiple stages, moving from a loader to credential theft and then to a persistent backdoor that lets the attacker maintain access long after the initial infection.
What makes Glassworm especially alarming is who it targets. Developers often keep cloud credentials, SSH keys, API tokens, and cryptocurrency wallets stored locally on their machines.
A single compromised workstation can expose an entire organization’s infrastructure and trigger downstream attacks across dozens of connected repositories.

The attack chain begins quietly. A developer installs what looks like a trusted extension or package, and the malware activates in the background. It harvests secrets and passes stolen credentials to attacker-controlled servers, often before anyone realizes something is wrong.
According to CrowdStrike’s report shared with Cyber Security News (CSN), Sonatype Security Research identified two hijacked React Native npm packages that together received over 30,000 downloads per week, both modified to deliver multi-stage malware tied to this same campaign.
Developer-Targeting Glassworm Malware
Glassworm delivers its payload through several channels. Malicious VS Code and Cursor extensions serve as the primary entry point, with some legitimate publisher accounts being compromised to push malicious updates.
This approach let attackers reach thousands of users without raising immediate suspicion from the platforms.
Once on a developer’s machine, Glassworm steals GitHub tokens from multiple sources, including VS Code storage, the git credentials file, and local environment variables.
The attacker then uses those tokens to force-push malware into every repository linked to the victim’s account.
The injection preserves the original commit author and date, making it look like nothing in the project history has changed.
At the same time, two widely used npm packages in the React Native ecosystem, which together saw over 30,000 weekly downloads, were found hijacked and modified to run a malicious install script.

That script would check whether the system was set to a Russian locale and skip execution if so, a tactic commonly used to avoid attracting attention from law enforcement in certain regions.
The malware uses the Solana blockchain as its command-and-control channel. Instead of connecting to a server that could be taken offline, it reads instructions from transaction memos attached to a specific Solana wallet.
The attacker can update payload locations at any time by posting a new transaction, and those instructions cannot be deleted or censored once recorded on-chain.
Stealth Techniques and What Gets Stolen
Glassworm goes to considerable lengths to stay hidden. One method involves invisible Unicode characters embedded in source code.
These characters render as blank whitespace in editors and GitHub’s code review interface, making the hidden payload effectively invisible to anyone reading the code normally.
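The following scanner is an added example, not code from the article or from any vendor, that finds the invisible code points described above so a reviewer can see what the editor does not. The explicit set and the "Cf" category check are taken from the Unicode standard, not from this campaign's payload; the sample input is constructed.

```python
import unicodedata

# Invisible code points that are NOT in the Unicode "Cf" (format) category,
# so a category check alone would miss them.
EXTRA_INVISIBLE = {
    0x034F,          # COMBINING GRAPHEME JOINER (Mn)
    0x115F, 0x1160,  # HANGUL CHOSEONG / JUNGSEONG FILLER (Lo)
    0x3164,          # HANGUL FILLER (Lo)
    0xFFA0,          # HALFWIDTH HANGUL FILLER (Lo)
}
EXTRA_INVISIBLE |= set(range(0xFE00, 0xFE10))    # VARIATION SELECTOR-1..16 (Mn)
EXTRA_INVISIBLE |= set(range(0xE0100, 0xE01F0))  # VARIATION SELECTOR-17..256 (Mn)


def is_invisible(ch: str) -> bool:
    """True for zero-width spaces/joiners, bidi controls, tag characters,
    BOM and soft hyphen (all category Cf) plus the fillers/selectors above."""
    return ord(ch) in EXTRA_INVISIBLE or unicodedata.category(ch) == "Cf"


def find_invisible(text: str):
    """Return (line, column, code point, Unicode name) for every invisible
    character in the text, in reading order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                cp = ord(ch)
                hits.append((line_no, col, cp, unicodedata.name(ch, f"U+{cp:04X}")))
    return hits


if __name__ == "__main__":
    # Constructed sample: an ordinary-looking JS line carrying zero-width
    # characters after the semicolon, and a Hangul filler inside a comment.
    sample = "const x = 1;\u200b\u200d\u200b\n// note\u3164\nconsole.log(x);\n"
    for line_no, col, cp, name in find_invisible(sample):
        print(f"line {line_no} col {col} U+{cp:04X} {name}")
```

Run it over a checkout with `errors="replace"` decoding so a deliberately malformed file cannot abort the scan, and treat any hit outside a string literal as a review blocker.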
The multi-stage payload further complicates detection. The first stage is a loader, the second steals credentials and cryptocurrency wallet data, and the third deploys a persistent backdoor using WebSockets.
A malicious Chrome extension is also installed to capture browser session data. The final payload is encrypted with AES and the decryption key is only sent via server response headers, making static analysis close to impossible.
Security teams should audit all installed VS Code extensions and remove anything unrecognized. Developers are advised to rotate GitHub tokens and cloud credentials on any system that may have been exposed. Enabling multi-factor authentication across all developer platforms is essential.
Organizations should also watch for outbound connections to Solana RPC endpoints or unknown IP addresses, as this kind of traffic has no place in a normal development pipeline.
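As an added example (not from the article or CrowdStrike's tooling), the detector below applies the egress check just recommended to an outbound proxy log: it flags requests to Solana hosts and, separately, JSON-RPC calls that read a wallet's transaction history, which is how memo-based instructions are fetched even when relayed through some other front. The tab-separated log format and all sample records are constructed; the method names come from Solana's public RPC API.

```python
import json
import re

# Crude substring heuristic for Solana cluster hosts; tune to your egress allowlist.
SOLANA_HOST = re.compile(r"solana", re.IGNORECASE)
# JSON-RPC methods needed to walk a wallet's transactions and read their memos.
MEMO_READ_METHODS = {"getSignaturesForAddress", "getTransaction"}

# Constructed sample log: ts, src_ip, dst_host, verb, path, body (tab separated).
SAMPLE_LOG = "\n".join([
    "2025-10-17T10:02:11Z\t10.1.4.22\tapi.mainnet-beta.solana.com\tPOST\t/\t"
    '{"jsonrpc":"2.0","id":1,"method":"getSignaturesForAddress","params":["WALLET_PLACEHOLDER"]}',
    "2025-10-17T10:02:12Z\t10.1.4.22\tregistry.npmjs.org\tGET\t/react-native-example\t",
    "2025-10-17T10:02:15Z\t10.1.4.22\trpc-front.example.net\tPOST\t/rpc\t"
    '{"jsonrpc":"2.0","id":2,"method":"getTransaction","params":["SIG_PLACEHOLDER"]}',
])


def rpc_method(body: str):
    """Return the JSON-RPC method named in a request body, or None."""
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        return None
    return doc.get("method") if isinstance(doc, dict) else None


def detect(log_lines):
    """Return (timestamp, src_ip, reasons) for each request that either
    talks to a Solana host or issues a memo-reading RPC call elsewhere."""
    alerts = []
    for raw in log_lines:
        if not raw.strip():
            continue
        ts, src, host, _verb, _path, body = raw.split("\t", 5)
        reasons = []
        if SOLANA_HOST.search(host):
            reasons.append("host:" + host)
        method = rpc_method(body)
        if method in MEMO_READ_METHODS:
            reasons.append("method:" + method)
        if reasons:
            alerts.append((ts, src, reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, reasons in detect(SAMPLE_LOG.splitlines()):
        print(ts, src, ", ".join(reasons))
```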
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.