GlassWorm Malware
A new wave of the GlassWorm malware campaign is actively targeting software supply chains by exploiting stolen GitHub tokens to inject malicious code into hundreds of repositories. This operation primarily focuses on Python-based projects, including Django applications, machine learning research code, Streamlit dashboards, and PyPI packages.
The attack vector is simple and effective: obfuscated malware is appended to files that run routinely, such as setup.py, main.py, and app.py. setup.py executes during a pip install of a source checkout (including editable installs), and main.py or app.py executes as soon as the project is started, so any developer who installs or runs code from a compromised repository activates the payload without any further interaction.
Silent Repository Takeovers: The ForceMemo Technique
This evolution of the campaign, now referred to as ForceMemo, introduces a stealthy method of compromising repositories: threat actors use stolen developer credentials to push directly to repositories the victim controls, without leaving the conventional traces of a contribution.
By rewriting legitimate commits to include the malicious code and force-pushing the result to the default branch, attackers preserve the original commit message, author, and author date, so a routine look at the history shows nothing new. Two things cannot be preserved: the commit hash changes because the file content changed, so any clone, CI runner, or dependency pin that recorded the old head sees a non-fast-forward update (git fetch reports it as a forced update), and the committer date is reset to the time of the rewrite unless the attacker deliberately overrides it. Because no pull request, new commit, or unfamiliar author appears in the visible history, detection is significantly more difficult and depends on checking for exactly those residual artifacts.
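The committer-metadata check described above, as an added example that is not part of the original article or the researchers' tooling. It parses the output of a tab-separated git log format (shown in the docstring), flags commits whose committer date lags the author date by more than an assumed seven-day window or whose committer identity differs from the author, and ships with a constructed sample log rather than real repository data. The allowlist of committers that legitimately differ from the author (GitHub web merges) is an assumption to extend for your organisation.

```python
"""Spot commits whose committer metadata betrays a history rewrite.

A rebase or `commit --amend` reuses the original author name, e-mail and
author date, so the commit looks untouched in `git log`. The committer date,
and normally the committer identity, are set at rewrite time unless the
attacker also exported GIT_COMMITTER_NAME/EMAIL/DATE to match.

Collect input with:
  git log --format='%H%x09%an%x09%ae%x09%at%x09%cn%x09%ce%x09%ct' origin/main
"""
from dataclasses import dataclass
from typing import Iterable

# Committers that legitimately differ from the author (GitHub web merges and
# squash merges through the UI). Assumed allowlist; extend it for your org.
KNOWN_COMMITTERS = {"noreply@github.com"}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_ts: int
    committer_name: str
    committer_email: str
    committer_ts: int


def parse_log(text: str) -> list:
    """Parse tab-separated `git log` lines in the format given above."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError(f"unexpected field count in line: {line!r}")
        commits.append(Commit(parts[0], parts[1], parts[2], int(parts[3]),
                              parts[4], parts[5], int(parts[6])))
    return commits


def suspicious_commits(commits: Iterable, max_lag_seconds: int = 7 * 24 * 3600,
                       known_committers=KNOWN_COMMITTERS) -> list:
    """Return (sha, [reasons]) for commits that look rewritten after the fact."""
    findings = []
    for c in commits:
        reasons = []
        lag = c.committer_ts - c.author_ts
        if lag > max_lag_seconds:
            reasons.append(f"committed {lag // 86400} days after it was authored")
        if (c.committer_email != c.author_email
                and c.committer_email not in known_committers):
            reasons.append(f"committer {c.committer_email} is not the author {c.author_email}")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


# Constructed sample log (not real repository data). Line 3 is a commit whose
# author metadata survived a rewrite 810 days later; line 4 was rewritten by a
# different identity seconds after authoring.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tAlice\talice@example.com\t1700000000\tAlice\talice@example.com\t1700000000",
    "2222222222222222222222222222222222222222\tAlice\talice@example.com\t1700000100\tGitHub\tnoreply@github.com\t1700000200",
    "3333333333333333333333333333333333333333\tBob\tbob@example.com\t1690000000\tBob\tbob@example.com\t1760000000",
    "4444444444444444444444444444444444444444\tAlice\talice@example.com\t1760000000\tmaint\tci-bot@attacker.example\t1760000010",
])

if __name__ == "__main__":
    for sha, reasons in suspicious_commits(parse_log(SAMPLE_LOG)):
        print(sha[:12], "; ".join(reasons))
```

A legitimate rebase in a pull-request workflow produces the same lag, so treat hits as triage input to compare against the platform audit log and branch-protection events, not as proof of compromise. Pairing this with a stored copy of the last known head hash per branch catches the forced update itself, which the metadata alone cannot.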
Attack Execution Chain: From Credential Theft to Payload Delivery
The ForceMemo campaign follows a structured and multi-stage intrusion process:
- Developer environments are initially compromised through malicious Visual Studio Code and Cursor extensions carrying GlassWorm components designed to harvest sensitive credentials, including GitHub tokens.
- Stolen credentials are then used to inject obfuscated Base64-encoded payloads into Python files across all repositories associated with the compromised account.
- The embedded malware performs environment checks, notably avoiding execution on systems configured with a Russian locale. It then queries a Solana blockchain wallet to dynamically retrieve the payload delivery URL.
- Additional payloads are downloaded, including encrypted JavaScript designed for cryptocurrency theft and data exfiltration.
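A static check for the injection step above (a Base64 blob handed to exec() or eval() and appended to an otherwise legitimate Python file), as an added example that is not part of the original article or the researchers' tooling. It parses each file with the ast module, flags long Base64-looking string literals and exec()/eval() calls whose argument comes from b64decode, and includes constructed clean and trojanized setup.py samples; the 200-character threshold and the regular expression are assumptions to tune for your code base.

```python
"""Find Base64-wrapped payloads handed to exec()/eval() in Python sources."""
import ast
import base64
import os
import re

# A string literal that looks like Base64 and is long enough to carry code.
# 200 characters is an assumed threshold; ordinary short tokens stay below it.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")
DYNAMIC_EXEC = {"exec", "eval"}


def _dotted_name(node) -> str:
    """Best-effort dotted name of a call target (e.g. 'base64.b64decode')."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def scan_source(source: str, filename: str = "<input>") -> list:
    """Return (line, description) findings for one Python source file."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        return [(exc.lineno or 0, f"unparseable source: {exc.msg}")]
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and BASE64_RE.match(node.value)):
            findings.append((node.lineno, "long Base64-looking string literal"))
        elif isinstance(node, ast.Call) and _dotted_name(node.func) in DYNAMIC_EXEC:
            callee = _dotted_name(node.func)
            # Look inside the exec()/eval() argument for a b64decode call.
            inner = {_dotted_name(n.func) for n in ast.walk(node) if isinstance(n, ast.Call)}
            if any(name.endswith("b64decode") for name in inner):
                findings.append((node.lineno, f"{callee}() of Base64-decoded data"))
            else:
                findings.append((node.lineno, f"dynamic {callee}() call"))
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .py file under root; returns {path: findings} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read(), path)
                if hits:
                    report[path] = hits
    return report


# Constructed samples. The "payload" is a harmless print padded so the literal
# is long enough to trip the threshold; nothing here is real malware.
CLEAN_SETUP = "from setuptools import setup\n\nsetup(name='demo', version='1.0')\n"
_BLOB = base64.b64encode(b"print('hello')\n" + b"#" * 200).decode()
TROJANED_SETUP = CLEAN_SETUP + f"\nimport base64\nexec(base64.b64decode('{_BLOB}'))\n"

if __name__ == "__main__":
    for line, what in scan_source(TROJANED_SETUP, "setup.py"):
        print(f"setup.py:{line}: {what}")
```

Running scan_tree over a fresh clone before the first pip install is the practical use: setup.py and the entry points named above are where the campaign appends its stub, and ast-based matching is not fooled by whitespace or string-concatenation tricks that defeat a plain grep for "exec(".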
Blockchain-Based Command and Control: A Resilient Infrastructure
A defining characteristic of this campaign is its reliance on the Solana blockchain as a Command-and-Control (C2) mechanism. Instead of traditional servers, attackers store payload URLs within transaction memo fields tied to specific wallet addresses.
Analysis reveals that activity linked to the primary wallet began as early as November 27, 2025, months before repository compromises were observed. The wallet has processed dozens of transactions, with payload locations updated frequently, sometimes multiple times per day. This decentralized approach enhances resilience and complicates takedown efforts.
Expanding the Attack Surface: npm and Cross-Ecosystem Infections
The campaign has extended beyond Python ecosystems into JavaScript supply chains. Two React Native npm packages, react-native-international-phone-number (version 0.11.8) and react-native-country-select (version 0.3.91), were temporarily compromised and distributed with embedded malware.
These malicious versions introduced preinstall hooks executing obfuscated JavaScript that initiates a similar infection chain. The malware again avoids Russian systems, retrieves payload instructions via a Solana wallet, and deploys platform-specific threats.
Execution occurs entirely in memory using runtime techniques such as eval() or Node.js sandboxing, leaving minimal forensic artifacts on disk. Additionally, the malware writes a timestamp locally and skips re-execution for 48 hours; this limits its noise on a host and also serves as an infection marker worth looking for on suspect machines.
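An audit of npm package manifests for the lifecycle hooks described above, as an added example that is not part of the original article or the researchers' tooling. It lists every preinstall, install, postinstall, or prepare script a package declares, annotates each with assumed risk heuristics (inline node -e, eval, download-to-interpreter pipes, Base64 mentions), and can walk an installed node_modules tree. The two manifests are constructed and use a hypothetical package name, not the packages named above.

```python
"""Audit package.json lifecycle scripts that run code during `npm install`."""
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Each pattern names a reason a hook deserves a look. Assumed heuristics.
RISKY_PATTERNS = (
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "inline node -e script"),
    (re.compile(r"\beval\b|\bFunction\("), "dynamic code evaluation"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b"), "download piped to an interpreter"),
    (re.compile(r"base64"), "mentions base64"),
)


def audit_manifest(manifest_text: str) -> list:
    """Return one finding per lifecycle hook present in the manifest."""
    pkg = json.loads(manifest_text)
    scripts = pkg.get("scripts") or {}
    ident = f"{pkg.get('name', '?')}@{pkg.get('version', '?')}"
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for rx, why in RISKY_PATTERNS if rx.search(cmd)]
        findings.append({"package": ident, "hook": hook, "command": cmd, "reasons": reasons})
    return findings


def audit_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and audit every package manifest."""
    results = []
    for dirpath, _, names in os.walk(root):
        if "package.json" in names:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    results.extend(audit_manifest(fh.read()))
                except (ValueError, AttributeError):
                    pass  # malformed manifest; skip rather than abort the walk
    return results


# Constructed manifests for a hypothetical package. The trojanized one carries
# a harmless Base64-wrapped console.log, not real malware.
CLEAN_MANIFEST = json.dumps({
    "name": "example-widget", "version": "1.2.3",
    "scripts": {"test": "jest", "build": "tsc -p ."},
})
TROJANED_MANIFEST = json.dumps({
    "name": "example-widget", "version": "1.2.4",
    "scripts": {
        "test": "jest",
        "preinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=','base64').toString())\"",
    },
})

if __name__ == "__main__":
    for f in audit_manifest(TROJANED_MANIFEST):
        print(f["package"], f["hook"], f["reasons"])
```

Every hook is reported, not only the ones matching a heuristic, because a postinstall that runs a bundled build script is common for native modules and still deserves a glance. The blunt mitigation is to install with npm install --ignore-scripts (or npm config set ignore-scripts true) and run the few legitimate build hooks deliberately; note that npm ci runs lifecycle scripts too.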
Advanced Evasion and Distribution Tactics
Recent iterations of GlassWorm demonstrate increased sophistication in delivery and concealment. By listing a malicious extension in the extensionPack or extensionDependencies field of another extension's manifest, attackers have it installed automatically alongside a trusted extension, so the payload spreads transitively through the extension ecosystem without the victim ever choosing to install it.
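A way to see what an extension install actually pulls in once those manifest fields are followed transitively, as an added example that is not part of the original article or the researchers' tooling. It reads VS Code-style extension manifests (the extension id is publisher.name, and extensionPack and extensionDependencies list other ids), computes the install closure of a root extension with the chain that explains each entry, and answers the reverse question of which extensions would introduce a given one. The four manifests are constructed for hypothetical extensions.

```python
"""Transitive closure of IDE extension installs via extensionPack / extensionDependencies."""
import json
from collections import deque

TRANSITIVE_KEYS = ("extensionPack", "extensionDependencies")


def load_graph(manifest_texts) -> dict:
    """Map each extension id (publisher.name, lower-cased) to the ids its manifest pulls in."""
    graph = {}
    for text in manifest_texts:
        m = json.loads(text)
        ext_id = f"{m['publisher']}.{m['name']}".lower()
        pulled = set()
        for key in TRANSITIVE_KEYS:
            pulled.update(x.lower() for x in m.get(key, []))
        graph[ext_id] = pulled
    return graph


def install_closure(graph: dict, root: str) -> dict:
    """Everything installed by installing `root`, each with the chain that causes it."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        # An id missing from graph has no manifest on hand: it still appears in
        # the closure, which is exactly the unreviewed case to worry about.
        for dep in sorted(graph.get(cur, ())):
            if dep not in chains:
                chains[dep] = chains[cur] + [dep]
                queue.append(dep)
    return chains


def introducers(graph: dict, target: str) -> list:
    """Extensions that, if installed, transitively bring in `target`."""
    return sorted(r for r in graph if r != target and target in install_closure(graph, r))


# Constructed manifests for four hypothetical extensions: a theme pack that
# bundles a helper, which in turn depends on the extension under suspicion.
MANIFESTS = [
    json.dumps({"publisher": "acme", "name": "theme-pack",
                "extensionPack": ["acme.icons", "helper.util"]}),
    json.dumps({"publisher": "acme", "name": "icons"}),
    json.dumps({"publisher": "helper", "name": "util",
                "extensionDependencies": ["suspect.tool"]}),
    json.dumps({"publisher": "suspect", "name": "tool"}),
]

if __name__ == "__main__":
    g = load_graph(MANIFESTS)
    for ext, chain in install_closure(g, "acme.theme-pack").items():
        print(ext, "<-", " -> ".join(chain))
    print("introducers of suspect.tool:", introducers(g, "suspect.tool"))
```

Feeding it the package.json of every folder under the IDE's extensions directory turns a flat list of installed extensions into an explanation of why each one is there, which is the question to ask when one of them turns out to be malicious.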
Earlier campaigns linked to the same threat actor compromised over 151 GitHub repositories using invisible Unicode characters to hide malicious code. Despite varied obfuscation and delivery strategies, all campaigns consistently rely on the same Solana-based infrastructure, confirming a unified operational framework.
Malicious IDE Extensions: Targeting Developer Environments
The campaign has also infiltrated development tools through a rogue extension identified as reditorsupporter.r-vscode-2.8.8-universal, targeting the Windsurf IDE. Disguised as an R language support plugin, it deploys a Node.js-based information stealer.
Once installed, the extension retrieves encrypted payloads from blockchain transactions, executes them in memory, and deploys compiled components to extract sensitive data from Chromium-based browsers. Persistence is achieved through scheduled tasks and Windows Registry modifications, ensuring execution upon system startup.
The malware specifically targets developer environments while excluding Russian systems, mirroring behavior observed across other GlassWorm variants.
Indicators of Scale and Impact
Security analysis puts the campaign's footprint at more than 433 compromised projects across multiple platforms. These include GitHub repositories (Python and JavaScript), VS Code extensions, and npm libraries.
All infection paths ultimately converge on the deployment of a JavaScript-based information stealer, highlighting a consistent end goal of credential harvesting and data exfiltration.
- Over 433 confirmed compromised projects and packages
- Multiple delivery vectors including GitHub, npm, and IDE extensions
- Consistent use of Solana blockchain infrastructure for payload delivery
- Repeated exclusion of Russian systems across all variants
Strategic Assessment: A New Era of Supply Chain Attacks
The ForceMemo campaign represents a significant escalation in software supply chain threats. Its combination of stealthy Git history manipulation, blockchain-based C2 infrastructure, and cross-platform infection vectors demonstrates a high level of operational maturity.
The reuse of infrastructure alongside evolving delivery mechanisms indicates an adaptive adversary capable of scaling attacks while maintaining persistence and evasion. This shift from isolated compromises to coordinated, multi-ecosystem intrusions underscores the growing risk facing modern development environments and open-source communities.