
Hundreds of GitHub and npm repositories, and dozens of extensions for VS Code and other code editors, have been compromised in a new massive wave of the GlassWorm supply chain attack. Thousands of developers are at risk, with the latest victims being popular React Native packages with over 130,000 monthly downloads.
Security researchers are warning about a massive supply chain attack spreading on popular code platforms and marketplaces. Cybercriminals operating under the GlassWorm banner, likely originating from Russia, have already compromised hundreds of repositories and coding tool extensions.
A simple update, initiated by developers or their AI assistants, can silently pull in the malware that targets crypto wallets and steals credentials. The attackers later use victims’ own accounts to inject malware into new repositories. This exposes everyone who depends on the compromised code.
Security researchers warn that two popular React Native npm packages, maintained by “AstrOOnauta”, were among the latest to fall victim:
- [email protected], which has 42,589 monthly downloads
- [email protected], which has 92,298 monthly downloads
“Both releases added an identical install-time loader that fetches and executes a multi-stage Windows credential and crypto stealer, triggered by nothing more than a routine npm install,” the report by Aikido reads.
StepSecurity noted that even after the compromise was detected, the attackers maintained access and published updated malicious versions.
“We are not sure what is happening; it must be some kind of NPM token leak. Anyway, I removed all the NPM tokens, so this shouldn't happen again,” the maintainer AstrOOnauta confirmed.
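The loader described above runs because npm executes a package's install-time lifecycle scripts automatically during a routine `npm install`. The following Python check, an added example that is not code from the article, Aikido, StepSecurity or the affected packages, reads a package.json and reports those hooks, and diffs two versions of a manifest so that a hook appearing in a new release stands out. The manifests and the `scripts/setup.js` path are constructed samples.

```python
"""Report install-time lifecycle scripts declared in an npm package.json.

Example code added to this article; not from any vendor or package named
in it. Sample manifests below are constructed.
"""
import json

# Hooks npm runs automatically when the package is installed as a
# dependency from the registry. ("prepare" runs for git/local installs
# only, so it is not listed here.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample manifests: a clean release and a later release that
# adds an install-time loader.
CLEAN_MANIFEST = json.dumps({
    "name": "example-clean-pkg",            # constructed name
    "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-clean-pkg",
    "version": "1.0.1",
    "scripts": {
        "test": "jest",
        "build": "tsc",
        "postinstall": "node ./scripts/setup.js",  # constructed hook
    },
})


def find_install_hooks(manifest_text: str) -> dict:
    """Return {hook_name: command} for every install-time script."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def new_install_hooks(old_manifest_text: str, new_manifest_text: str) -> dict:
    """Return hooks that are new or changed in the newer manifest.

    A release that gains a postinstall script it never had before is the
    pattern worth reviewing before upgrading.
    """
    old = find_install_hooks(old_manifest_text)
    new = find_install_hooks(new_manifest_text)
    return {name: cmd for name, cmd in new.items() if old.get(name) != cmd}


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, find_install_hooks(text))
    print("added in 1.0.1:", new_install_hooks(CLEAN_MANIFEST, SUSPICIOUS_MANIFEST))
```

A postinstall hook is not proof of compromise, since many legitimate packages use one to build native code, but a hook that appears between two versions of a package with no matching change in its source deserves a look before the upgrade is merged. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops these hooks from running at all, at the cost of having to run any needed build steps by hand.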
Hundreds more compromised repositories
Over the past week, security researchers have listed many more similar cases.
Aikido identified “at least 151 matching repositories” on GitHub containing the malware decoder pattern. The most notable one was pedronauck/reworm with 1,460 stars. Five other repos had several dozen stars each.
“The campaign has also expanded beyond GitHub. We are now seeing the same technique deployed in npm and the VS Code marketplace, suggesting GlassWorm is operating a coordinated, multi-ecosystem push,” Aikido researchers said.
Open VSX marketplace was found to contain at least 72 malicious extensions for code editing software, impersonating popular coding tools and developer utilities, such as ESLint, Prettier, Flutter, and even AI coding tools like Claude Code and Codex.
The Socket Research Team published the list and warned that several of the extensions displayed download counts running into the thousands.
StepSecurity warned about hundreds more compromised repositories on GitHub.
“Because the attacker uses the compromised account's own credentials, the push appears to come from the repo owner.”
BleepingComputer counted at least 433 repositories across multiple platforms.
The researchers suspect a Russian threat actor to be behind the campaign.
“In the observed cases, the malware first checks if the system is Russian – examining locale settings, timezone, and UTC offset. If the system is Russian, execution is skipped entirely,” StepSecurity writes.
The hackers hide malicious code using invisible Unicode characters – it looks like an empty string in the source file.
The attackers inject malware by force-pushing, rewriting git history while preserving the original commit message and timestamp, so the repository appears completely untouched. For command and control, GlassWorm relies on the Solana blockchain, making it extremely resilient to takedown.
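Code hidden with invisible Unicode characters, as described above, survives a visual review because the editor renders nothing for it. The scanner below is an added example, not code from the article or any of the researchers it cites: it walks a source text and reports every format-class (Unicode category Cf) character, Hangul filler and variation selector with its line, column and name, which is what a pre-commit or CI check would need. The two source samples are constructed.

```python
"""Locate invisible Unicode code points hiding in source text.

Example code added to this article; not from any vendor or project
named in it. The sample inputs are constructed.
"""
import unicodedata

# Code points that render as nothing (or as blank) in most editors yet are
# legal inside a string literal. Hangul fillers and variation selectors
# are not category Cf, so they are listed explicitly.
HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_invisible(cp: int) -> bool:
    """True for code points that should not appear in reviewed source."""
    if cp in HANGUL_FILLERS:
        return True
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES):
        return True
    # Cf covers zero-width space/joiner, bidi controls, soft hyphen and the
    # tag characters U+E0000..U+E007F.
    return unicodedata.category(chr(cp)) == "Cf"


def scan_source(text: str) -> list:
    """Return (line, column, 'U+XXXX', name) for every invisible code point."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_invisible(cp):
                findings.append(
                    (lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "<unnamed>"))
                )
    return findings


def count_by_codepoint(findings: list) -> dict:
    """Summarise findings as {'U+XXXX': count}; useful for a CI report."""
    counts = {}
    for _, _, cp_label, _ in findings:
        counts[cp_label] = counts.get(cp_label, 0) + 1
    return counts


# Constructed samples: an ordinary file and one whose "empty" string
# literal carries a zero-width space, a tag character and a variation
# selector.
CLEAN_SOURCE = 'const x = "";\nmodule.exports = x;\n'
HIDDEN_SOURCE = 'const x = "\u200b\U000E0041\U000E0100";\nmodule.exports = x;\n'


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SOURCE), ("hidden", HIDDEN_SOURCE)):
        hits = scan_source(src)
        print(label, count_by_codepoint(hits))
        for hit in hits:
            print("  line %d col %d %s %s" % hit)
```

Run over a repository this produces the per-file hit list; a nonzero count in a source file is worth a block, since legitimate code rarely needs any of these characters outside localisation data. History rewrites, the other evasion in the paragraph, are invisible to a content scanner; for those the signal is a previously fetched commit no longer being an ancestor of the branch after a fresh fetch (`git merge-base --is-ancestor <old-head> origin/<branch>` returning nonzero).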
StepSecurity found a funding wallet linked to the attackers holding over $18,000 worth of cryptocurrency, suggesting a well-resourced operation.
While extension marketplaces have removed the majority of malicious extensions, many of the compromised repositories remain on GitHub. Security researchers warn that attackers are capable of compromising new repositories within minutes.
Fifth wave: GlassWorm is evolving
The current attack is the fifth wave of the GlassWorm campaign, run by the same threat actors targeting developers on popular extension marketplaces and collaboration platforms.
Initially, the malware only targeted Windows systems. Later, it also switched to compromising developers on macOS.
The malware is capable of targeting 50 browser extensions and desktop wallets, including MetaMask, Phantom, Coinbase Wallet, Exodus, and many others. For replication, it steals GitHub tokens, git credentials, NPM tokens, and the entire SSH directory.
The Mac version can exfiltrate macOS Keychain passwords, raw database files, VPN configurations, browser cookies, and local storage from various browsers.
In the fifth and largest wave, GlassWorm also focuses on developers building with AI tools. It is infiltrating MCP servers, small add-ons that give AI assistants such as Claude or Cursor additional capabilities, like searching the web, reading files, and reading emails.
GlassWorm was used to publish a fake version of a popular legitimate MCP server to npm under a similar name. If a developer installs it, malware gains full access to the system.
“Five waves. Five months. One relentless threat actor,” Koi Security said in a new report.
“What makes this scary isn’t just the scale – it’s the cover story. Each malicious commit comes wrapped in what looks like a normal contribution: a documentation update, a version bump, a small bug fix. The changes are project-specific. They match the coding style of each repository. At 150+ repos, there's no way a human is handcrafting each one. GlassWorm is almost certainly using LLMs to generate convincing camouflage for each injection.”