The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions.

Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm.

Evidence of a single threat actor running the GlassWorm campaigns across multiple open-source repositories is provided by the use of the same Solana blockchain address used for command-and-control (C2) activity, identical or functionally similar payloads, and shared infrastructure.