{"id":233533,"date":"2026-03-18T02:19:28","date_gmt":"2026-03-18T07:19:28","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/03\/glassworm-malware-hits-400-code-repos-on-github-npm-vscode-openvsx"},"modified":"2026-03-18T02:19:28","modified_gmt":"2026-03-18T07:19:28","slug":"glassworm-malware-hits-400-code-repos-on-github-npm-vscode-openvsx","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/03\/glassworm-malware-hits-400-code-repos-on-github-npm-vscode-openvsx","title":{"rendered":"GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/glassworm-malware-hits-400-code-repos-on-github-npm-vscode-openvsx2.jpg\"><\/a><\/p>\n<p>The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode\/OpenVSX extensions.<\/p>\n<p>Researchers at <a href=\"https:\/\/www.aikido.dev\/blog\/glassworm-returns-unicode-attack-github-npm-vscode\" target=\"_blank\" rel=\"nofollow noopener\">Aikido<\/a>, <a href=\"https:\/\/socket.dev\/blog\/open-vsx-transitive-glassworm-campaign\" target=\"_blank\" rel=\"nofollow noopener\">Socket<\/a>, <a href=\"https:\/\/www.stepsecurity.io\/blog\/forcememo-hundreds-of-github-python-repos-compromised-via-account-takeover-and-force-push\" target=\"_blank\" rel=\"nofollow noopener\">Step Security<\/a>, and the <a href=\"https:\/\/opensourcemalware.com\/blog\/four-arms-one-monster\" target=\"_blank\" rel=\"nofollow noopener\">OpenSourceMalware<\/a> community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm.<\/p>\n<p>Evidence of a single threat actor running the GlassWorm campaigns across multiple open-source repositories is provided by the use of the same Solana blockchain address used for command-and-control (C2) activity, identical or functionally similar payloads, and shared infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode\/OpenVSX extensions. Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm. Evidence of a single threat actor running [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3818,34],"tags":[],"class_list":["post-233533","post","type-post","status-publish","format-standard","hentry","category-blockchains","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/233533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=233533"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/233533\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=233533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=233533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=233533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}