A large-scale supply chain attack linked to the GlassWorm malware campaign has compromised more than 400 code repositories, packages, and extensions across developer platforms including GitHub, npm, and Visual Studio Code. (BleepingComputer)

Security researchers warn that the campaign represents a significant escalation in attacks targeting open-source ecosystems widely used by developers worldwide.

The latest wave of GlassWorm activity leverages stealth techniques to inject malicious code into trusted software components, making detection particularly difficult. The malware has been observed spreading through repositories, packages, and extensions, increasing its reach across multiple development environments. (BleepingComputer)

Hidden malware using invisible code

One of the campaign’s most concerning techniques involves the use of invisible Unicode characters to conceal malicious payloads inside seemingly harmless code. These characters appear blank in most editors and code review tools, allowing attackers to hide executable instructions in plain sight. (Aikido)

When executed, the hidden code can decode and run malicious scripts, often using functions like eval() to deploy further payloads. In some cases, second-stage malware is fetched from decentralized infrastructure such as blockchain networks, complicating takedown efforts. (Tom's Hardware)

Targeting developers and software supply chains

The attack primarily targets developers by compromising tools and dependencies they trust. Malicious packages and extensions often impersonate legitimate utilities—such as linters, formatters, or AI coding assistants—making them more likely to be installed. (The Hacker News)

Once installed, GlassWorm can steal sensitive data, including authentication tokens, credentials, and other secrets. Earlier variants have also been linked to credential theft from developer platforms and cryptocurrency-related assets. (SecurityWeek)

Because many development tools automatically update dependencies and extensions, infected components can spread quickly without user awareness, amplifying the impact of the attack.

Ongoing and evolving threat

GlassWorm has been active since at least 2025 and continues to evolve, with attackers refining their techniques to evade detection and expand distribution channels. (Tom's Hardware)

Recent findings suggest the campaign may also use tactics such as disguised commits and automated changes to make malicious updates appear legitimate, further complicating detection efforts.

Growing supply chain risks

The incident highlights the increasing risks within the software supply chain, where a single compromised package or extension can impact thousands of downstream projects.

Security experts advise developers to:

Carefully vet third-party dependencies

Use tools to detect hidden or obfuscated code

Monitor repositories and packages for unusual changes

Bottom line

The GlassWorm campaign underscores how attackers are shifting focus toward developer ecosystems, exploiting trust in open-source software to distribute malware at scale. With hundreds of repositories already affected, the attack serves as a reminder that even widely trusted platforms are not immune to sophisticated supply chain threats.