Glassworm Malware Campaign Uses Invisible Code To Infect Hundreds Of GitHub Repos

The GlassWorm malware made news when it pivoted from exclusively targeting Windows users to also targeting macOS users in January, and in the time since, the campaign has spread across at least 413 code repositories on npm, VSCode, OpenVSX, and even GitHub. The evidence points to a single threat actor, since all of the affected repositories are connected to the same Solana blockchain address, and some evidence (such as GlassWorm remaining dormant on projects that appear to be based in Russia) may also point toward Russia or Russian state-sponsored actors being responsible. That evidence is circumstantial at best, but it does reflect the worrying trend of state-sponsored cybercrime.

Per the coverage from Bleeping Computer and several research teams, GlassWorm targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data. With this information, GlassWorm can enable cryptocurrency theft or further attacks on the developers of infected code repositories. It is likely the largest-scale attack on independent software development efforts, skipping the usual vectors of browser extensions, ads, and commercial apps entirely and instead making the development environment itself unsafe for its users.

Image Credit: Step Security via BleepingComputer

Fortunately, GlassWorm can be detected, especially in the development environments it now targets. Developers are advised to search recently cloned projects for suspicious i.js files, review Git commit histories for anomalies, and check systems for the ~/init.json file that the malware uses for persistence. Step Security in particular advises developers who install Python packages from GitHub or run closed repositories to search their codebase for the marker variable "lzcdrtfxyqiplpd", which is an indicator of GlassWorm.
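The three file-level checks above (i.js files, the "lzcdrtfxyqiplpd" marker, and ~/init.json) are easy to script. The following is an added example written for this article, not code from Bleeping Computer or Step Security; the scanner, the decision to skip .git, and the constructed sample tree are all assumptions of the example, and the home directory is a parameter so the persistence check can be run against a test directory.

```python
import os
import tempfile
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"      # marker variable name given by Step Security
SUSPECT_FILENAME = "i.js"       # loader file name named in the coverage
PERSISTENCE_FILE = "init.json"  # checked under the home directory (~/init.json)


def scan_project(root, home=None):
    """Return sorted (kind, path) findings; kind is 'i.js', 'marker' or 'persistence'.

    `home` defaults to the real home directory; it is a parameter so the
    ~/init.json check can be exercised against a constructed directory.
    """
    root = Path(root)
    home = Path(home) if home is not None else Path.home()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # commit history is reviewed separately
        for name in filenames:
            path = Path(dirpath) / name
            if name == SUSPECT_FILENAME:
                findings.append(("i.js", str(path)))
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if MARKER in text:
                findings.append(("marker", str(path)))
    persistence = home / PERSISTENCE_FILE
    if persistence.is_file():
        findings.append(("persistence", str(persistence)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a tiny clone with each indicator planted, plus a fake home dir."""
    project = Path(tempfile.mkdtemp(prefix="glassworm-demo-"))
    (project / "src").mkdir()
    (project / "src" / "i.js").write_text("// constructed stand-in, not real malware\n")
    (project / "src" / "index.js").write_text("var lzcdrtfxyqiplpd = 1; // constructed\n")
    (project / "README.md").write_text("clean file\n")
    home = Path(tempfile.mkdtemp(prefix="glassworm-home-"))
    (home / "init.json").write_text("{}\n")
    return project, home


if __name__ == "__main__":
    project, home = build_sample_tree()
    for kind, path in scan_project(project, home=home):
        print(f"{kind:12} {path}")
```

Point `scan_project` at a real clone (and leave `home` unset) to check a working directory; a hit is a reason to review the repository's commit history, not proof on its own.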

As highlighted by Bleeping Computer's coverage, GlassWorm is not some immortal specter hovering over the development community; it can be defeated with enough education about its trademark tells and behaviors. But it does demonstrate that independent developers, not just end users, are vulnerable to cyber attacks.

Image Credit: Bleeping Computer
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.