Executive Summary
A Cyber Security News report published on 27 May 2026 detailed an ongoing Glassworm malware campaign targeting software developers through trusted development platforms, including npm, PyPI, OpenVSX, and GitHub. The campaign first surfaced in October 2025 through malicious Visual Studio Code and OpenVSX extensions and has since expanded into Python repositories, React Native npm packages, and AI-related development tooling. The campaign poses downstream risk because a compromised developer workstation could expose connected repositories, cloud infrastructure, and organizational secrets.
Key Takeaways
- Glassworm malware targets developer credentials and secrets, including GitHub tokens, cloud credentials, SSH keys, API tokens, cryptocurrency wallet data, and browser session data.
- The malware can use stolen GitHub tokens to force-push malicious code into repositories linked to the victim’s account while preserving original commit metadata.
- Two hijacked React Native npm packages reportedly received more than 30,000 combined weekly downloads before being identified as malicious.
- The malware uses the Solana blockchain as a command-and-control channel by reading payload instructions from transaction memos tied to a specific wallet.
- Observed stealth techniques include invisible Unicode characters embedded in source code, multi-stage payloads, encrypted final payloads, and persistence through a WebSocket-based backdoor.
Mitigation Options
Cyber Security News provided the following mitigations:
- Security teams should audit all installed VS Code extensions and remove anything unrecognized.
- Developers are advised to rotate GitHub tokens and cloud credentials on any system that may have been exposed.
- Enable multi-factor authentication across all developer platforms.
- Organizations should also watch outbound connections to Solana RPC endpoints or unknown IP addresses, as this kind of traffic has no place in a normal development pipeline.
IOCs
Cyber Security News has provided the following list of indicators of compromise (IOCs):
| Type | Indicator | Description |
| --- | --- | --- |
| Solana Wallet (C2) | BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC | Primary Solana blockchain C2 address used to receive payload instructions via transaction memos |
| Solana Wallet (Funding) | G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t | Funding wallet that seeded the C2 address; holds approximately 495 SOL |
| IP Address | 45[.]32[.]151[.]157 | C2 payload server, active December 2025 (Vultr hosting range) |
| IP Address | 45[.]32[.]150[.]97 | C2 payload server, active February 2026 (Vultr hosting range) |
| IP Address | 217[.]69[.]11[.]57 | C2 payload server, active February 2026 (Russian hosting range) |
| IP Address | 217[.]69[.]11[.]99 | C2 payload server, active February–March 2026; C2 server on port 5000, DHT on port 10000 |
| IP Address | 217[.]69[.]0[.]159 | C2 payload server, active March 2026 (confirmed by live monitoring) |
| IP Address | 45[.]76[.]44[.]240 | C2 payload server, active March 2026 (Vultr hosting range) |
| File | ~/init[.]json | Persistence file created by the malware to prevent repeated execution within two days |
| File | i[.]js | JavaScript payload file written to the script directory during execution |
| File | /tmp/ijewf | Temporary file artifact dropped during infection |
| File | /tmp/out[.]zip | Temporary archive artifact dropped during infection |
| Code Marker | lzcdrtfxyqiplpd | Base64 payload variable name used as a fingerprint across all compromised Python repos |
| XOR Key | 134 | XOR decryption key used in the three-layer obfuscation scheme |
| Malicious Package | react-native-country-select v0[.]3[.]91 | Hijacked React Native npm package delivering multi-stage malware (~20,000 weekly downloads) |
| Malicious Package | react-native-international-phone-number v0[.]11[.]8 | Hijacked React Native npm package delivering multi-stage malware (~10,000 weekly downloads) |
| Malicious Extension | quartz[.]quartz-markdown-editor | Abused OpenVSX extension identified in the Glassworm campaign |
| Malicious Extension | oorzc[.]ssh-tools | Abused OpenVSX extension identified in the Glassworm campaign |
| Malicious Extension | oorzc[.]i18n-tools-plus | Abused OpenVSX extension identified in the Glassworm campaign |
| Malicious Extension | oorzc[.]mind-map | Abused OpenVSX extension identified in the Glassworm campaign |
| Malicious Extension | oorzc[.]scss-to-css-compile | Abused OpenVSX extension identified in the Glassworm campaign |
| Malicious Package | @iflow-mcp/watercrawl-watercrawl-mcp | Malicious npm MCP-style package linked to Glassworm campaign |
| Malicious Package | @aifabrix/miso-client | Malicious npm MCP-style package linked to Glassworm campaign |
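As an added example (not code from the report or from the campaign), the Python scanner below hunts a source tree for two of the signals above: runs of invisible Unicode characters embedded in source files, and the `lzcdrtfxyqiplpd` variable-name fingerprint. The set of code points it treats as invisible is a general list chosen for this example; the report does not say which characters Glassworm uses, and the sample input is constructed.

```python
from pathlib import Path

# Code points that render as nothing (or nearly so) in most editors. A general
# list chosen for this example; the report does not say which ones Glassworm uses.
INVISIBLE_RANGES = [
    (0x00AD, 0x00AD),    # soft hyphen
    (0x200B, 0x200F),    # zero-width space / joiners, LRM and RLM
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space (legitimate at file start)
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]
# Base64 payload variable name reported as a fingerprint across compromised repos.
GLASSWORM_MARKER = "lzcdrtfxyqiplpd"
# Constructed sample (not a real Glassworm file): a zero-width run plus the marker.
SAMPLE = "x = 1\u200b\u200b\u200b\nimport base64\nlzcdrtfxyqiplpd = 'QUJD'\n"

def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_text(text, name="<memory>"):
    """One finding per line carrying the marker, one per run of invisible characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if GLASSWORM_MARKER in line:
            findings.append({"file": name, "line": lineno, "kind": "marker",
                             "detail": GLASSWORM_MARKER})
        start = None
        for col, ch in enumerate(line + "\n"):  # newline sentinel flushes a trailing run
            if is_invisible(ch):
                start = col if start is None else start
            elif start is not None:
                run = line[start:col]
                findings.append({"file": name, "line": lineno, "kind": "invisible",
                                 "col": start + 1, "count": len(run),
                                 "codepoints": sorted({f"U+{ord(c):04X}" for c in run})})
                start = None
    return findings

def scan_tree(root, suffixes=(".py", ".js", ".ts", ".json")):
    """Scan every source file under root; returns the combined findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings
```

A hit on the marker is a strong signal; a run of invisible characters needs review, since a BOM at file start or bidi controls in genuine right-to-left text strings are benign.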


