The infamous GlassWorm malware has infected dozens more Open VSX software packages, according to new research.
GlassWorm is a family of malware that first emerged last year. Its aim is to infect software developers with infostealers and then turn the stolen credentials into downstream attacks: a developer downloads a component poisoned by GlassWorm, the malware steals secrets and credentials, and the attacker uses that access to publish poisoned versions of the projects that victim maintains. Downstream users then download those poisoned packages, and the cycle repeats.
GlassWorm will also impersonate well-known software packages in an effort to trick developers and end users into installing a malicious application.
GlassWorm primarily targets extensions on Open VSX — an open source alternative to Microsoft's Visual Studio Marketplace. It's not just Microsoft and Open VSX credentials being targeted; GlassWorm has historically stolen NPM, GitHub, and Git credentials, as well as cryptocurrency wallets, macOS system data, Web browser data, keychain databases, Apple Notes databases, Safari cookies, VPN configurations, and more.
GlassWorm also sits in the lineage of the Shai-Hulud self-replicating malware that targeted the NPM ecosystem (and of its successors), though GlassWorm is technically not self-replicating in the same sense: it depends on the attacker using stolen credentials to publish new poisoned packages rather than republishing itself. Since the summer, threat actors have aggressively targeted the open source development community with these worms and show no signs of slowing down.
Software development security vendor Socket on March 13 published research on 72 malicious Open VSX extensions linked to the GlassWorm campaign. While GlassWorm was already considered stealthy, the recent infections suggest it has evolved further.
GlassWorm Now Uses Transitive Dependencies
Much of the evasion trickery seen in earlier GlassWorm iterations remains, Socket's research team said. That includes staged JavaScript-based loaders, geofencing to avoid Russian victims, Solana blockchain transaction memos used to locate the command-and-control server (keeping the C2 address one step removed from the poisoned packages themselves), and in-memory execution of follow-on code. The difference is that "they now rotate infrastructure and loader logic more aggressively," Socket's blog read.
But the most important shift is GlassWorm's move to transitive loader delivery. The malicious listings declare other extensions in the extensionPack and extensionDependencies fields of their package.json manifest, and the marketplace installs those declared extensions alongside the listing. A poisoned extension may therefore look clean at first because the loader is not among its own files; instead, a declared dependency pulls the loader in, putting yet another layer of indirection between the listing a developer inspects and the infostealer that eventually runs. Socket called this an evolution of the malware as well as a "significant escalation in how it spreads through Open VSX."
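The practical consequence of transitive delivery is that reviewing a single extension's files is no longer enough: the dependency graph has to be walked. The following script, added here as an illustration and not taken from Socket's research or from any GlassWorm sample, resolves the transitive closure of extensionPack and extensionDependencies entries across a set of manifests and flags every extension that arrives from a publisher outside an allowlist. The extension IDs, publishers and manifests in it are constructed for the example (they are not the 72 listings Socket reported), and the publisher allowlist is an assumption about how a team might decide what is trusted; the only facts it relies on are that both fields hold "publisher.name" strings and that a VSIX is a zip archive with the manifest at extension/package.json.

```python
import json
import zipfile
from collections import deque

# Constructed sample manifests (package.json contents) keyed by extension ID
# "publisher.name". These IDs and publishers are hypothetical.
SAMPLE_MANIFESTS = {
    "good-pub.theme-pack": {
        "name": "theme-pack",
        "publisher": "good-pub",
        # extensionPack entries are installed together with this listing.
        "extensionPack": ["good-pub.icons", "unknown-pub.helper"],
    },
    "good-pub.icons": {"name": "icons", "publisher": "good-pub"},
    "unknown-pub.helper": {
        "name": "helper",
        "publisher": "unknown-pub",
        # extensionDependencies are installed (and activated) before this one.
        "extensionDependencies": ["unknown-pub.loader"],
    },
    "unknown-pub.loader": {
        "name": "loader",
        "publisher": "unknown-pub",
        "main": "./out/extension.js",  # the only node in the graph with code
    },
}

TRANSITIVE_FIELDS = ("extensionPack", "extensionDependencies")


def manifest_from_vsix(path):
    """Read package.json out of a downloaded .vsix (a zip archive)."""
    with zipfile.ZipFile(path) as archive:
        return json.loads(archive.read("extension/package.json"))


def direct_deps(manifest):
    """Extension IDs a manifest pulls in through either transitive field."""
    deps = []
    for field in TRANSITIVE_FIELDS:
        for dep in manifest.get(field, []):
            if dep not in deps:
                deps.append(dep)
    return deps


def resolve_transitive(root_id, manifests):
    """Breadth-first walk of the dependency graph starting at root_id.

    Returns (chains, missing): chains maps every extension that would be
    installed to the path of IDs that drags it in; missing lists IDs that
    are declared but absent from the local snapshot (the marketplace would
    still resolve them at install time, so they count as pulled in).
    """
    chains, missing = {}, []
    queue = deque((dep, [root_id, dep]) for dep in direct_deps(manifests[root_id]))
    while queue:
        dep_id, chain = queue.popleft()
        if dep_id == root_id or dep_id in chains:
            continue  # cycle or already reached by a shorter path
        chains[dep_id] = chain
        manifest = manifests.get(dep_id)
        if manifest is None:
            missing.append(dep_id)
            continue
        for nxt in direct_deps(manifest):
            queue.append((nxt, chain + [nxt]))
    return chains, missing


def flag_untrusted(root_id, manifests, trusted_publishers):
    """Return [(extension_id, chain)] for transitive deps from other publishers."""
    chains, _ = resolve_transitive(root_id, manifests)
    return [
        (dep_id, chain)
        for dep_id, chain in chains.items()
        if dep_id.split(".", 1)[0] not in trusted_publishers
    ]


if __name__ == "__main__":
    for dep_id, chain in flag_untrusted("good-pub.theme-pack", SAMPLE_MANIFESTS, {"good-pub"}):
        runs_code = "main" in SAMPLE_MANIFESTS.get(dep_id, {})
        print(f"{dep_id}: via {' -> '.join(chain)}" + (" [ships code]" if runs_code else ""))
```

In the sample graph the listing a developer would inspect, good-pub.theme-pack, contains no code at all; the only manifest with a main entry point is two hops away, which is exactly the indirection the transitive delivery described above exploits. To apply this to real listings, fetch each referenced VSIX, feed manifest_from_vsix into the manifests dictionary, and treat any unresolved ID in the missing list as unreviewed rather than harmless.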