Between October 2025 and March 2026, a Russian-speaking threat actor deployed GlassWorm - the first self-propagating worm targeting developer toolchains - across 433 compromised components spanning four ecosystems: 72 OpenVSX and VSCode Marketplace extensions, 151+ GitHub JavaScript and TypeScript repositories, approximately 200 GitHub Python repositories, and 10 npm packages.
The campaign used invisible Unicode characters to hide malicious payloads in plain sight, the Solana public blockchain as an uncensorable command-and-control channel, and stolen developer credentials to propagate itself automatically across package registries and code repositories.
The final-stage payload - a full-featured remote access trojan dubbed ZOMBI - drains funds from 49 cryptocurrency wallet browser extensions, deploys SOCKS proxy servers and hidden VNC on infected machines, and harvests every credential it can reach: npm tokens, GitHub tokens, OpenVSX credentials, Git credentials, and SSH keys.
Each compromised developer machine becomes both an intelligence collection point and a launch platform for infecting additional packages. Koi Security researchers exploited an exposed attacker endpoint to recover partial victim data, which was turned over to law enforcement.
Victims span the US, Europe, Asia, South America, and the Middle East, including at least one major government entity.
GlassWorm is the third major supply chain campaign targeting developer infrastructure discovered in March 2026. TeamPCP's CanisterWorm compromised Trivy, Checkmarx KICS, LiteLLM, and Telnyx using ICP blockchain C2 and WAV steganography.
The Axios npm hijack backdoored a package with 100 million weekly downloads using a stolen maintainer token. GlassWorm operates with different TTPs - invisible Unicode injection, Solana blockchain C2, and credential-driven self-propagation - but targets the same ecosystem.
Three independent campaigns. Three different blockchain C2 mechanisms. All targeting the developer supply chain in a single month. Whether coordinated or convergent, the pattern represents a fundamental escalation in supply chain threat operations.
KEY FACTS
- What: Self-propagating developer toolchain worm using invisible Unicode payloads, Solana blockchain C2, and credential-driven automated spreading across VSCode extensions, GitHub repositories, npm packages, and OpenVSX extensions.
- Who: 433 compromised components across 4 ecosystems. 35,800+ confirmed extension installs in the initial October 2025 wave alone. Developers, enterprises, and at least one major government entity affected across the US, Europe, Asia, South America, and the Middle East.
- How: Invisible Unicode character injection using variation selectors (U+FE00-U+FE0F) and supplementary variation selectors (U+E0100-U+E01EF). GitHub account takeover via stolen tokens with force-push rebasing (ForceMemo sub-campaign). Compromised developer account credentials used for automated marketplace publishing.
- Data: npm authentication tokens, GitHub Personal Access Tokens, OpenVSX publisher credentials, Git credentials (~/.git-credentials, git credential fill), SSH keys, GITHUB_TOKEN environment variables, cryptocurrency wallet seed phrases and private keys from 49 browser extensions, system fingerprints, keylogger data.
- Actor: Assessed Russian-speaking with high confidence. Code comments in Russian ("Proverka, nakhoditsya li sistema v Rossii" - checking if the system is in Russia). Malware skips execution on Russian locale/timezone. Uses the RedExt open-source browser extension C2 framework. No formal group name or APT designation assigned by any vendor. Koi Security recovered attacker user IDs for multiple messaging platforms and cryptocurrency exchanges.
- C2 Infrastructure: Triple-layer design. Primary - Solana blockchain wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC (50 transactions documented between November 27, 2025, and March 13, 2026). Fallback - Google Calendar (uhjdclolkdn@gmail.com, URL: https://calendar.app.google/M2ZCvM8ULL56PD1d6). Tertiary - BitTorrent DHT for decentralized command distribution. Direct IP servers rotated through 6 addresses.
- Platform Breakdown: 72 OpenVSX/VSCode Marketplace extensions, 151+ GitHub JavaScript/TypeScript repositories, approximately 200 GitHub Python repositories (ForceMemo), 10 npm packages including react-native-country-select and react-native-international-phone-number.
- Campaign Duration: October 17, 2025 (initial OpenVSX detection) through March 14, 2026 (latest documented wave). Active C2 transactions spanning at least 107 days.
- ZOMBI RAT Capabilities: Hidden VNC (HVNC), SOCKS proxy deployment, WebRTC peer-to-peer communication, BitTorrent DHT command channel, Windows registry persistence (HKCU and HKLM Run keys), 49 cryptocurrency wallet browser extensions targeted, keylogging, credential harvesting.
WHAT HAPPENED
GlassWorm was first detected on October 17, 2025, in a malicious update to the codejoy.codejoy-vscode-extension extension, version 1.8.3, on the Open VSX Registry. Koi Security published the initial technical analysis, with Truesec contributing a complementary deep-dive.
Koi Security identified it as the first self-propagating worm spanning four developer ecosystems simultaneously (VS Code extensions, npm, GitHub, and OpenVSX). Seven OpenVSX extensions had been compromised on October 17, with a combined 35,800 downloads.
Among the compromised extensions was cline-ai-main.cline-ai-agent version 3.1.3, which appeared on the Microsoft VSCode Marketplace itself, not just OpenVSX. The initial compromise vector was developer account takeover: the threat actor obtained legitimate publisher credentials and used them to push malicious updates to existing extensions.
A second wave in November 2025 compromised further OpenVSX extensions, among them yasuyuky.transient-emacs (2,400 downloads). The attacker had posted new Solana blockchain transactions updating the remote C2 endpoints, and all infected machines automatically fetched the new payload location.
This demonstrated a critical property of blockchain-based C2: even if security teams identify and take down every active payload server, the attacker can redirect the entire botnet by posting a single Solana transaction costing a fraction of a cent.
In January and February 2026, The Hacker News reported at least 72 additional malicious OpenVSX extensions discovered since January 31, 2026, all linked to the GlassWorm infrastructure.
Four legitimate extensions that had collectively accumulated over 22,000 downloads prior to compromise were among those hijacked.
The campaign escalated dramatically in March 2026 with coordinated attacks across four platforms simultaneously:
GitHub JavaScript/TypeScript Repositories (March 3-9, 2026): Aikido Security identified at least 151 GitHub repositories containing the invisible Unicode decoder pattern.
The compromises appear to have been partially automated - at the scale of 151+ bespoke code changes across different codebases, manual crafting is infeasible.
Aikido assessed the attacker was leveraging AI-generated code modifications or adapting and force-pushing modified versions of prior legitimate commits.
High-profile targets included pedronauck/reworm (1,460 stars), anomalyco/opencode-bench (56 stars), and wasmer-examples/hono-wasmer-starter.
OpenVSX Extensions (March 2026): The extension side of this wave included quartz.quartz-markdown-editor version 0.3.0.
GitHub Python Repositories - ForceMemo (March 8-13, 2026): StepSecurity identified a parallel sub-campaign they named ForceMemo targeting approximately 200 GitHub Python repositories.
Rather than using invisible Unicode, ForceMemo exploited stolen GitHub tokens harvested by GlassWorm's credential theft module.
The attacker cloned the latest legitimate commit on the default branch, rebased it with obfuscated malware appended to Python files (main.py in approximately 70 repos, setup.py in approximately 25, app.py in approximately 25, manage.py in approximately 20), and force-pushed to replace the default branch.
The attacker fingerprint was distinctive: the committer email was set to the literal string "null," and the committer date was significantly newer than the author date - in one case, amirasaran/request_validator showed a 9-year gap between author date (2017) and committer date (2026).
The force-push ensured no pull request or commit trail was visible in GitHub's UI.
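The two fingerprints above (committer email "null", committer date far newer than author date) are cheap to check mechanically. The following is an added example, not StepSecurity's tooling or anything from the campaign, that flags both in `git log` output; the input format `%H|%ae|%aI|%ce|%cI` and the 30-day gap threshold are this example's assumptions.

```javascript
// Added example, not StepSecurity's tooling: flags the ForceMemo commit
// fingerprint described above in `git log` output. Assumed input format is
// the output of  git log --format='%H|%ae|%aI|%ce|%cI'
// (hash, author email, author date, committer email, committer date).
const MAX_GAP_DAYS = 30; // threshold chosen for this example; tune per repo

function parseLogLine(line) {
  const parts = line.split("|");
  if (parts.length !== 5) throw new Error(`malformed git log line: ${line}`);
  const [hash, authorEmail, authorDate, committerEmail, committerDate] = parts;
  const c = {
    hash, authorEmail, committerEmail,
    authorDate: new Date(authorDate),
    committerDate: new Date(committerDate),
  };
  if (Number.isNaN(c.authorDate.getTime()) || Number.isNaN(c.committerDate.getTime())) {
    throw new Error(`bad date in git log line: ${line}`);
  }
  return c;
}

// Days between author date and committer date; positive when the commit was
// rewritten (rebased, amended, cherry-picked) after it was authored.
function gapDays(commit) {
  return (commit.committerDate - commit.authorDate) / 86_400_000;
}

function findForceMemoCommits(logText, maxGapDays = MAX_GAP_DAYS) {
  return logText
    .split("\n")
    .filter(Boolean)
    .map(parseLogLine)
    .flatMap((c) => {
      const reasons = [];
      if (c.committerEmail === "null") reasons.push('committer email is the literal string "null"');
      const gap = gapDays(c);
      if (gap > maxGapDays) reasons.push(`committer date is ${Math.round(gap)} days after author date`);
      return reasons.length ? [{ hash: c.hash, reasons }] : [];
    });
}

// Constructed sample log: a normal commit, a commit rebased two days after
// authoring (normal), and one carrying the ForceMemo fingerprint.
const sampleLog = [
  "a1b2c3d|dev@example.com|2026-03-01T10:00:00+00:00|dev@example.com|2026-03-01T10:00:00+00:00",
  "d4e5f6a|dev@example.com|2026-02-20T09:00:00+00:00|dev@example.com|2026-02-22T09:00:00+00:00",
  "0f9e8d7|original@example.com|2017-05-10T12:00:00+00:00|null|2026-03-12T04:30:00+00:00",
].join("\n");

console.log(findForceMemoCommits(sampleLog));
```

Run it against `git log --format='%H|%ae|%aI|%ce|%cI' origin/HEAD` for each repository you depend on. Legitimate rebases also open a gap between the two dates, so the "null" committer email is the stronger of the two signals; the gap is what makes a nine-year-old commit with a 2026 committer date stand out.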
npm Package Hijacking (March 2026): Sonatype documented the hijacking of two React Native packages - react-native-country-select (version 0.3.91, approximately 20,000 weekly downloads) and react-native-international-phone-number (version 0.11.8, approximately 10,000 weekly downloads).
Both used the same Solana C2 infrastructure. The maintainer (@AstrOOnauta) promptly deprecated the affected versions after notification.
TECHNICAL ANALYSIS: INVISIBLE UNICODE INJECTION
GlassWorm's signature technique exploits a category of Unicode characters that produce zero visual output in every mainstream code editor, terminal, code review interface, and diff viewer. The attack targets two specific ranges:
Variation selectors (U+FE00 through U+FE0F): 16 characters designed to modify the rendering of preceding characters, invisible when used without a base character.
Variation Selectors Supplement (U+E0100 through U+E01EF): 240 further selectors (VS17 through VS256) in Plane 14, the Supplementary Special-purpose Plane. Some reporting calls these "extended combining marks"; they are not in a Private Use Area, but like the basic selectors they render as nothing in standard fonts.
Together the two ranges give 256 distinct invisible code points, one per byte value, so arbitrary binary data can be encoded as a string of them. The attacker embeds malicious payloads inside JavaScript backtick template literals that appear as empty strings or blank lines to any human reviewer.
GitHub's diff view, VS Code's editor, and standard terminal emulators all render the content as whitespace.
The decoder logic is compact: it reads each invisible character's Unicode code point, maps variation selectors to values 0-15 (by subtracting 0xFE00) and extended marks to values 16-255 (by subtracting 0xE0100 and adding 16), reconstructs the original bytes, and passes the result to eval().
The broader family of invisible-character source attacks was described in the Trojan Source research (CVE-2021-42574, disclosed November 2021), which focused on bidirectional override characters; variation-selector smuggling is a different encoding within the same family, and GlassWorm represents its first documented weaponization at scale in the wild, roughly four years after that disclosure.
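The encoding and the decoder arithmetic described above, together with the scanner a reviewer would want, as an added example; this is not GlassWorm's loader or any published tool. The decoder below returns the recovered text instead of passing it to eval(), and the scanner's run-length threshold is this example's choice.

```javascript
// Added example, not GlassWorm's code: the two invisible ranges described
// above used as a byte alphabet, a decoder with the same arithmetic as the
// loader (returning text instead of feeding eval), and a scanner that flags
// runs of these code points in source text.
//   byte 0x00..0x0F -> U+FE00..U+FE0F   (Variation Selectors, 16 code points)
//   byte 0x10..0xFF -> U+E0100..U+E01EF (Variation Selectors Supplement, 240)
const VS_BASE = 0xfe00;
const VSS_BASE = 0xe0100;

function encodeInvisible(bytes) {
  let out = "";
  for (const b of bytes) {
    out += b < 16
      ? String.fromCodePoint(VS_BASE + b)
      : String.fromCodePoint(VSS_BASE + (b - 16));
  }
  return out;
}

// One code point back to a byte value, or -1 when it is not in either range.
function invisibleToByte(cp) {
  if (cp >= VS_BASE && cp <= VS_BASE + 0x0f) return cp - VS_BASE;
  if (cp >= VSS_BASE && cp <= VSS_BASE + 0xef) return cp - VSS_BASE + 16;
  return -1;
}

// Recovers the hidden bytes; visible characters mixed in are skipped, as a
// loader that reads only the invisible ones would do.
function decodeInvisibleBytes(str) {
  const bytes = [];
  for (const ch of str) { // iterates by code point, not by UTF-16 unit
    const b = invisibleToByte(ch.codePointAt(0));
    if (b >= 0) bytes.push(b);
  }
  return Buffer.from(bytes);
}

function decodeInvisible(str) {
  return decodeInvisibleBytes(str).toString("utf8");
}

// Scanner for code review / CI: reports each run of invisible selectors longer
// than maxRun with 1-based line and column. Legitimate text uses a single
// U+FE0E/U+FE0F after an emoji or CJK character, so the default of 2 keeps
// false positives low; the threshold is this example's choice.
function scanInvisible(source, maxRun = 2) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    let col = 0, run = 0, start = 0;
    const flush = () => {
      if (run > maxRun) findings.push({ line: i + 1, col: start + 1, length: run });
      run = 0;
    };
    for (const ch of line) {
      if (invisibleToByte(ch.codePointAt(0)) >= 0) {
        if (run === 0) start = col;
        run++;
      } else {
        flush();
      }
      col++;
    }
    flush();
  });
  return findings;
}

// Constructed sample: a harmless statement hidden in a template literal that an
// editor shows as an empty string, plus a legitimate emoji variation selector.
const hidden = encodeInvisible(Buffer.from('console.log("hi")', "utf8"));
const sampleSource =
  "const x = 1;\n" +
  "const t = `" + hidden + "`;\n" +
  'const ok = "\u2714\uFE0F";\n';

console.log(JSON.stringify(decodeInvisible(hidden)));
console.log(scanInvisible(sampleSource));
```

Note the scanner walks the string by code point: the supplementary selectors are astral characters, so indexing by UTF-16 unit would mis-count columns and split surrogate pairs.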
TECHNICAL ANALYSIS: SOLANA BLOCKCHAIN C2
GlassWorm uses the Solana public blockchain as its primary command-and-control channel - a design choice that makes the C2 infrastructure decentralized, immutable, and impossible to take down through traditional domain seizure or IP blocking.
The mechanism works as follows: the malware is hardcoded with the attacker's Solana wallet address (BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC). Every five seconds, the malware queries Solana RPC endpoints for recent transactions from this wallet.
When it finds a transaction, it reads the memo field - an arbitrary text field that can be attached to any Solana transaction. The memo contains a JSON object with a Base64-encoded URL pointing to the current payload server.
The malware decodes the URL, downloads the next-stage payload, and executes it.
StepSecurity documented 50 transactions on this wallet between November 27, 2025, and March 13, 2026 - mostly URL updates rotating through six payload server IPs as the attacker moved infrastructure:
- 45.32.151.157 (December 2025)
- 45.32.150.97 (February 2026)
- 217.69.11.57 (February 2026)
- 217.69.11.99 (February-March 2026, C2 on port 5000, DHT on port 10000)
- 217.69.0.159 (March 2026)
- 45.76.44.240 (March 2026)
A transaction on February 25, 2026, exposed a raw C2 configuration: "c2server": "http://217.69.11.99:5000" along with victim fingerprinting and DHT fallback endpoints. The funding source wallet was G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t.
This architecture gives the attacker two critical advantages. First, the C2 channel itself cannot be disrupted - Solana is a public blockchain with thousands of validators; there is no server to seize, no domain to sinkhole, no IP to block.
Even if every current payload server is taken down, the attacker posts one new transaction (costing approximately $0.001) and every infected machine automatically fetches the updated endpoint.
Second, the C2 traffic is ordinary HTTPS to public Solana RPC hosts, which general-purpose network monitoring treats as legitimate API use; detecting it requires either treating those RPC endpoints as anomalous for developer workstations or TLS inspection of the RPC responses.
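The memo-reading step above is also how an analyst reconstructs the payload-server rotation from the wallet's history. The following is an added example, not GlassWorm's code: it walks a set of constructed transaction records in time order and extracts the C2 URL from each memo. The record shape {slot, blockTime, memo} and the JSON key "url" are this example's assumptions; the article states only that the memo is a JSON object carrying a Base64-encoded URL, and that one transaction carried a raw "c2server" configuration.

```javascript
// Added example, not GlassWorm's code: rebuilds the payload-server rotation
// described above from the memo texts on a C2 wallet's transactions. Record
// shape and the JSON key "url" are assumptions for this example.
function b64(s) { return Buffer.from(s, "utf8").toString("base64"); }

const sampleTransactions = [ // constructed records, not real chain data
  { slot: 1, blockTime: Date.UTC(2025, 11, 3),  memo: JSON.stringify({ url: b64("http://45.32.151.157/") }) },
  { slot: 2, blockTime: Date.UTC(2026, 1, 10),  memo: JSON.stringify({ url: b64("http://45.32.150.97/") }) },
  { slot: 3, blockTime: Date.UTC(2026, 1, 12),  memo: "gm" }, // unrelated memo, must be ignored
  { slot: 4, blockTime: Date.UTC(2026, 1, 25),  memo: JSON.stringify({ c2server: "http://217.69.11.99:5000", dht: "217.69.11.99:10000" }) },
  { slot: 5, blockTime: Date.UTC(2026, 2, 9),   memo: JSON.stringify({ url: b64("http://45.76.44.240/") }) },
  { slot: 6, blockTime: Date.UTC(2026, 2, 10),  memo: JSON.stringify({ url: b64("javascript:alert(1)") }) }, // not http(s): rejected
];

// Only http(s) URLs are accepted; anything else is noise or a decoy.
function parseHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// Returns {kind, url} for a memo that carries C2 data, or null otherwise.
function extractC2FromMemo(memo) {
  let obj;
  try { obj = JSON.parse(memo); } catch { return null; }
  if (!obj || typeof obj !== "object") return null;
  if (typeof obj.url === "string") {
    const u = parseHttpUrl(Buffer.from(obj.url, "base64").toString("utf8"));
    if (u) return { kind: "payload_url", url: u.href };
  }
  if (typeof obj.c2server === "string") {
    const u = parseHttpUrl(obj.c2server);
    if (u) return { kind: "raw_config", url: u.href };
  }
  return null;
}

// Chronological list of payload servers the wallet has pointed victims at.
function payloadServerTimeline(txs) {
  return [...txs]
    .sort((a, b) => a.blockTime - b.blockTime)
    .flatMap((tx) => {
      const c2 = extractC2FromMemo(tx.memo);
      if (!c2) return [];
      const u = new URL(c2.url);
      return [{
        date: new Date(tx.blockTime).toISOString().slice(0, 10),
        host: u.hostname,
        port: u.port || "80",
        kind: c2.kind,
      }];
    });
}

// What an infected host would treat as "current": the newest valid memo.
function currentPayloadServer(txs) {
  const t = payloadServerTimeline(txs);
  return t.length ? t[t.length - 1] : null;
}

console.log(payloadServerTimeline(sampleTransactions));
```

The same parser, fed the real wallet's memo history pulled over RPC, yields the rotation table in the section above and gives you the newest endpoint to block or sinkhole, which is the only part of this C2 design that is not on-chain.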
TECHNICAL ANALYSIS: FALLBACK C2 CHANNELS
Google Calendar: The secondary C2 channel queries a publicly accessible Google Calendar event URL (https://calendar.app.google/M2ZCvM8ULL56PD1d6) created by uhjdclolkdn@gmail.com. The malware extracts a Base64-encoded URL hidden within the calendar event's title field.
Google Calendar is a trusted service rarely blocked by enterprise firewalls or web proxies, making it an effective fallback when Solana RPC endpoints are inaccessible.
BitTorrent DHT: The tertiary C2 channel leverages the BitTorrent Distributed Hash Table for decentralized command distribution. This provides another layer of resilience against takedown, as DHT traffic is peer-to-peer with no central server.
Direct IP: The malware also supports direct HTTP communication with payload servers.
Payloads are encrypted with AES-256-CBC using per-request keys passed via custom HTTP headers (ivbase64 and secretkey). This defeats signatures on the body content, but because the key and IV travel in the headers of the same plain-HTTP exchange, an analyst holding a full packet capture can decrypt the payload; the protection is against casual inspection, not against a captured session.
TECHNICAL ANALYSIS: ZOMBI RAT
The final decrypted stage of GlassWorm is ZOMBI - a heavily obfuscated JavaScript remote access trojan that transforms infected developer machines into fully controlled botnet nodes. ZOMBI's capabilities include:
Credential Harvesting: npm authentication tokens, GitHub tokens (from ~/.git-credentials, GITHUB_TOKEN environment variables, and git credential fill), OpenVSX publisher credentials, Git stored credentials, and SSH private keys.
Cryptocurrency Wallet Draining: ZOMBI targets 49 cryptocurrency wallet browser extensions, including MetaMask, Coinbase Wallet, and Phantom.
The malware accesses browser extension storage directories, extracts wallet seed phrases and private keys, and exfiltrates them to attacker-controlled endpoints at 140.82.52.31:80/wall and 199.247.13.106:80/wall.
Remote Access: Hidden Virtual Network Computing (HVNC) provides the attacker with invisible remote desktop access - the VNC session runs in a separate desktop context that is not visible to the user.
SOCKS proxy servers are deployed on infected machines, allowing the attacker to route traffic through developer endpoints.
Communication Channels: WebRTC peer-to-peer channels enable direct communication between the C2 server and infected nodes, bypassing traditional network monitoring. BitTorrent DHT provides a decentralized backup command channel.
Persistence: On Windows, ZOMBI writes to both HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry keys for auto-start persistence.
Cross-platform persistence uses ~/init.json as a recheck timer (approximately 2-day interval).
Self-Propagation: The harvested npm, GitHub, OpenVSX, and Git credentials are automatically used to compromise additional packages, extensions, and repositories - creating the self-sustaining worm behavior that gives GlassWorm its name.
Each infected developer machine becomes a launch platform for the next wave of infections.
TECHNICAL ANALYSIS: PAYLOAD DELIVERY AND OBFUSCATION
The ForceMemo Python payloads use three-layer obfuscation: Base64 decoding, zlib decompression, and XOR decryption with key value 134. The deobfuscated payload downloads Node.js version 22.9.0 from nodejs.org, writes an encrypted JavaScript file (i.js), and executes it via the downloaded Node.js runtime.
The marker variable "lzcdrtfxyqiplpd" is consistent across all compromised repositories and serves as a reliable detection indicator.
The npm/extension payloads use the invisible Unicode encoding described above, with the decoded content fetching and executing a second-stage script using the Solana C2 channel.
Both delivery mechanisms converge on the same infrastructure: the identical Solana wallet address, the same set of payload servers, and the ZOMBI RAT as the final payload.
The shared infrastructure across all four ecosystems points to a single threat actor operating parallel attack vectors simultaneously.
THREAT ACTOR ANALYSIS
GlassWorm's operators are assessed as Russian-speaking with high confidence based on multiple indicators:
Code comments in the deobfuscated payloads are written in Russian, including the string "Proverka, nakhoditsya li sistema v Rossii" (Checking if the system is in Russia).
The malware performs locale and timezone checks and skips execution entirely on systems configured with Russian language settings - a standard operational security practice among Eastern European cybercrime operators to avoid domestic law enforcement attention.
Koi Security researchers discovered an exposed attacker endpoint that revealed partial operational data. Recovered artifacts included attacker user IDs on multiple messaging platforms and cryptocurrency exchanges.
Keylogger data from the attackers' own testing infrastructure exposed their use of the RedExt open-source browser extension C2 framework for managing compromised endpoints. This data was turned over to law enforcement, and an investigation is underway.
No formal threat actor group name or APT designation has been assigned by any major vendor (CrowdStrike, Mandiant, Microsoft, Palo Alto Networks). The campaign has been tracked exclusively under the "GlassWorm" malware family name, originally assigned by Koi Security.
The financial motivation is clear: cryptocurrency wallet draining provides direct monetization, while stolen developer credentials enable cascading supply chain compromise that can be sold or leveraged for further operations.
The SOCKS proxy and HVNC capabilities suggest the threat actor also operates or sells access to compromised developer machines as infrastructure-as-a-service.
SUPPLY CHAIN IMPACT ANALYSIS
GlassWorm's self-propagation mechanism creates a compounding risk model fundamentally different from static supply chain attacks. In a traditional supply chain compromise (such as the Axios hijack), the attack surface is fixed: one package, one exposure window.
GlassWorm's harvested credentials generate new attack surface with every infection - each compromised developer who maintains npm packages, GitHub repositories, or VSCode extensions becomes an involuntary vector for the next wave.
The confirmed scope as of March 14, 2026:
- 72 OpenVSX/VSCode extensions compromised across four waves (October 2025, November 2025, January-February 2026, March 2026)
- 151+ GitHub JavaScript/TypeScript repositories containing the invisible Unicode decoder (March 3-9, 2026)
- Approximately 200 GitHub Python repositories compromised via ForceMemo force-push attacks (March 8-13, 2026)
- 10 npm packages confirmed malicious, including packages with 20,000-30,000 combined weekly downloads
- 35,800+ confirmed extension installs in the initial October wave alone
- Four additional compromised extensions with 22,000+ combined downloads in the January-February wave
The true scope is likely larger. Aikido noted that many compromised GitHub repositories had already been deleted by the time of analysis, meaning the 151+ count understates the JavaScript/TypeScript repository compromises.
StepSecurity's ForceMemo count of approximately 200 Python repositories is also based on a point-in-time snapshot.
Geographic impact spans at least five continents. Koi Security's analysis of the exposed attacker endpoint revealed victims in the US, Europe, Asia, South America, and the Middle East, including at least one major government entity.
The VSCode extension ecosystem has an estimated 50+ million active users, and OpenVSX serves as the default extension registry for multiple VS Code forks (VSCodium, Gitpod, Eclipse Theia, Coder).
The auto-update amplification vector is particularly dangerous: VS Code extensions update automatically by default. A developer who installed a legitimate extension months ago could be silently infected when the attacker pushes a malicious update to a hijacked publisher account.
No user interaction is required beyond having the extension installed.
TECHNICAL FAILURE CHAIN
1. No code review for invisible Unicode characters on extension marketplaces: Neither OpenVSX nor the Microsoft VSCode Marketplace performs automated scanning for non-visible Unicode characters in published extensions.
The invisible payload encoding passed all marketplace review processes because the malicious code literally cannot be seen - it renders as whitespace in every standard tool. OpenVSX relies on publisher agreements and automated tools, not manual code review.
2. Publisher account compromise without re-verification: Compromised publisher credentials were sufficient to push malicious updates to legitimate extensions without additional verification.
No challenge was issued for behavioral anomalies such as code changes to long-dormant extensions or additions of obfuscated content.
3. Automatic extension updates enabled by default: VS Code auto-updates extensions without user confirmation.
A compromised extension update is silently installed on every machine where the extension exists, converting a single publisher account compromise into thousands of endpoint infections.
4. GitHub accepted force-pushed commits without alerts to repository watchers: The ForceMemo sub-campaign replaced legitimate default branches via force-push. GitHub did not notify repository watchers, contributors, or dependents of the force-push event.
The manipulated commits were invisible in GitHub's UI because the attacker preserved original commit messages and author metadata.
5. Blockchain C2 indistinguishable from legitimate API traffic: HTTPS requests to public Solana RPC endpoints such as api.mainnet-beta.solana.com appear as legitimate HTTPS traffic to standard network monitoring tools. Without specific detection rules for Solana RPC patterns, the C2 traffic is invisible.
6. Developer credentials stored in plaintext: Tokens and credentials kept in local files (~/.git-credentials, VS Code storage databases, environment variables) are trivially extractable by any process with local file system access. No hardware security module or secure enclave protection is standard for developer credentials.
7. No dependency provenance verification for GitHub repositories: Developers who clone GitHub repositories and run pip install . or npm install execute arbitrary code from the repository without verifying that the code matches any known-good state.
Force-pushed repositories look identical to legitimate ones.
INDICATORS OF COMPROMISE
Solana Blockchain:
- Primary C2 Wallet: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
- Funding Wallet: G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t
- Historical C2 Wallet (October 2025): 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2
- Transaction Example: 49CDiVWZpuSW1b2HpzweMgePNg15dckgmqrrmpihYXJMYRsZvumVtFsDim1keESPCrKcW2CzYjN3nSQDGG14KKFM
Payload Server IPs:
- 217.69.3.218 (direct IP C2 and payload delivery)
- 217.69.11.57 (February 2026)
- 217.69.11.99 (February-March 2026, C2 on :5000, DHT on :10000)
- 217.69.0.159 (March 2026)
- 45.32.151.157 (December 2025)
- 45.32.150.97 (February 2026)
- 45.76.44.240 (March 2026)
- 199.247.10.166 (direct IP payload delivery)
Exfiltration Endpoints:
- 140.82.52.31:80/wall
- 199.247.13.106:80/wall
Google Calendar C2:
- URL: https://calendar.app.google/M2ZCvM8ULL56PD1d6
- Organizer: uhjdclolkdn@gmail.com
Payload URLs:
- http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D
- http://217.69.3.218/get_arhive_npm/
- http://217.69.3.218/get_zombi_payload/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D
Compromised Extensions (Confirmed):
- codejoy.codejoy-vscode-extension (v1.8.3, v1.8.4)
- cline-ai-main.cline-ai-agent (v3.1.3 - Microsoft VSCode Marketplace)
- l-igh-t.vscode-theme-seti-folder (v1.2.3)
- JScearcy.rust-doc-viewer (v4.2.1)
- sissel.shopify-liquid (v4.0.1)
- adhamu.history-in-sublime-merge
- ai-driven-dev.ai-driven-dev
- yasuyuky.transient-emacs
- quartz.quartz-markdown-editor (v0.3.0)
Compromised npm Packages:
- @aifabrix/miso-client (v4.7.2)
- @iflow-mcp/watercrawl-watercrawl-mcp (v1.3.0-1.3.4)
- react-native-country-select (v0.3.91)
- react-native-international-phone-number (v0.11.8)
Compromised GitHub Repositories (High-Profile):
- pedronauck/reworm (1,460 stars)
- anomalyco/opencode-bench (56 stars)
- wasmer-examples/hono-wasmer-starter
- amirasaran/django-restful-admin (70 stars)
- BierOne/ood_coverage (34 stars, ICLR paper code)
- wecode-bootcamp-korea (multiple repos)
- HydroRoll-Team (multiple repos)
File System Indicators:
- ~/init.json (persistence timer, ~2-day recheck interval)
- ~/node-v22* (unexpected Node.js v22.9.0 installation)
- Suspicious i.js files in cloned repositories
- Marker variable in code: lzcdrtfxyqiplpd
Git Commit Anomalies:
- Committer email set to the literal string "null"
- Committer date significantly newer than author date
- Force-pushed commits on default branches
Windows Registry Persistence:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Solana RPC Endpoints (Monitor for Anomalous Developer Workstation Traffic):
- api.mainnet-beta.solana.com
- solana-mainnet.gateway.tatum.io
- go.getblock.us
- solana-rpc.publicnode.com
- api.blockeden.xyz
- solana.drpc.org
- solana.leorpc.com
- solana.api.onfinality.io
- solana.api.pocket.network
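Turning the endpoint list above into a detection is mostly a matter of grouping and timing: the loader is described as polling every five seconds, so a workstation that touches one of these hosts repeatedly at a steady short interval is the signal. The following is an added example, not a tool from any of the cited vendors, run over constructed proxy-log lines; the line format (timestamp, source IP, destination host, destination port) and the hit threshold are this example's assumptions.

```javascript
// Added example: detection logic over web-proxy or DNS logs for the RPC hosts
// listed above. Log line format is a constructed assumption:
//   <ISO timestamp> <source IP> <destination host> <destination port>
const SOLANA_RPC_HOSTS = [
  "api.mainnet-beta.solana.com",
  "solana-mainnet.gateway.tatum.io",
  "go.getblock.us",
  "solana-rpc.publicnode.com",
  "api.blockeden.xyz",
  "solana.drpc.org",
  "solana.leorpc.com",
  "solana.api.onfinality.io",
  "solana.api.pocket.network",
];

// Exact or subdomain match: rpc.solana.drpc.org is caught, notsolana.drpc.org is not.
function isSolanaRpcHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return SOLANA_RPC_HOSTS.some((k) => h === k || h.endsWith("." + k));
}

function parseLogLine(line) {
  const [ts, src, host, port] = line.trim().split(/\s+/);
  if (!ts || !src || !host) return null;
  const t = Date.parse(ts);
  return Number.isNaN(t) ? null : { t, src, host, port: port || "443" };
}

function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Groups RPC hits by (source, host); flags pairs with at least minHits and
// reports the median inter-request interval, which for the described loader
// sits near 5 seconds. A single hit is not reported at the default threshold.
function detectSolanaRpcBeacons(lines, minHits = 3) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || !isSolanaRpcHost(rec.host)) continue;
    const key = `${rec.src} ${rec.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec.t);
  }
  const findings = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => (t - times[i]) / 1000);
    const [src, host] = key.split(" ");
    findings.push({
      src,
      host,
      hits: times.length,
      medianIntervalSeconds: deltas.length ? median(deltas) : null,
    });
  }
  return findings;
}

// Constructed sample log: one workstation polling an RPC host every 5 s, one
// touching GitHub, one single RPC hit that stays below the threshold, and a
// look-alike domain that must not match.
const sampleLog = [
  "2026-03-10T09:00:00Z 10.1.2.3 api.mainnet-beta.solana.com 443",
  "2026-03-10T09:00:05Z 10.1.2.3 api.mainnet-beta.solana.com 443",
  "2026-03-10T09:00:02Z 10.1.2.9 github.com 443",
  "2026-03-10T09:00:10Z 10.1.2.3 api.mainnet-beta.solana.com 443",
  "2026-03-10T09:00:15Z 10.1.2.3 api.mainnet-beta.solana.com 443",
  "2026-03-10T09:00:11Z 10.1.2.5 solana.drpc.org 443",
  "2026-03-10T09:00:20Z 10.1.2.3 api.mainnet-beta.solana.com 443",
  "2026-03-10T09:00:21Z 10.1.2.9 notsolana.drpc.org 443",
];

console.log(detectSolanaRpcBeacons(sampleLog));
```

Scope this to developer workstation and CI runner subnets; a team that actually builds on Solana will light it up, and for them the list becomes an allow-list of which machines may talk to these hosts rather than a blanket alert.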
Detection Commands:
- Search for marker: grep -r "lzcdrtfxyqiplpd" .
- Check persistence file: cat ~/init.json
- Check Node.js download: ls ~/node-v22*
- Check invisible Unicode in JS files: npx anti-trojan-source --files='src/**/*.{js,ts,jsx,tsx}' --verbose
- Check git commit anomalies: git log --format='%H %ae %aI %ce %cI' | awk '$4 == "null"'
REGULATORY EXPOSURE
This incident primarily affects developer infrastructure and credentials rather than traditional PII. However, the stolen credentials - npm tokens, GitHub tokens, cloud API keys, SSH keys - provide access to systems that process and store personal data.
- US - FTC Act Section 5: Organizations that fail to implement reasonable developer workstation security - including dependency scanning, extension allow-listing, and credential rotation - may face enforcement for unfair or deceptive practices. The FTC's Drizly order (finalized 2023) treated failure to implement basic security safeguards as an unfair practice.
- US - SEC 8-K Disclosure: Publicly traded companies that determine a GlassWorm compromise constitutes or contributes to a material cybersecurity incident must disclose within 4 business days of that determination.
- US - CCPA/CPRA: If stolen developer credentials are used to access California residents' personal information, the organization faces up to $7,500 per intentional violation.
- EU - GDPR Article 32: Organizations must implement appropriate technical and organizational measures for security of processing. Failure to scan for supply chain threats, restrict extension installations, or monitor for anomalous developer tool behavior may constitute inadequate measures. Fines up to 4% of annual global turnover or EUR 20 million.
- EU - NIS2 Directive: Software supply chain security is explicitly within NIS2's scope. Organizations subject to NIS2 that were compromised face mandatory incident reporting obligations.
- UK - UK GDPR / DPA 2018: Mirrors EU GDPR exposure. ICO enforcement up to GBP 17.5 million or 4% of annual turnover.
- Saudi Arabia - PDPL: Organizations processing Saudi residents' data that were compromised face fines up to SAR 5 million (~$1.3M). NCA Essential Cybersecurity Controls mandate software supply chain risk management for critical infrastructure and government entities.
- UAE - PDPL (Federal Decree-Law No. 45/2021): Fines up to AED 10 million for data protection failures resulting from compromised developer infrastructure.
- Switzerland - revFADP: Personal liability on individuals (not just corporate entities) responsible for security failures - fines up to CHF 250,000.
The extension marketplace operators - Eclipse Foundation (OpenVSX), Microsoft (VSCode Marketplace), npm (GitHub/Microsoft), and GitHub - face scrutiny for structural failures in their review and publishing processes.
OpenVSX's reliance on automated tools and publisher agreements without manual code review enabled four consecutive waves of compromise over five months. Microsoft's VSCode Marketplace also hosted at least one compromised extension (cline-ai-main.cline-ai-agent). GitHub accepted force-pushed malicious commits without alerting repository dependents.
npm accepted malicious package publications without detecting the shared Solana C2 infrastructure already flagged in prior GlassWorm waves.
INTELLIGENCE GAPS
Several critical questions remain unanswered:
1. Total infection count: No comprehensive count of infected developer machines exists. The 35,800+ extension installs from October 2025 represent only the initial wave.
The 72+ extensions in January-March 2026, the 151+ GitHub JS/TS repos, the approximately 200 Python repos, and the 10 npm packages each add unknown numbers of infections. The auto-update mechanism means historical install counts understate active infections.
2. Credential reuse cascade: How many of the GitHub tokens stolen by GlassWorm's credential harvester were subsequently used to compromise additional repositories?
The ForceMemo campaign explicitly used stolen GitHub tokens, but the full extent of second-generation compromises is unknown.
3. Cryptocurrency theft volume: No estimate of total cryptocurrency drained from the 49 targeted wallet extensions has been published.
The exfiltration endpoints (140.82.52.31:80/wall and 199.247.13.106:80/wall) may contain transaction records, but these are attacker-controlled and not publicly accessible.
4. Government entity identification: Koi Security confirmed at least one "major government entity" among victims but has not disclosed the name or country. The implications for national security depend on which government, which systems, and what credentials were harvested.
5. Law enforcement investigation status: Koi Security reported turning over attacker data (user IDs on messaging platforms and cryptocurrency exchanges) to law enforcement. No arrests or public law enforcement statements have been made.
6. Connection to other March 2026 campaigns: GlassWorm, TeamPCP/CanisterWorm, and the Axios hijack all targeted developer infrastructure in the same month using different blockchain C2 mechanisms (Solana, ICP, none).
Whether this convergence is coordinated, copycat, or coincidental remains unknown.
7. Attacker identity behind RedExt: The threat actor uses the RedExt open-source browser extension C2 framework. Whether the GlassWorm operator is the RedExt developer or merely a user of the tool is unclear.
ZERO|TOLERANCE Advisory
1. Deploy automated invisible Unicode detection in all code review and CI/CD pipelines. Tools like Snyk's anti-trojan-source scanner detect Unicode variation selectors and PUA characters in source code.
This should be mandatory in every pull request check and marketplace submission review. Invisible-character attacks on source code have been public since the Trojan Source disclosure (CVE-2021-42574, November 2021) and should have been blocked at the platform level before GlassWorm weaponized variation selectors.
2. Restrict VSCode extension installations to a curated allow-list. Enterprise VS Code deployments should disable automatic extension updates and restrict installations to organization-approved extensions.
No developer workstation should auto-install updates from the public OpenVSX or VSCode Marketplace without review; VS Code's extension autoUpdate setting should be set to false in all managed environments.
3. Implement hardware-backed credential storage for developer tokens. npm tokens, GitHub tokens, and Git credentials should not be stored in plaintext files.
Use credential managers that leverage platform secure enclaves (macOS Keychain, Windows Credential Manager, Linux secret-service) and rotate tokens on a 30-day maximum lifecycle.
Hardware security keys (FIDO2) should be required for all npm publish and GitHub push operations on sensitive repositories.
4. Monitor for Solana RPC traffic on developer networks. Alert on DNS resolution of, or HTTPS connections to, known public Solana RPC endpoints (api.mainnet-beta.solana.com, solana-rpc.publicnode.com, etc.) from developer workstations and CI/CD runners. Legitimate developer environments rarely need direct Solana RPC access, so investigate every match.
5. Enforce signed commits and block force-push on default branches. GitHub repository settings should require signed commits (GPG or SSH signing) and protect default branches from force-push.
The ForceMemo sub-campaign would have been entirely blocked by branch protection rules that prevent force-push to main/master. Enable GitHub's "Require status checks" and "Require pull request reviews" for all production repositories.
6. Run dependency installation with --ignore-scripts and audit all lifecycle hooks. In CI/CD pipelines and developer environments, install npm packages with --ignore-scripts by default and audit every package that requires postinstall or preinstall hooks.
Note the limit of this control: --ignore-scripts blocks install-time hooks, but a loader embedded in package source (such as the invisible-Unicode decoder described above) runs when the module is loaded, so this control reduces exposure without replacing source scanning.
SOURCES
Koi Security, Truesec, Aikido Security (Ilyas Makari), StepSecurity, Socket.dev, Sonatype, BleepingComputer, The Hacker News, SecurityWeek, Dark Reading, CSO Online, InfoWorld, Snyk, Veracode, Fluid Attacks, Malwarebytes, GBHackers, Cloud Security Alliance, Rescana, ThaiCERT, SOCRadar, Scientific American, HotHardware, WinBuzzer, WebProNews, Cybersecurity Help, HackMag, Dev.to, Threat Road (Substack)