The GlassWorm supply-chain campaign has resurfaced with a broader, coordinated wave targeting developer ecosystems: GitHub repositories, npm packages, and VS Code/OpenVSX extensions.

BleepingComputer reports that multiple researchers and communities (including Aikido, Socket, Step Security, and OpenSourceMalware) collectively identified 433 compromised components this month. The campaign reportedly begins by compromising GitHub accounts and force-pushing malicious commits, then propagates through published packages and extensions.

Key techniques highlighted

- Obfuscated malicious code using “invisible” Unicode characters to evade detection

- Periodic command-and-control via Solana blockchain transactions, with instructions embedded as memo fields

- Payloads aimed at stealing crypto-wallet data, credentials/tokens, SSH keys, and developer environment information
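As an added defender-side example (not code from the original report or from any of the researchers cited): a small Python scanner that flags invisible and format-control code points in source text, the class of obfuscation described above. The watchlist of code points and the sample line are my own construction, not the campaign's published indicators.

```python
import unicodedata
from typing import NamedTuple

class Hit(NamedTuple):
    line: int
    column: int
    codepoint: str
    name: str

# Code points that render as nothing (or nearly nothing) in an editor yet
# remain part of the source. This is an assumed defender's watchlist, not
# the campaign's IoC list; extend it to taste.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM appearing mid-file
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)
INVISIBLE_SINGLES = {0x00AD, 0x115F, 0x1160, 0x3164, 0xFFA0}  # soft hyphen, fillers

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if cp in INVISIBLE_SINGLES:
        return True
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def find_invisible(text: str) -> list[Hit]:
    """Return every watchlisted code point with its 1-based line and column."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append(Hit(lineno, col, f"U+{ord(ch):04X}",
                                unicodedata.name(ch, "<unassigned>")))
    return hits

def scan_file(path: str) -> list[Hit]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_invisible(fh.read())

# Constructed sample: an editor shows only 'const x = 1;' on line 1, but two
# Unicode tag characters follow the semicolon.
SAMPLE = "const x = 1;" + "\U000E0068\U000E0069" + "\nconsole.log(x);\n"

if __name__ == "__main__":
    for h in find_invisible(SAMPLE):
        print(f"line {h.line} col {h.column}: {h.codepoint} {h.name}")
```

Run `scan_file` over a cloned repository's text files to turn hits into review items; a legitimate BOM at byte 0 or an intentional ZWJ in emoji test data will show up too, so triage rather than auto-block.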

Scope of the latest wave (as reported)

- 200 GitHub Python repositories

- 151 GitHub JavaScript/TypeScript repositories

- 72 VS Code/OpenVSX extensions

- 10 npm packages

What developers and teams should do now

1) Treat direct installs from GitHub (or running cloned repos) as higher risk; pin commits and verify maintainer identities.

2) Review Git histories for suspicious force-pushes and inconsistent author/committer timestamps.

3) Hunt for published indicators mentioned by researchers (e.g., marker variable names) within your codebase.

4) Audit developer machines for unexpected runtimes or persistence artifacts in home directories.

5) Enforce stronger GitHub protections: MFA, branch protections, signed commits, and least-privileged tokens.

Draft angle for Kicukiro Tech: Supply-chain attacks are no longer “rare edge cases” — they are an operational reality for modern software development, and defenses need to start at the repo and CI level.