Double the Worm
I’ve talked about GlassWorm before. The Shai-Hulud offshoot has been in constant evolution since at least October of 2025, with iterations affecting numerous open source extensions and developer registries across a wide array of endpoints. Today, it appears not once but twice on my cyber news feed with a pair of unrelated waves of attacks.
The first, as reported by Endor Labs, covers a campaign using a multi-stage approach of infection, obfuscation and deployment in an npm package that ultimately ends with the maintainer of the package being completely locked out of their account and unable to take the compromised version down. The campaign began with a pre-install hook in two known packages – npm install react-native-international-phone-number and npm install react-native-country-select – using a Solana blockchain command-and-control client as a dead drop, rather than being hardcoded into the URL’s which could be blocklisted. The hook is coded to in-memory execution, meaning it’s living off the land; it isn’t saved to the disk. It achieves persistence through a json command. This first wave was counteracted by the maintainer, with a new clean version published shortly after the attack.
The second wave was something of a placeholder, intended to pre-stage a dependency on the previous, infected version of the packages, but containing no further payload. With nothing to be flagged by security software, this second stage gets scanned and determined to be benign, and thus remains available for download and use. This is a deferred armament technique, plant the dependency chain while it's clean, let scanners clear it, then arm it later when nobody's watching. The attacker waited nearly a full day before releasing the armed version, enough time for the packages to be distributed without issue.
The final wave deployed the armed version of the packages, with them pinned as ‘latest’ for automatic updating in downloaded copies. No suspicious signals were flagged, because the malware itself is embedded in the dependency chain, not the final iteration. And then the attacker changed the npm account email, effectively locking the owner out of recovery. Endor Labs states that versions (those above 0.12.0 for phone-number, 0.4.0 for country-select) containing the ~/init.json command confirms the presence of the executed malware.
The second report of GlassWorm comes from Socket, regarding the ongoing campaign to spread the malware through OpenVSX extensions. They’d first reported on the campaign a week ago, finding 72 extensions carrying the malware at that time. Over the weekend, at least 20 more were detected, with a further number including ‘sleeper’ extensions that hadn’t yet delivered their payload. Using the same tactic as the case of npm, extensions were published with no malware in them, although they were often typosquats. And then an update introduced the malicious version.
This iteration of the malware uses GitHub’s own infrastructure for living off the land. Eclipse Foundation – Open VSX’s parent company – has been flagging and removing the extensions as they’re found before they can be activated by users. Socket’s article has a list of possibly compromised extensions, both active and sleeper, with the versions that are affected and those that are likely clean. Most of them are running an import command, and several accounts are suspected to be hosts or publishers of the campaign with high confidence.
GlassWorm campaigns have been a fairly common headline in my news feed for months, but this is the first time two separate attacks were reported on the same day. Given the use of Solana blockchain for command-and-control, one can presume that cryptocurrency theft is among the goals by the attacker. As always, I’ll be keeping my eye on things and any further developments.
Posted, 3/19/26












