CrowdStrike takes down Glassworm botnet
Briefly

Glassworm was an international botnet operation targeting software developers and open-source software supply chains. It gained access to development environments and CI/CD pipelines through compromised software extensions, manipulated software packages, and stolen developer accounts; the activity is believed to have started in early 2025. Malicious extensions were distributed through the OpenVSX marketplace disguised as popular developer tools, and they worked with Visual Studio Code as well as derivative editors. Infected npm and Python packages were also published so that malicious code ran automatically during dependency installation, and more than 300 GitHub repositories were modified after developer accounts had been compromised. The malware ran on Windows, macOS, and Linux and performed credential harvesting, data theft, and remote access via GlasswormRAT, a Node.js-based remote-access tool. Infected developer machines were also used as proxy nodes for criminal activity, and hidden Unicode code injections were used to make the malicious code harder for developers and security software to spot.
"Glassworm used compromised software extensions, manipulated software packages, and stolen developer accounts to gain access to development environments and CI/CD pipelines. The operation marks a shift in the threat landscape, with attackers increasingly targeting developers themselves. Compromising a single development environment can affect thousands of downstream users and organizations."
"Among other tactics, Glassworm distributed malicious extensions via the OpenVSX marketplace, disguised as popular developer tools. The extensions worked not only with Visual Studio Code but also with derivative development environments such as Cursor, Windsurf, Positron, and VSCodium. In addition, infected npm and Python packages were deployed."
"Malicious code was automatically executed during regular dependency installations. CrowdStrike further states that more than three hundred GitHub repositories were modified after developer accounts had previously been compromised. The malware ran on Windows, macOS, and Linux systems and included functionality for credential harvesting, data theft, and remote access."
"A key component of the operation was GlasswormRAT, a Node.js-based remote-access tool that allowed systems to be controlled remotely. According to CrowdStrike, infected developer machines were also used as proxy nodes for criminal activities. The attackers used techniques such as hidden Unicode code injections to make malicious code less visible to developers and security software."
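Two of the techniques described above can be checked for before a downloaded dependency is allowed to run: install-time lifecycle scripts and invisible Unicode characters in source. The following pre-install audit is an added example, not code from CrowdStrike, Techzine or the Glassworm campaign. It assumes two things the page does not state: that "automatic execution during dependency installation" refers to npm lifecycle scripts such as postinstall, and that the "hidden Unicode code injections" rely on characters an editor renders as nothing (Unicode format characters such as zero-width spaces and bidi overrides, plus variation selectors and a few other invisible code points). The sample package.json and source file are constructed for the demonstration.

```python
"""Pre-install audit for an unpacked npm package (added example, see lead-in).

Assumptions not stated on the page: install-time execution means npm lifecycle
scripts, and hidden Unicode injection means characters that render invisibly.
"""
import json
import tempfile
import unicodedata
from pathlib import Path

# Scripts npm runs on its own during `npm install` of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Invisible characters outside category Cf that are also used to hide text
# (combining grapheme joiner, Hangul fillers).
EXTRA_INVISIBLE = {"\u034f", "\u115f", "\u1160", "\u3164", "\uffa0"}

# Source files worth scanning in a JavaScript or Python package.
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json", ".py"}


def is_invisible(ch: str, offset: int) -> bool:
    """True for characters an editor would not render; a BOM at offset 0 is fine."""
    cp = ord(ch)
    if ch == "\ufeff":
        return offset != 0
    if unicodedata.category(ch) == "Cf":  # zero-width chars, bidi overrides, tag chars
        return True
    if ch in EXTRA_INVISIBLE:
        return True
    return 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF  # variation selectors


def find_hidden_unicode(text: str):
    """Return (line, column, 'U+XXXX NAME') for every invisible character in text."""
    findings = []
    line, col = 1, 0
    for i, ch in enumerate(text):
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        if is_invisible(ch, i):
            findings.append((line, col, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "?"))))
    return findings


def install_hooks(package_json: str) -> dict:
    """Return the lifecycle scripts from package.json that npm runs at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def audit_tree(root: Path) -> list:
    """Walk an unpacked package directory and return human-readable findings."""
    report = []
    pkg = root / "package.json"
    if pkg.is_file():
        for hook, cmd in install_hooks(pkg.read_text(encoding="utf-8")).items():
            report.append(f"{pkg.name}: install-time script {hook!r} runs {cmd!r}")
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            report.append(f"{path.relative_to(root)}: not UTF-8, inspect manually")
            continue
        for line, col, what in find_hidden_unicode(text):
            report.append(f"{path.relative_to(root)}:{line}:{col}: invisible {what}")
    return report


# Constructed sample input: a package.json with a postinstall hook, and a source
# file carrying two zero-width characters and a right-to-left override.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-pkg", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})
SAMPLE_SOURCE = 'module.exports = 1;\u200b\u2062\nconst t = "\u202eevil";\n'


def demo() -> list:
    """Write the constructed samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON, encoding="utf-8")
        (root / "index.js").write_text(SAMPLE_SOURCE, encoding="utf-8")
        return audit_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a package extracted with `npm pack` before installing it; any install-time hook or invisible character is worth a manual look, and `npm install --ignore-scripts` stops lifecycle scripts from running at all while you review. The scan is deliberately broad: a soft hyphen or a legitimate variation selector in a localized string will also be reported, which is the right trade-off for a check that runs before code executes.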
Read at Techzine Global