The GlassWorm malware campaign has infiltrated more than 400 source code repositories and software utilities across popular development platforms such as GitHub, npm, and VSCode/OpenVSX. Bkav experts estimate that tens of thousands of developers’ machines have already been infected with GlassWorm. The attack creates a chain reaction: hackers turn these infected machines into stepping stones to penetrate deeper into corporate internal networks, manipulate source code, and automatically replicate and spread the malware exponentially throughout the global software supply chain, Vietnam included.
This campaign does not focus on directly exploiting software vulnerabilities. Instead, hackers use stolen accounts and access tokens to insert malicious code into legitimate source code repositories and software utilities shared by developers.
The malicious modifications are made under legitimate accounts or disguised as entries in the repository’s commit history, with author information, content, and timestamps crafted to resemble genuine updates. As a result, they appear normal and are difficult to detect by visual inspection or basic checks. In addition to injecting malicious code into repositories, in some attack vectors GlassWorm uses “invisible” Unicode characters to bypass automated scanning systems. Rather than using conventional command-and-control servers, which are easily detected and shut down, the campaign leverages the Solana blockchain network to store and transmit command-and-control instructions. This makes the attackers’ infrastructure decentralized and extremely difficult to block. At the same time, the malware rotates among at least six C2 server IP addresses to maintain communication and conceal its activity.
“Hackers embed malicious commands directly into ‘invisible’ Unicode characters in the code, turning seemingly empty lines into hidden attack tools. To the naked eye or through basic inspection, the code appears completely normal. This makes it difficult for both developers and traditional scanning tools to detect any anomalies,” said Nguyen Dinh Thuy, a malware expert at Bkav.
Once activated, the malware steals sensitive data such as cryptocurrency wallets, SSH keys, authentication tokens, and developers’ system information, and uses it to expand deeper into organizational systems. Notably, the attack has spread into developers’ daily working environments through development tools, extensions, and dependencies into which malware has been embedded.
In Vietnam, many technology companies and startups are keeping pace with global trends by developing software based on open-source code and free libraries. Platforms such as GitHub and npm are widely used in product development, from web and mobile applications to enterprise systems. If a widely used library is injected with malicious code, the risk can spread to numerous software projects and enterprise systems domestically through dependencies used by developers.
“GlassWorm reflects a shift in attack trends from targeting end users directly to targeting software development platforms and tools. When a component in the supply chain is infected, the impact can spread to thousands or even millions of end users. The extent of the damage is immeasurable. Users and businesses should proactively deploy advanced security solutions and comprehensive anti-malware software, rather than relying solely on default operating system tools, which are designed for basic protection and are insufficient to detect sophisticated threats that persist long-term within systems,” said Le Tien Thinh, Director of Cybersecurity Products at Bkav.
In response to this threat, Bkav recommends that developers and technology organizations:
- Pin versions and disable automatic updates for libraries and extensions to prevent malware from spreading via new updates.
- Integrate automated code scanning tools directly into IDEs or CI/CD pipelines for continuous monitoring and early detection of obfuscated code or hidden characters.
- For source code repositories, enforce multi-factor authentication (MFA) and the principle of least privilege; disable force-push on critical branches.
- Ensure 100% of endpoints are equipped with professional antivirus software, combined with advanced EDR/XDR solutions to create a dual-layer defense against fileless or stealth malware.
- When suspicious signs appear, immediately change passwords, revoke access tokens, and review all repository activities.
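The “invisible” Unicode technique described above is exactly what the second recommendation asks CI/CD pipelines to catch. The scanner below is an added illustration written for this article, not Bkav’s tool or any GlassWorm artifact: it flags code points that render as nothing in an editor (Unicode category Cf, which covers zero-width joiners, bidi controls and the Unicode tag block; unassigned and private-use code points; variation selectors; and a few blank-looking fillers) and reports their line and column. The sample input is constructed, not taken from any real repository.

```python
import unicodedata
from typing import NamedTuple

class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str   # e.g. "U+200B"
    name: str        # Unicode character name
    category: str    # Unicode general category

# Not category Cf, but still render as blank: Hangul fillers, braille blank.
BLANK_LOOKALIKES = {0x115F, 0x1160, 0x3164, 0xFFA0, 0x2800}

def is_hidden(ch: str) -> bool:
    """True for code points that produce no visible glyph in an editor."""
    cp, cat = ord(ch), unicodedata.category(ch)
    if cat == "Cf":              # zero-width joiners, bidi controls, Unicode tags U+E0000..U+E007F
        return True
    if cat in ("Cn", "Co"):      # unassigned or private-use: no legitimate glyph in source
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors (category Mn)
        return True
    return cp in BLANK_LOOKALIKES

def find_hidden_chars(source: str) -> list[Finding]:
    """Return one Finding per hidden code point, with its 1-based line and column."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue         # a leading byte-order mark is common and benign
            if is_hidden(ch):
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unnamed>"),
                                        unicodedata.category(ch)))
    return findings

def reveal(line: str) -> str:
    """Rewrite a line so each hidden code point shows as a \\u{XXXX} escape for review."""
    return "".join(f"\\u{{{ord(c):04X}}}" if is_hidden(c) else c for c in line)

# Constructed sample (not from any real repository): a JavaScript fragment whose
# "empty" second line is zero-width characters and whose third line ends in a
# right-to-left override, the kind of thing a pre-merge check should flag.
SAMPLE = (
    "const cfg = loadConfig();\n"
    "\u200b\u200d\u2060\u200b\n"
    "return cfg;\u202e // looks like a normal comment\n"
)
```

Running `find_hidden_chars` over each changed file in a pre-commit hook or CI job, and failing the build on any finding outside an allow-list, turns the visual-inspection problem into a mechanical check.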

Bkav