Mondoo

Glassworm Proves It: The Supply Chain Worm Era Is No Longer Theoretical

The Glassworm campaign validates every prediction from our Shai-Hulud analysis: multi-ecosystem coordination, AI-assisted evasion, and invisible persistence. The era of the software supply chain worm is here.

Patrick Münch

When we blogged about Beyond Shai-Hulud late in December last year, we deliberately chose to look beyond the immediate incident and toward the trajectory it implied. Shai-Hulud wasn't just another malicious package; it was a prototype for a new class of attack: self-propagating malware that weaponizes developer identity and the implicit trust baked into modern CI/CD pipelines. We argued that the industry was making a critical mistake by treating it as a one-off.

This week, the Glassworm campaign confirmed that we were right to sound the alarm, and that the threat is evolving faster than most teams are prepared for.

What Glassworm Does Differently

Recent research has documented a coordinated, multi-ecosystem attack wave by the threat actor known as Glassworm. Between March 3 and March 9, the campaign compromised at least 151 GitHub repositories and pushed malicious packages to npm, the VS Code Marketplace, and, as newly reported, at least 72 extensions on the Open VSX Registry. The technique is deceptively elegant: invisible Unicode characters from the Private Use Area are used to encode a full malicious payload inside what appears to be an empty string. Every editor, every terminal, every code review interface renders the payload as nothing. At runtime, a small decoder extracts the hidden bytes and passes them straight to eval().

The Open VSX angle deserves particular attention. The campaign introduced a transitive loading pattern: rather than embedding the full malicious payload in every extension, the attackers used one extension as a silent installer for a second, more heavily obfuscated one. The initial listing looks comparatively benign at publication time — the dangerous payload only materializes after installation, when the first extension pulls in the second. This defeats the kind of one-time-at-publish review that most extension marketplaces rely on.

Among the targets were repositories belonging to Wasmer, Reworm, and the organization behind OpenCode and SST, projects with real downstream adoption. This isn't a typosquatting campaign hoping someone fat-fingers a package name. This is targeted infiltration of legitimate, trusted codebases.

The Predictions That Landed

In our Shai-Hulud analysis, we outlined several specific ways supply chain attacks would evolve. Glassworm validates three of them in a single campaign:

Multi-ecosystem coordination

We warned about the "Polyglot Worm" — an attack designed to traverse security silos seamlessly. Glassworm operated simultaneously across GitHub repositories, npm packages, VS Code Marketplace extensions, and Open VSX — four distinct ecosystems in a single campaign. A JavaScript security team scanning npm wouldn't catch the GitHub repository compromise. A developer tools team auditing VS Code extensions wouldn't think to check Open VSX, or vice versa. The attack is designed to outrun the org chart.

AI-assisted evasion

We warned that AI would become a force multiplier for supply chain attackers, from "hallucination hijacking" (registering packages that AI tools incorrectly predict should exist) to scaling attacks beyond what manual effort allows. Glassworm delivers on the second half of that prediction. Its cover commits, documentation tweaks, version bumps, and small refactors are stylistically consistent across target projects. At the scale of 151+ compromised repositories, manual crafting of bespoke camouflage simply isn't feasible. The attackers are almost certainly using LLMs to generate context-appropriate cover changes, making each injection blend seamlessly into the project's history.

Invisible persistence

We described how future attacks would target not just source code, but the tooling and identity layers around it. Glassworm doesn't modify code in any way that a human reviewer can see. It hides in the encoding layer, beneath the abstraction that every modern development tool presents to the developer. You cannot catch this with visual code review. You cannot catch it with standard linting. The attack surface is the gap between what the machine executes and what the human perceives.

From Advisory to Action

Our team has already issued advisory MONDOO-ADV-2026-668sg covering the known affected npm packages — @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp — and we're tracking the campaign for further expansion.

But the advisory is the minimum. The real question Glassworm forces is whether your security posture accounts for threats that are literally invisible to your developers.

If your supply chain security strategy still relies on developers spotting suspicious code in pull requests, Glassworm is proof that this model is broken. The malicious payload is right there in the diff; you just can't see it. If your vulnerability management only covers known CVEs and published advisories, you're operating on a delay that attackers are designed to exploit. And if your security tooling treats npm, GitHub, your IDE extensions, and Open VSX as separate trust domains, you've built exactly the kind of siloed defense that Glassworm was engineered to bypass.

What to Do Now

For teams that want to get ahead of this class of attack rather than react to each new wave:

Scan your repositories and SBOMs for the known affected packages. Rotate any credentials or tokens on systems where those packages were installed. But don't stop there.

Deploy tooling that can detect invisible Unicode injection patterns across your codebase — not just in new dependencies, but in existing ones that may have been silently compromised. Audit your IDE extensions on both VS Code Marketplace and Open VSX; the transitive loading technique Glassworm used means a clean-looking extension can become malicious after install. Treat your CI/CD pipeline as an attack surface, not just a deployment mechanism. And audit the trust relationships between your developers' local environments, your build systems, and your package registries. Glassworm entered through any door it could find. Your defense needs to cover all of them.
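One way to implement the invisible-Unicode check recommended above (an added example, not Mondoo's tooling and not code from the campaign): it flags long runs of Private Use Area code points and, going beyond the range the article names, variation selectors and zero-width marks, which also render as nothing. The function names, the run threshold of 8, and the sample strings are assumptions constructed for illustration.

```javascript
// Added example, not from the original article: flag long runs of
// invisibly-rendered code points hidden in source text.
const INVISIBLE_RANGES = [
  [0xE000, 0xF8FF, 'private-use'],       // BMP Private Use Area
  [0xF0000, 0xFFFFD, 'private-use'],     // Supplementary Private Use Area-A
  [0x100000, 0x10FFFD, 'private-use'],   // Supplementary Private Use Area-B
  [0xFE00, 0xFE0F, 'variation-selector'],
  [0xE0100, 0xE01EF, 'variation-selector'],
  [0x200B, 0x200F, 'zero-width'],        // ZWSP, ZWNJ, ZWJ, LRM, RLM
];

function classify(cp) {
  const hit = INVISIBLE_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi);
  return hit ? hit[2] : null;
}

// One finding per run of >= minRun consecutive invisible code points.
// Short runs are ignored: emoji legitimately carry a variation selector or ZWJ.
function findInvisibleRuns(text, minRun = 8) {
  const findings = [];
  let line = 1, col = 0, run = null;
  const flush = () => {
    if (run && run.length >= minRun) findings.push(run);
    run = null;
  };
  for (const ch of text) {               // iterates by code point, not UTF-16 unit
    col += 1;
    const kind = classify(ch.codePointAt(0));
    if (kind) {
      if (!run) run = { line, column: col, length: 0, kinds: [] };
      run.length += 1;
      if (!run.kinds.includes(kind)) run.kinds.push(kind);
    } else {
      flush();
      if (ch === '\n') { line += 1; col = 0; }
    }
  }
  flush();
  return findings;
}

// Constructed samples: a template literal that renders as empty but holds
// 32 Private Use Area code points, and a benign line containing an emoji.
const hidden = String.fromCodePoint(...Array.from({ length: 32 }, (_, i) => 0xE000 + i));
const suspicious = 'const ok = 1;\nconst s = `' + hidden + '`;\n';
const benign = 'const heart = "\u2764\uFE0F";\n';

console.log(findInvisibleRuns(suspicious)); // one finding: line 2, column 12, length 32
console.log(findInvisibleRuns(benign));     // no findings
```

Run the same function over every file in a repository and over unpacked dependency and extension directories, not only over new pull requests. A finding in a file that also calls eval() deserves immediate review.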

The era of the software supply chain worm is no longer a forecast; it is here. It's the operating environment. Time to adapt.

About the Author

Patrick Münch


Co-Founder & CSO

Chief Security Officer (CSO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, with the goal of increasing the security level of companies and limiting the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
