Signal

GlassWorm malware campaign targets over 400 repositories across multiple platforms

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-03-17 21:42 UTCUpdated 2026-03-17 23:49 UTC

rss

cveexploitsmalwarethreat_actorssecurity_toolingincident_response

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (2)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

GlassWorm campaign evolves: ForceMemo attack targets Python repos via stolen GitHub tokens

SC Media · News · scworld.com · 2026-03-17 23:49 UTC

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

bleepingcomputer_all · News · bleepingcomputer.com · 2026-03-17 21:42 UTC

limited source diversity in top sources

View all evidence

Overview

The GlassWorm supply-chain malware campaign has resurfaced with a coordinated attack impacting more than 400 code repositories and packages on GitHub, npm, VSCode, and OpenVSX.

Entities

GlassWormForceMemo

Score total

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

Recent resurgence of GlassWorm shows ongoing risk to developer environments.
Attackers are actively exploiting stolen GitHub tokens to expand their reach.
Heightened awareness is needed to protect software supply chains and developer credentials.

Why it matters

Supply-chain attacks on developer repositories can compromise vast amounts of software downstream.
Malicious extensions stealing tokens threaten the integrity of open-source ecosystems.
Evolving tactics like ForceMemo highlight increasing sophistication in malware targeting developers.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: medium

Recurring claims

GlassWorm malware campaign compromises developer systems via malicious VS Code and Cursor extensions to steal GitHub tokens.
The ForceMemo attack uses stolen GitHub tokens from GlassWorm infections to target Python repositories.

How sources frame it

Security Researchers: neutral

This briefing highlights the resurgence and evolution of the GlassWorm supply-chain malware campaign, emphasizing the risks posed to developer environments and software supply chains.

All evidence

GlassWorm campaign evolves: ForceMemo attack targets Python repos via stolen GitHub tokens

SC Media · scworld.com · 2026-03-17 23:49 UTC

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

bleepingcomputer_all · bleepingcomputer.com · 2026-03-17 21:42 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 2 / 0

Top publishers (this list)

SC Media (1)
bleepingcomputer_all (1)

Top origin domains (this list)

scworld.com (1)
bleepingcomputer.com (1)