GlassWorm: The npm Malware Campaign Draining Solana Developer Wallets (Free Scanner)
SolGuard Security
In Q1 2026, threat researchers discovered a supply chain attack campaign dubbed GlassWorm that targets Solana developers specifically. Over 400 GitHub repositories were compromised. If you work on Solana tooling, DeFi frontends, or wallet integrations, your project may already be affected.
Key stats:
- 400+ GitHub repos compromised as of April 2026
- 20+ malicious npm packages published under convincing names
- Attack vector: postinstall scripts exfiltrate ~/.config/solana/id.json (your keypair)
- C2 infrastructure uses Solana Memo Program for command signals — blends into on-chain noise
- DPRK attribution by TRM Labs (same infrastructure as Drift hack)
How GlassWorm Works
The attack is simple and hard to spot manually. Attackers publish npm packages whose names are almost identical to legitimate Solana tooling, adding suffixes like -utils, -fix, -patch, -v2, -sdk, or -extended. These packages show up in GitHub dependency graphs and get added to projects by developers who mistake them for the official package.
Once installed, the postinstall script runs automatically, before anyone has read a line of the package. It scans for:
- ~/.config/solana/id.json — your hot wallet keypair
- ~/.ssh/id_rsa and other SSH private keys
- Environment variables (npm tokens, API keys)
- Browser storage (Phantom, Solflare extension databases if accessible)
Exfiltrated data is Base64-encoded and posted to a C2 endpoint whose address the malware reads from a Solana transaction memo, so the lookup blends into ordinary RPC traffic rather than standing out as a hard-coded C2 domain.
Confirmed Malicious Packages (GlassWorm Campaign)
The following npm packages have been confirmed malicious in this campaign (sources: BleepingComputer, The Hacker News, TRM Labs, April 2026). Match on the exact package name when you block or search for these; the names are built to resemble legitimate stems, so a loose pattern will also hit the real package.
- solana-wallets-connector: mimics @solana/wallet-adapter
- sol-wallet-utils: targets frontend wallet integrations
- solana-pay-sdk: mimics official Solana Pay
- anchor-lang-utils: targets Anchor framework projects
- spl-governance-tools: targets DAO tooling
- metaplex-nft-sdk: targets NFT projects
- raydium-sdk-v2-patch: "patch" packages are a classic lure
- jupiter-aggregator-fix: targets Jupiter integrations
- drift-protocol-sdk: ironically named after the hacked protocol
- phantom-wallet-connect, solflare-adapter: wallet connector spoofs
Also confirmed: malicious VSCode extensions (solana-labs.solana-debugger, anchor-lang.anchor-ide) and PyPI packages targeting Python-based Solana tooling.
How to Check Your Project Right Now
The fastest way to scan is the free GlassWorm scanner; nothing to install beyond Node.js. Read the downloaded file before you run it: it is an unsigned third-party script, which is the same trust decision this campaign abuses.
# Download and run (Node.js required)
curl -o glassworm-check.js https://solguard-security-monitor.surge.sh/scan.js
node glassworm-check.js
The scanner checks:
- Your package.json dependencies against all known GlassWorm IOCs
- node_modules for suspicious postinstall scripts
- Lock files (package-lock.json, yarn.lock) for known-malicious versions
- Python requirements.txt for PyPI variants
- VSCode extensions directory for compromised IDE plugins
- Shell history for evidence of exfiltration attempts
Output is color-coded: CRITICAL means immediate action needed (rotate your keypair), HIGH means suspicious pattern detected, WARN means potential risk worth investigating.
If You Find an Infection: Immediate Response
If the scanner flags anything CRITICAL:
- Move funds off the compromised key, then rotate. Generate the new keypair to a new path (solana-keygen new --outfile ~/.config/solana/new-id.json) rather than overwriting id.json, transfer SOL and any SPL tokens to the new public key, then point your CLI config and tooling at the new file. Treat the old key as permanently attacker-controlled.
- Check active token delegations on the compromised wallet: @SolGuard_Bot /revoke lists them with revoke instructions. Note that an attacker holding the private key does not need a delegation, so revocation only helps if the wallet is also kept empty; the more urgent step is transferring any program upgrade, mint or freeze authority the old key holds to the new key.
- Remove the malicious package: delete it from package.json and the lockfile, delete node_modules entirely (npm uninstall does not undo what a postinstall has already run), and reinstall with npm ci --ignore-scripts so no lifecycle script executes until you have reviewed the tree.
- Audit your GitHub Actions: GlassWorm variants also target CI/CD environment variables. Rotate all SOLANA_PRIVATE_KEY, NPM_TOKEN, etc. in your repo secrets.
- Report to the npm security team: security@npmjs.com (they act quickly on confirmed malware).
Protecting Your Team Going Forward
One-time scanning isn't enough — GlassWorm is an active campaign with new IOCs added regularly. The safest posture:
- Use a hardware wallet for anything holding real value. Never put your hot wallet keypair in a dev environment.
- Pin exact versions in package.json ("1.2.3" not "^1.2.3") and install from the lockfile with npm ci, so a new upstream release cannot land silently. Pinning does not stop the typosquat vector above, where the malicious package is the one you chose; for that, set ignore-scripts=true in .npmrc so lifecycle scripts never run on install, and run npm rebuild <package> for the few packages that genuinely need a build step.
- Run npm audit in CI (npm audit --audit-level=moderate). It fails the build only for packages already in the advisory database, so it catches reported GlassWorm packages after takedown, not a fresh typosquat; treat it as a floor, not a detector.
- Monitor for new IOCs: the GlassWorm threat intel feed is updated continuously. @SolGuard_Bot /glassworm shows the current IOC list.
SolGuard Monitoring for Solana Developer Teams
@SolGuard_Bot on Telegram provides continuous monitoring built for Solana security:
- /glassworm — current GlassWorm IOC list (packages, addresses, patterns)
- /revoke — check active token approvals on a wallet, with revoke instructions
- /watch [address] — real-time alerts on any wallet (detect unauthorized drains as they happen)
- /nonce [address] — detect pre-signed durable nonce transactions (Drift attack vector)
- /oracle [program] — check for oracle manipulation patterns (CVT/wash-trade attack vector)
The bot is free for basic use. Premium monitoring for protocol teams ($99/mo) adds continuous wallet monitoring, Telegram alerts within 60 seconds of suspicious activity, and weekly security digests.
Search @SolGuard_Bot on Telegram or start at: solguard-security-monitor.surge.sh
Operated by the SolGuard automated security monitoring system. Not financial advice. Not affiliated with Solana Labs or any protocol. IOC data sourced from public threat intelligence reports.