Campaign · Open Source · 2026-03-03 · 15 days · Credential Theft

Glassworm hid credential theft in Unicode

The March 2026 Glassworm wave used invisible PUA Unicode, Solana dead drops, staged loaders, and compromised official repositories to hide credential theft inside JavaScript packages, VS Code extensions, and GitHub source trees.

Story

Glassworm made source text itself part of the delivery system. In March 2026, the operators hid JavaScript inside invisible Unicode characters, so a reviewer could open the file, see a harmless-looking string, and miss the executable payload entirely. The loader reversed that trick at runtime, decoded the hidden bytes, and handed them to JavaScript for execution.

The first March cluster was mostly a source-repository problem. Aikido found more than 150 GitHub repositories carrying Glassworm-like commits, including the more visible pedronauck/reworm repository. That gave the campaign a quiet staging surface: poisoned code could sit in public trees, pass casual review, and later reach developers who cloned, forked, or vendored the affected projects.

The second cluster moved through official distribution channels. Aikido connected npm packages such as react-native-country-select, react-native-international-phone-number, @aifabrix/miso-client, and @iflow-mcp/watercrawl-watercrawl-mcp, plus the quartz.quartz-markdown-editor VS Code extension. Some artifacts were registry releases with versions and download paths; others were repository commits. The individual attack records keep those trust boundaries separate.

The payload family focused on developer credentials and execution context. Reports describe staged loaders, Solana-based dead drops, environment-aware execution, and theft from the places a developer workstation or CI runner naturally exposes: tokens, cloud credentials, package-registry secrets, and local configuration files.

The campaign matters because the concealment method attacked the review process itself. Package maintainers could compare a diff and still miss the working code. Security teams had to search for invisible characters, not just suspicious strings, and then map each hit back to the distribution surface that could have put it on a machine.
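The concealment described above is a detection problem before it is a review problem: a reviewer needs tooling that finds the characters the eye cannot see. The Node.js scanner below is an added example, not tooling from this campaign record or from Aikido. It walks source text by code point, reports Private Use Area characters and zero-width or bidi format characters with line and column, and groups consecutive PUA characters into runs so that a hidden blob inside a string literal stands out from a single stray glyph. The code point ranges, the run threshold, and the constructed sample input are assumptions made for the example.

```javascript
// Added example (not the campaign record's own tooling): scan source text for
// Private Use Area and invisible format code points that can carry hidden data.

// Unicode Private Use Area ranges (assumption: any PUA code point in source is worth reporting).
const PUA_RANGES = [
  [0xe000, 0xf8ff],     // Basic Multilingual Plane Private Use Area
  [0xf0000, 0xffffd],   // Supplementary Private Use Area-A
  [0x100000, 0x10fffd], // Supplementary Private Use Area-B
];

// Format characters that render as nothing: soft hyphen, zero-width space/joiners,
// word joiner, invisible operators, bidi controls, and the byte-order mark.
const INVISIBLE = new Set([
  0x00ad, 0x034f, 0x061c, 0x180e, 0x200b, 0x200c, 0x200d, 0x200e, 0x200f,
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e, 0x2060, 0x2061, 0x2062, 0x2063,
  0x2064, 0x2066, 0x2067, 0x2068, 0x2069, 0xfeff,
]);

// Minimum consecutive PUA code points before a run is reported as a likely hidden blob.
// Assumption: legitimate source rarely contains more than a few PUA characters in a row.
const RUN_THRESHOLD = 8;

function isPua(cp) {
  return PUA_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

function formatCp(cp) {
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// Walk the text by code point (for..of yields whole code points, not UTF-16 halves)
// and record every PUA or invisible character with its 1-based line and column.
function scanSource(text) {
  const findings = [];
  let line = 1;
  let col = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line += 1; col = 0; continue; }
    col += 1;
    if (isPua(cp)) findings.push({ line, col, cp: formatCp(cp), kind: 'pua' });
    else if (INVISIBLE.has(cp)) findings.push({ line, col, cp: formatCp(cp), kind: 'invisible' });
  }
  return findings;
}

// Group adjacent PUA findings on the same line into runs. A long run is the shape
// a hidden payload takes; an isolated PUA character is more often font or icon noise.
function puaRuns(findings) {
  const runs = [];
  let current = null;
  for (const f of findings) {
    if (f.kind !== 'pua') { current = null; continue; }
    if (current && current.line === f.line && f.col === current.endCol + 1) {
      current.endCol = f.col;
      current.length += 1;
    } else {
      current = { line: f.line, startCol: f.col, endCol: f.col, length: 1 };
      runs.push(current);
    }
  }
  return runs;
}

// Verdict a CI step can gate on: any long PUA run, or any invisible character at all.
function assess(text) {
  const findings = scanSource(text);
  const longRuns = puaRuns(findings).filter((r) => r.length >= RUN_THRESHOLD);
  const invisibleCount = findings.filter((f) => f.kind === 'invisible').length;
  return {
    findings,
    longRuns,
    invisibleCount,
    suspicious: longRuns.length > 0 || invisibleCount > 0,
  };
}

// Constructed sample: a clean line, a string literal holding 12 arbitrary PUA code
// points (placeholder characters, not a real payload), and a zero-width space
// spliced into an identifier.
const hiddenBlob = Array.from({ length: 12 }, (_, i) => String.fromCodePoint(0xe000 + i)).join('');
const SAMPLE = [
  'const greeting = "hello";',
  `const data = "${hiddenBlob}";`,
  'const user\u200Bname = greeting;',
].join('\n');

// Constructed clean input for comparison.
const CLEAN = 'export function add(a, b) { return a + b; }\n';

const sampleResult = assess(SAMPLE);
for (const run of sampleResult.longRuns) {
  console.log(`PUA run of ${run.length} code points at line ${run.line}, cols ${run.startCol}-${run.endCol}`);
}
console.log(`invisible characters: ${sampleResult.invisibleCount}, suspicious: ${sampleResult.suspicious}`);
console.log(`clean file suspicious: ${assess(CLEAN).suspicious}`);
```

Run it with `node scan.js` and it reports one 12-character PUA run on line 2 and one invisible character on line 3 for the constructed sample, and nothing for the clean input. Wiring `assess` over every text file in a changed diff gives a pre-merge gate that does not depend on the reviewer noticing an empty-looking string.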

Linked Attacks

2026: 6 entries (6 open source, 0 proprietary)
Top vector: Package registry · Top payload point: Distribution

March 2026 (6 entries)

miso-client hid Glassworm payload

Glassworm published @aifabrix/miso-client 4.7.2 with invisible Unicode JavaScript. The code looked empty in review but decoded to malware at runtime.

Campaign Context

Actor: Third Party
Attribution: Group
Cause: Unknown

Affected Packages

Notes

  • Aikido reported react-native-country-select and react-native-international-phone-number had 29,763 combined weekly downloads and 134,887 combined monthly downloads on March 16, 2026; these download counts are context, not confirmed infection counts.
  • Aikido reported 151 GitHub repositories with Glassworm-like Unicode payloads in the March 2026 wave; this campaign groups that broader source-repository scope without creating one record per small repository.
  • Notable repositories named by Aikido include pedronauck/reworm, doczjs/docz-plugin-css, wasmer-examples/hono-wasmer-starter, anomalyco/opencode-bench, uknfire/theGreatFilter, and sillyva/rpg-schedule.

External References

Source record: oss/campaigns/glassworm-march-2026/meta.yaml