22. March 2026 | Print article |

Software Supply Chain Under Fire: How GlassWorm Compromised 400+ Developer Tools

5 min Reading Time

454,648 new malicious packages identified in open-source registries in 2025 alone – 75 percent more than the previous year. And in March 2026, the GlassWorm campaign revealed just how industrialized software supply chain attacks have become: 433 compromised components in a single week, hidden using invisible Unicode characters and AI-generated cover commits. For companies that don’t systematically monitor their open-source dependencies, their own development environment has become a backdoor.

TL;DR

  • 454,648 new malicious packages identified in open-source registries in 2025, with over 1.2 million known malware packages cumulatively (Sonatype, January 2026).
  • GlassWorm compromised over 433 components in March 2026: 72 VS Code extensions, 88 npm packages, 151+ GitHub repositories (Aikido Security / BleepingComputer).
  • 75 percent growth in open-source malware, downloads rising to 9.8 trillion (Sonatype 2026 Report).
  • 65 percent of all open-source CVEs lack a CVSS score from the NVD – creating a massive assessment gap (Sonatype 2026).
  • NIS2 explicitly mandates supply chain risk management. The BSI has defined the SBOM requirement as a foundation via TR-03183-2.

GlassWorm: Anatomy of an Industrialized Attack

In March 2026, security researchers from Aikido Security uncovered one of the most sophisticated supply chain campaigns to date. The operation, dubbed GlassWorm, compromised over 433 software components in less than two weeks: 72 Visual Studio Code extensions in the Open VSX Marketplace, 88 npm packages, and more than 151 GitHub repositories.

What made GlassWorm stand out wasn’t just the volume – but the method. Attackers used invisible Unicode characters – known as variation selectors and private-use area codes – to hide malicious code within source files. To human reviewers, the code appeared clean. Only automated byte-sequence analysis revealed the hidden payloads.

Adding to the deception were AI-generated “cover commits” – harmless-looking code changes designed to obscure the actual malicious code in the commit history. Communication with command-and-control servers occurred via the Solana blockchain, with Google Calendar as a fallback channel. Traditional network monitoring tools fail to detect such traffic because it flows through legitimate services.

454,648
new malicious packages in open-source registries (2025)
Source: Sonatype, State of the Software Supply Chain Report 2026

The objectives: harvesting npm, GitHub, and Git configuration credentials, draining cryptocurrency wallets, and installing persistent backdoors into developers’ environments. Anyone who installed a compromised VS Code extension granted attackers full access to their entire workstation – including all stored login credentials.

The Industrialization of the Software Supply Chain as an Attack Surface

GlassWorm is no isolated incident. According to the Sonatype “State of the Software Supply Chain Report 2026”, over 454,648 new malicious packages were identified in open-source registries like npm, PyPI, and Maven Central in 2025 alone – a 75 percent increase from the previous year. Cumulatively, more than 1.2 million known malware packages are now documented.

Attack methods have fundamentally evolved. While supply chain attacks a few years ago were typically carried out by individual actors exploiting typos in package names (typosquatting), today’s operations are conducted by state-backed groups using industrial-scale techniques. In 2025, the Lazarus Group (North Korea) deployed multi-stage payload chains, where a single tampered package triggered a cascade of five additional malicious components.

The “Shai-Hulud” incident marks another turning point: the first self-replicating npm worm, which created over 500 new packages in the registry within days. Now, 55.9 percent of all documented malicious packages use repository abuse as their primary distribution method – registries are being systematically exploited like advertising platforms.

Brian Fox, CTO of Sonatype, sums up the situation: Open source is now production infrastructure, attackers know it, and AI is accelerating the entire system. Trust must keep pace with the machine speed of software – requiring automated protections embedded in workflows, not just post-hoc reports (Sonatype, State of the Software Supply Chain Report 2026).

Why Traditional Security Concepts Fail

Three structural issues make defending against supply chain attacks particularly difficult:

The NVD Assessment Gap: According to Sonatype, 65 percent of all open-source CVEs lack a CVSS score from the National Vulnerability Database (NVD). Vulnerability scanners relying solely on NVD data are therefore systematically blind to a large portion of known vulnerabilities. Companies relying exclusively on automated scans are lulled into a false sense of security.

Developer Workstations as Blind Spots: IDE extensions are rarely monitored by IT security teams in most organizations. The GlassWorm campaign specifically targeted this blind spot: VS Code extensions have extensive host system permissions but are seldom treated like software installations. In March 2026, Microsoft additionally warned about AI assistant extensions stealing chat histories from Copilot and other LLM tools.

AI vs. Manual Code Reviews: When attackers use AI-generated cover commits, manual code reviews are no longer sufficient. The speed at which new malicious packages are created and distributed exceeds human analysts’ capacity. Automated detection based on behavioral analysis – not just signature checks – has become mandatory.

65 %
of all open-source CVEs without CVSS score from NVD
Source: Sonatype, State of the Software Supply Chain Report 2026

NIS2 and the Supply Chain Mandate

For companies in Germany, securing the software supply chain is no longer optional. NIS2 explicitly requires supply chain security measures under Article 21. The BSI (Federal Office for Information Security) has defined the SBOM as a mandatory tool through Technical Guideline TR-03183-2.

The consequence: companies must document which open-source components are embedded in their products and internal tools. They must have processes in place to respond quickly when vulnerabilities in these components are disclosed. And they must conduct risk assessments for their critical suppliers – including software vendors.

The IBM X-Force Threat Intelligence Index 2026 confirms the urgency: exploitation of publicly accessible applications rose by 44 percent, largely driven by missing authentication controls and AI-assisted vulnerability discovery by attackers.

Seven Measures Against Supply Chain Attacks

1. Implement extension whitelisting. IDE extensions, browser add-ons, and CLI tools should only be installable from approved lists. VS Code supports this via the “extensions.allowed” setting in enterprise policies.

2. Generate SBOMs for all products and internal tools. Use formats like CycloneDX or SPDX, automatically generated within the CI/CD pipeline. Without an SBOM, you lack visibility into your own dependencies.

3. Enable dependency scanning in the CI/CD pipeline. Tools like Snyk, Grype, or Dependabot automatically check every build for known vulnerabilities in used packages.

4. Use Sigstore verification for critical packages. Sigstore enables cryptographic signing and verification of software artifacts. Tampered packages without valid signatures are automatically blocked.

5. Apply Zero Trust to development environments. Developer workstations require the same security level as production servers: EDR, network segmentation, privileged access control. The era of developer machines being treated as special exceptions is over.

6. Supplement NVD data with commercial threat intelligence. Given the 65 percent gap in CVSS scoring, scanners relying solely on NVD data are insufficient. Services like Sonatype, Snyk, or Tidelift provide more timely and comprehensive vulnerability data.

7. Define an incident response plan for supply chain incidents. Who is responsible when a compromised library is discovered? How quickly can affected systems be identified and patched? These processes must be in place before an incident occurs – not after.

Conclusion

Software supply chain attacks are industrialized in 2026. The GlassWorm campaign demonstrates how attackers simultaneously compromise IDE extensions, npm packages, and GitHub repositories, masked by invisible Unicode characters and AI-generated commits. For IT security leaders, this means: your development environment is no longer trustworthy unless actively secured. NIS2 makes supply chain risk management mandatory, and the BSI provides the SBOM guideline as the essential tool. Those who fail to act now will be caught unprepared by the next GlassWorm.

Frequently Asked Questions

What exactly is a software supply chain attack?

An attack that doesn’t target the organization directly, but instead compromises a software component used by the company. This can include open-source libraries, IDE extensions, build tools, or packages from public registries like npm or PyPI. The malicious code is automatically distributed with the next update or installation.

How can I tell if my company is affected?

Without an SBOM and dependency scanning, the honest answer is: probably not at all. The first step is taking inventory of all open-source components in use. Tools like Grype or Syft can automatically generate SBOMs and cross-check them against known vulnerability databases.

Does a Web Application Firewall protect against supply chain attacks?

No. A WAF protects applications from external network-level attacks. Supply chain attacks originate from within – via compromised dependencies trusted as legitimate. Protection here comes from dependency scanning, SBOM management, and extension whitelisting.

What exactly does NIS2 require for the software supply chain?

Article 21 of the NIS2 directive mandates security measures for the supply chain, including relationships with direct suppliers and service providers. The BSI specifies this in TR-03183-2 through the SBOM requirement. Companies must document which components they use and demonstrate processes for rapid response to vulnerabilities.

How expensive is securing the software supply chain?

For SMEs with an existing CI/CD pipeline, one-time costs range from 10,000 to 30,000 Euro (tooling, SBOM implementation, extension policies), plus ongoing costs for commercial vulnerability databases (2,000-10,000 Euro/year). Without a CI/CD pipeline, costs rise to 40,000-80,000 Euro due to the need to first build the infrastructure.

Further Reading

SBOM Practice Check: Implementing the Software Bill of Materials by September 2026 (SecurityToday)

NIS2 in Germany: What Companies Need to Know and Implement Now (SecurityToday)

AI Phishing: 82 Percent of Attack Emails Generated by Machines (SecurityToday)

NIS2 and the SaaS Supply Chain: The Compliance Gap (cloudmagazin)

More from the MBF Media Network

Container Supply Chain Security: SBOM and Docker Hardening – cloudmagazin

Cyber Resilience Act: What Manufacturers Must Do Now – MyBusinessFuture

CIOs Under Pressure: AI Governance and Compromises – Digital Chiefs

Header Image Source: Pexels / Markus Spiske (px:1089438)

Print article
Benedikt Langer

About the author: Benedikt Langer

More articles by

Also available in

FrançaisEspañolDeutsch
A magazine by Evernine Media GmbH