
Security experts at Bkav Group estimate that tens of thousands of programmers' computers have been infected with GlassWorm. The attack created a chain reaction: hackers turned these devices into springboards to penetrate corporate internal networks, manipulate source code, and then automatically replicate and spread the virus exponentially throughout the entire global software supply chain, including Vietnam.
This attack campaign did not focus on directly exploiting software vulnerabilities. Instead, hackers used stolen accounts and access tokens to inject malicious code into legitimate source code shared by programmers on code repositories and software utility platforms.
The malicious changes are made through legitimate-looking accounts, or are disguised with commit history metadata (author, message, and timestamp) that mirrors genuine updates, so they look normal and are hard to detect by eye or through preliminary checks.
“Hackers directly embed malicious commands into ‘invisible’ Unicode characters in the code, turning seemingly empty lines of text into covert attack tools. When viewed with the naked eye or during preliminary checks, the code appears completely normal. This makes it difficult for both programmers and traditional testing tools to detect any anomalies,” said Nguyen Dinh Thuy, a malware expert at Bkav.
Besides injecting malware into source code repositories, GlassWorm also uses "invisible" Unicode character injection in some of its attack methods to bypass automated verification systems. Instead of using conventional servers, which are easily detected and shut down, the campaign uses the Solana blockchain network to store and transmit control commands. This makes the attackers' command infrastructure decentralized and extremely difficult to take down. At the same time, the malware rotates between at least six C2 server IP addresses to maintain communication and conceal its activity.
When activated, the malware steals sensitive data such as cryptocurrency wallets, SSH keys, access authentication codes, and information about the programmer's system, and uses it to expand its foothold into the organization's systems. In particular, this attack has spread into programmers' daily work environment through development tools, extensions, or dependencies that have malware embedded in them.
In Vietnam, platforms like GitHub and npm are widely used in product development, from web and mobile applications to enterprise systems. If a popular library is injected with malware, the risk can spread to many domestic software projects and enterprise systems through the dependencies used by programmers. Bkav advises programmers and technology organizations to:
- Pin versions and disable automatic updates for libraries and extensions to prevent cross-infection through new updates.
- Integrate automated code scanning tools directly into the IDE or CI/CD pipeline for continuous scanning and early detection of obfuscated code or hidden characters.
- For source code repositories, require multi-factor authentication (MFA) and apply the principle of least privilege; disable force-push on critical branches.
- Ensure 100% of endpoints are equipped with professional antivirus software, combined with advanced EDR/XDR solutions to create a double layer of defense, specifically targeting stealth malware or malware that leaves no files on disk…
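The "invisible" Unicode injection described above, and the CI/IDE scanning Bkav recommends against it, can be illustrated with a small scanner. This is an added example written for this page, not Bkav's tool or GlassWorm's code; the sample file, the function names and the choice of codepoint ranges are assumptions, and the scan is a detection aid, not a full review.

```python
import sys
import unicodedata
from typing import List, Tuple

# Codepoint ranges that render as nothing in most editors and have no business
# in source code outside string literals (assumed set; extend as needed).
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
UNICODE_TAGS = [(0xE0000, 0xE007F)]


def is_invisible(ch: str) -> bool:
    """True for codepoints a code reviewer would not see on screen."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":  # zero-width, bidi controls, BOM, tags
        return True
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS + UNICODE_TAGS)


def find_hidden_chars(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, 'U+XXXX NAME') for every invisible codepoint.

    A byte-order mark as the very first character of the file is tolerated,
    since many Windows editors emit one and it is not a hiding technique."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                name = unicodedata.name(ch, "<unnamed>")
                hits.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return hits


# Constructed sample: a harmless-looking JS module whose blank-looking third
# line actually carries a zero-width space followed by two Unicode Tag chars.
SAMPLE = (
    "const x = 1;\n"
    "function run() { return x; }\n"
    "\u200b" + "".join(chr(0xE0000 + c) for c in b"ab") + "\n"
    "module.exports = run;\n"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    findings = find_hidden_chars(text)
    for line, col, what in findings:
        print(f"line {line} col {col}: {what}")
    sys.exit(1 if findings else 0)  # non-zero exit fails a CI step
```

Wire it into a pre-commit hook or CI job so a file with hidden codepoints blocks the merge until a human looks at it.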
Source: https://www.sggp.org.vn/glassworm-tan-cong-chuoi-cung-ung-phan-mem-post844638.html