Malware Now Uses Blockchain for Command and Control
Sophisticated malware campaign uses invisible Unicode characters and Solana blockchain transactions to evade detection and communicate with attackers.
Written by AI. Samira Okonkwo-Barnes
March 24, 2026
Photo: Low Level / YouTube
The open-source software world runs on trust. That trust is being turned into a weapon -- and anyone who writes code should pay attention.
Security researchers found a malware campaign called Glassworm. It exploits two things developers take for granted: that code looks right in text editors, and that real infrastructure can't be hijacked for shady purposes.
Both of those beliefs are wrong.
The Invisible Payload
The attack starts with code you simply can't see. Malware authors hide harmful JavaScript in npm packages and VS Code extensions. They use Unicode variation selectors -- characters in the Unicode spec that show up as nothing. Zero width. Invisible.
Open the infected file in VS Code, Vim, or GitHub's web view. You'll see clean code with maybe some odd gaps between lines. What you won't see is thousands of characters of malicious code hiding in those gaps.
As Low Level, the security researcher, explains: "If you were to open a file like this in VS Code or I think even Vim in some cases, this piece of code would not render as anything. And I think even in a GitHub commit, you wouldn't see any code inside this block."
The delivery method is simple once the hiding works. A loader strips the Unicode markers and feeds the revealed code to eval(). This runs any command on the target machine. The trick isn't in running the code. It's in making the payload invisible to human eyes.
Blockchain as Communications Infrastructure
What sets Glassworm apart from typical supply chain attacks is how it talks to its controllers. Instead of standard command-and-control servers that can be shut down or blocked, the malware uses the Solana blockchain to relay orders.
This isn't a crypto gimmick. It's a smart abuse of blockchain's core traits:
Permanence: Once a transaction hits Solana's blockchain, it can't be erased or changed. The instructions live on forever, spread across the global network.
Built-in anonymity: Blockchain wallets need no identity checks. Tracing the attacker becomes nearly impossible.
Normal-looking traffic: Solana transactions are legal, widely used financial activity. Blocking all Solana traffic would also block real business.
Tiny cost: Each command costs a fraction of a cent to send.
The malware bakes attacker wallet addresses into its payload. When it runs, it starts a Solana transaction. To network monitors, this looks like normal crypto activity. It then pulls command server URLs from the transaction data. Those URLs point to the real payload.
"I didn't know you could communicate over crypto. I didn't realize you could like send messages," Low Level notes. That gap in knowledge isn't just his. It likely exists in many corporate security teams.
After Infection: Botnet Recruitment
The malware doesn't stop at stealing data. After grabbing credentials and encrypting the haul with AES-256-CBC, it uses a Google Calendar invite to download a second payload. That payload turns the infected machine into a proxy server. Yes, a calendar invite.
Victims become unwitting members of a criminal network. Their computers relay traffic and hide the true source of later attacks. Meanwhile, stolen GitHub tokens let the malware spread into Python repos. It targets Django apps, machine learning projects, and pip packages.
This self-copying method echoes the earlier Shy Hound campaign. That one infected npm maintainers to plant backdoors that spread with each update. Glassworm uses the same playbook across both JavaScript and Python.
Known infected packages include React Native International Phone Number and React Native Country Select. The malware skips Russian-language systems. That's a geographic hint that narrows down who might be behind it, though it doesn't confirm anything.
The Trust Problem That Can't Be Solved
The hard truth behind this campaign is baked into how we build software. Modern development means pulling in dozens or hundreds of outside packages. No team can review every line of code in every one.
"Unfortunately, the nature of like the Python, Node, and Open VSX like marketplace ecosystem is that you don't read like over half the code you use, which is like kind of terrifying," Low Level says. "A lot of it is dependent on trust."
That trust rests on proxy signals: GitHub stars, download counts, publisher reputation. But all of these can be faked. Star counts can be pumped up. Download numbers can be spoofed. Real maintainers can have their logins stolen.
The usual advice -- check packages before installing, look for red flags, verify the publisher -- assumes a level of care that doesn't match real work. Dependencies get added during deadline crunches. They come in through framework requirements. They get inherited from starter templates.
What Actually Works
Real defenses exist. But they need to go beyond trusting each developer to stay alert. They require system-level choices:
Static analysis tools: Automated scans can catch patterns like self-decoding strings passed to eval(). These red flags are detectable. The question is whether your build pipeline has the tools to spot them.
Zero trust design: Assume a breach will happen. Then limit what an attacker can reach. Network segmentation, least-privilege access, and multi-factor login on key actions like code commits all shrink the damage when credentials get stolen.
Dependency pinning and hash checks: Lock files and cryptographic hashes make sure that even if a package is hijacked after you install it, updates need your explicit approval.
Network monitoring: Blocking Solana transactions may not be practical. But watching for odd blockchain activity from dev machines can flag infections early.
None of these ideas are new. They've been best practices for years. The real weak point is the gap between knowing what to do and actually doing it.
The Glassworm campaign shows that malware authors know developer habits, trust patterns, and infrastructure limits better than many security teams. They're not exploiting unknown flaws. They're exploiting the known gap between how software should be built and how it really is.
Samira Okonkwo-Barnes is Buzzrag's tech policy and regulation correspondent.
Watch the Original Video
malware is getting way too advanced
Low Level
8m 0sAbout This Source
Low Level
Low Level is a significant presence in the cybersecurity discourse on YouTube, boasting nearly 990,000 subscribers. Since its inception in October 2025, the channel has become a hub for insightful and detailed analyses of cybersecurity and software security issues, appealing to both industry professionals and tech enthusiasts.
Read full source profileMore Like This
Appwrite vs Firebase: Open-Source Alternative Gains Ground
Developers are switching to Appwrite for backend services. Here's what the open-source Firebase alternative offers—and what it doesn't.
Reverse Engineering: Cracking Software and Policy Challenges
Exploring reverse engineering, its implications, and the evolving policy challenges.
Why Hackers Are Ditching Stolen Passwords for Apps
Public-facing app exploits surged 44% while credential theft dropped. IBM's new threat report reveals what's driving the shift—and why it matters.
How Synthetic Data Generation Solves AI's Training Problem
IBM researchers explain how synthetic data generation addresses privacy, scale, and data scarcity issues in AI model training workflows.