Edited by humans. Written by AI. How our editing works
All articles

Malware Now Uses Blockchain for Command and Control

Sophisticated malware campaign uses invisible Unicode characters and Solana blockchain transactions to evade detection and communicate with attackers.

Samira Barnes

Written by AI. Samira Barnes

March 24, 20265 min read
Share:
A skeptical programmer with glasses sits next to Python code with a large red arrow pointing at it against a dark background

Photo: Low Level / YouTube

The open-source software world runs on trust. That trust is being turned into a weapon -- and anyone who writes code should pay attention.

Security researchers found a malware campaign called Glassworm. It exploits two things developers take for granted: that code looks right in text editors, and that real infrastructure can't be hijacked for shady purposes.

Both of those beliefs are wrong.

The Invisible Payload

The attack starts with code you simply can't see. Malware authors hide harmful JavaScript in npm packages and VS Code extensions. They use Unicode variation selectors -- characters in the Unicode spec that show up as nothing. Zero width. Invisible.

Open the infected file in VS Code, Vim, or GitHub's web view. You'll see clean code with maybe some odd gaps between lines. What you won't see is thousands of characters of malicious code hiding in those gaps.

As Low Level, the security researcher, explains: "If you were to open a file like this in VS Code or I think even Vim in some cases, this piece of code would not render as anything. And I think even in a GitHub commit, you wouldn't see any code inside this block."

The delivery method is simple once the hiding works. A loader strips the Unicode markers and feeds the revealed code to eval(). This runs any command on the target machine. The trick isn't in running the code. It's in making the payload invisible to human eyes.

Blockchain as Communications Infrastructure

What sets Glassworm apart from typical supply chain attacks is how it talks to its controllers. Instead of standard command-and-control servers that can be shut down or blocked, the malware uses the Solana blockchain to relay orders.

This isn't a crypto gimmick. It's a smart abuse of blockchain's core traits:

Permanence: Once a transaction hits Solana's blockchain, it can't be erased or changed. The instructions live on forever, spread across the global network.

Built-in anonymity: Blockchain wallets need no identity checks. Tracing the attacker becomes nearly impossible.

Normal-looking traffic: Solana transactions are legal, widely used financial activity. Blocking all Solana traffic would also block real business.

Tiny cost: Each command costs a fraction of a cent to send.

The malware bakes attacker wallet addresses into its payload. When it runs, it starts a Solana transaction. To network monitors, this looks like normal crypto activity. It then pulls command server URLs from the transaction data. Those URLs point to the real payload.

"I didn't know you could communicate over crypto. I didn't realize you could like send messages," Low Level notes. That gap in knowledge isn't just his. It likely exists in many corporate security teams.

After Infection: Botnet Recruitment

The malware doesn't stop at stealing data. After grabbing credentials and encrypting the haul with AES-256-CBC, it uses a Google Calendar invite to download a second payload. That payload turns the infected machine into a proxy server. Yes, a calendar invite.

Victims become unwitting members of a criminal network. Their computers relay traffic and hide the true source of later attacks. Meanwhile, stolen GitHub tokens let the malware spread into Python repos. It targets Django apps, machine learning projects, and pip packages.

This self-copying method echoes the earlier Shy Hound campaign. That one infected npm maintainers to plant backdoors that spread with each update. Glassworm uses the same playbook across both JavaScript and Python.

Known infected packages include React Native International Phone Number and React Native Country Select. The malware skips Russian-language systems. That's a geographic hint that narrows down who might be behind it, though it doesn't confirm anything.

The Trust Problem That Can't Be Solved

The hard truth behind this campaign is baked into how we build software. Modern development means pulling in dozens or hundreds of outside packages. No team can review every line of code in every one.

"Unfortunately, the nature of like the Python, Node, and Open VSX like marketplace ecosystem is that you don't read like over half the code you use, which is like kind of terrifying," Low Level says. "A lot of it is dependent on trust."

That trust rests on proxy signals: GitHub stars, download counts, publisher reputation. But all of these can be faked. Star counts can be pumped up. Download numbers can be spoofed. Real maintainers can have their logins stolen.

The usual advice -- check packages before installing, look for red flags, verify the publisher -- assumes a level of care that doesn't match real work. Dependencies get added during deadline crunches. They come in through framework requirements. They get inherited from starter templates.

What Actually Works

Real defenses exist. But they need to go beyond trusting each developer to stay alert. They require system-level choices:

Static analysis tools: Automated scans can catch patterns like self-decoding strings passed to eval(). These red flags are detectable. The question is whether your build pipeline has the tools to spot them.

Zero trust design: Assume a breach will happen. Then limit what an attacker can reach. Network segmentation, least-privilege access, and multi-factor login on key actions like code commits all shrink the damage when credentials get stolen.

Dependency pinning and hash checks: Lock files and cryptographic hashes make sure that even if a package is hijacked after you install it, updates need your explicit approval.

Network monitoring: Blocking Solana transactions may not be practical. But watching for odd blockchain activity from dev machines can flag infections early.

None of these ideas are new. They've been best practices for years. The real weak point is the gap between knowing what to do and actually doing it.

The Glassworm campaign shows that malware authors know developer habits, trust patterns, and infrastructure limits better than many security teams. They're not exploiting unknown flaws. They're exploiting the known gap between how software should be built and how it really is.

Samira Okonkwo-Barnes is Buzzrag's tech policy and regulation correspondent.

From the BuzzRAG Team

We Watch Tech YouTube So You Don't Have To

Get the week's best tech insights, summarized and delivered to your inbox. No fluff, no spam.

Weekly digestNo spamUnsubscribe anytime

More Like This

Man in blue shirt holding a sandwich with GitHub logo on his forehead against dark background with "Open Source Hidden…

Seven Open-Source AI Tools Changing Development in 2026

From prompt testing to guardrail removal, these seven open-source AI tools represent a significant shift in how developers build—and what that means for security.

Rachel "Rach" Kovacs·4 months ago·6 min read
A bearded warrior figure in golden helmet and armor stands beside white and red text reading "AXIOS HACK" with "The Code…

Axios RAT Attack: What Happened and How to Check If You're Hit

A sophisticated remote access trojan infiltrated Axios through a rogue dependency. Here's how the attack worked and what developers need to do now.

Yuki Okonkwo·4 months ago·6 min read
Arrow pointing from colorful app icons to a pink "G" letter on black background with "REPLACED" text at top

Appwrite vs Firebase: Open-Source Alternative Gains Ground

Developers are switching to Appwrite for backend services. Here's what the open-source Firebase alternative offers—and what it doesn't.

Samira Barnes·4 months ago·6 min read
Man in black shirt gesturing while speaking, with code and data visualizations in background, "think series" logo and…

IBM's 2026 Threat Report: Cybersecurity Got Worse

IBM's latest threat intelligence index reveals alarming trends: 56% of vulnerabilities need zero authentication, ransomware groups up 49%, and AI is changing everything.

Zara Chen·5 months ago·6 min read
Four podcast panelists discuss the 2026 Security Intelligence Threat Intelligence Index against a backdrop of bookshelves…

Why Hackers Are Ditching Stolen Passwords for Apps

Public-facing app exploits surged 44% while credential theft dropped. IBM's new threat report reveals what's driving the shift—and why it matters.

Marcus Chen-Ramirez·5 months ago·6 min read
Woman presenting in front of a blackboard with diagrams, promoting the "think series" episode on using synthetic data to…

How Synthetic Data Generation Solves AI's Training Problem

IBM researchers explain how synthetic data generation addresses privacy, scale, and data scarcity issues in AI model training workflows.

Samira Barnes·5 months ago·6 min read
Smartphone displaying YouTube's time management settings for Shorts feed limits, with blue-to-pink gradient background and…

YouTube Lets Users Finally Kill Shorts Feed—With Caveats

YouTube now allows users to set a zero-minute daily limit on Shorts, effectively removing them from feeds. Here's what the feature actually does—and doesn't—do.

Samira Barnes·3 months ago·5 min read
Yellow "POWER BI" text with arrow pointing to red chat bubble icon containing a bar chart graphic on dark background

Redash: The Open-Source BI Tool Built for SQL, Not Scale

Redash offers developers a SQL-first alternative to Tableau and Power BI. But its design choices reveal competing visions for who should own analytics.

Samira Barnes·3 months ago·5 min read

RAG·vector embedding

2026-04-15
1,288 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.