
GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
Transitive Glassworm, Open Source, Dependency Attack
The Transitive Glassworm campaign is a sophisticated cyber attack targeting open-source software repositories, exploiting transitive dependencies to inject malicious code.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| ID | Data Source | Data Component | Analytic Description |
|---|---|---|---|
| DS0009 | Process | Process Creation | Monitor for unusual process creation activities that may indicate exploitation of public-facing applications, such as unexpected web server processes. |
| DS0029 | Network Traffic | Network Connection Creation | Analyze network traffic for anomalies in web protocol usage, such as unusual HTTP/S requests that could indicate command and control activity. |
| DS0017 | File | File Modification | Monitor for unauthorized modifications to software supply chain components, such as unexpected changes to source code repositories. |
DET0571
AN1575
Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Field | Description |
|---|---|
| ServiceNamePattern | Regex patterns to flag unusual service names or binaries |
| ParentProcessFilter | List of non-administrative processes starting service management tools |
| RegistryPathList | Monitored autorun locations (e.g., `HKLM\System\CurrentControlSet\Services`) |
Observed Countries (3)
DE (179)
GB (193)
US (763)