GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

Tags: Transitive Glassworm, Open Source, Dependency Attack
The Transitive Glassworm campaign is a sophisticated cyber attack targeting open-source software repositories, exploiting transitive dependencies to inject malicious code.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DS0009 | Process | Process Creation | Monitor for unusual process creation activities that may indicate exploitation of public-facing applications, such as unexpected web server processes. |
| DS0029 | Network Traffic | Network Connection Creation | Analyze network traffic for anomalies in web protocol usage, such as unusual HTTP/S requests that could indicate command and control activity. |
| DS0017 | File | File Modification | Monitor for unauthorized modifications to software supply chain components, such as unexpected changes to source code repositories. |
Detection strategy DET0571, analytic AN1575

Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |

Mutable Elements

| Field | Description |
|---|---|
| ServiceNamePattern | Regex patterns to flag unusual service names or binaries |
| ParentProcessFilter | List of non-administrative processes starting service management tools |
| RegistryPathList | Monitored autorun locations (e.g., `HKLM\System\CurrentControlSet\Services`) |
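The following is an added worked example, not code from the campaign page or from the ATT&CK project, showing how the DET0571 / AN1575 logic above can be expressed over the three log sources. It wires the three mutable elements (ServiceNamePattern, ParentProcessFilter, RegistryPathList) into one check per event type; the event records, field names and default pattern values are constructed assumptions for illustration, not real telemetry or the project's own defaults.

```python
"""Reference implementation of the DET0571 / AN1575 analytic: flag creation or
modification of Windows services using three tunable elements.  Events are
constructed dicts that mimic the fields of Security 4697 and Sysmon 1/13/14;
they are sample data, not real telemetry."""
import re
import ntpath

# --- Mutable elements (illustrative defaults; tune per environment) ---
SERVICE_NAME_PATTERNS = [
    r"^[a-z0-9]{12,}$",            # long random-looking service name
    r"\\(temp|appdata|public)\\",  # service binary in a user-writable directory
    r"\.(bat|vbs|ps1)(\s|$)",      # script registered as a service binary
]
PARENT_PROCESS_FILTER = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
REGISTRY_PATH_LIST = [r"HKLM\System\CurrentControlSet\Services"]
SERVICE_TOOLS = {"sc.exe", "powershell.exe", "services.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def check_service_creation(ev):
    """Security 4697: apply ServiceNamePattern to the service name and its binary path."""
    hits = [p for p in SERVICE_NAME_PATTERNS
            if re.search(p, ev["ServiceName"], re.I)
            or re.search(p, ev["ServiceFileName"], re.I)]
    if hits:
        return {"rule": "ServiceNamePattern", "event": ev["RecordId"], "matched": hits}
    return None


def check_process_creation(ev):
    """Sysmon 1: a service-management tool launched by a non-administrative parent."""
    parent = _base(ev["ParentImage"])
    if _base(ev["Image"]) in SERVICE_TOOLS and parent in PARENT_PROCESS_FILTER:
        return {"rule": "ParentProcessFilter", "event": ev["RecordId"], "matched": [parent]}
    return None


def check_registry_write(ev):
    """Sysmon 13/14: a write under a monitored autorun path by anything but services.exe."""
    target = ev["TargetObject"].lower()
    hits = [p for p in REGISTRY_PATH_LIST if target.startswith(p.lower() + "\\")]
    if hits and _base(ev["Image"]) != "services.exe":
        return {"rule": "RegistryPathList", "event": ev["RecordId"], "matched": hits}
    return None


def run_detection(events):
    """Route each event to the check for its channel/EventCode; return the alerts."""
    alerts = []
    for ev in events:
        ch, code = ev["Channel"], ev["EventCode"]
        if ch == "Security" and code == 4697:
            alert = check_service_creation(ev)
        elif ch == "Sysmon" and code == 1:
            alert = check_process_creation(ev)
        elif ch == "Sysmon" and code in (13, 14):
            alert = check_registry_write(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (benign and suspicious mixed together).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Security", "EventCode": 4697,
     "ServiceName": "MyBackupSvc", "ServiceFileName": r"C:\Program Files\Backup\svc.exe"},
    {"RecordId": 2, "Channel": "Security", "EventCode": 4697,
     "ServiceName": "a8f3k2j9x7q1", "ServiceFileName": r"C:\Users\Public\upd.exe"},
    {"RecordId": 3, "Channel": "Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"RecordId": 4, "Channel": "Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 5, "Channel": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\a8f3k2j9x7q1\ImagePath",
     "Image": r"C:\Users\Public\upd.exe"},
    {"RecordId": 6, "Channel": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\MyBackupSvc\Start",
     "Image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports three alerts (events 2, 3 and 5); the benign service install, the sc.exe run from cmd.exe and the services.exe registry write are left alone. In a real pipeline the three lists would be loaded from configuration and the registry check would typically also exclude other legitimate installers seen in the environment.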

Observed Countries (3)

DE (179)
GB (193)
US (763)