
GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
The Transitive GlassWorm campaign is a sophisticated supply chain attack on open-source software repositories that exploits transitive dependencies to inject malicious code.
Indicators of Compromise
IPv4 (3)
45.32.151.157
45.32.150.251
70.34.242.255
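A defender's first use of an IoC list like this is to sweep existing proxy, DNS and firewall logs for the addresses. The script below is an added example, not part of the SOCRadar page; the log lines it searches are constructed samples. It shows the one detail such sweeps commonly get wrong: a plain substring match on an IP also fires on unrelated addresses that merely contain the indicator's digits (145.32.151.157, 45.32.150.2510), so the pattern anchors each indicator on a non-digit, non-dot boundary.

```shell
#!/bin/sh
# Added example, not part of the SOCRadar page: sweep log lines for the three
# IPv4 indicators listed above. The sample log below is constructed, not captured.

# The indicators from the page's IoC list, one per line.
GLASSWORM_IOC_IPV4='45.32.151.157
45.32.150.251
70.34.242.255'

# ioc_pattern
#   Builds one extended regex from the indicator list. Each dot is escaped so it
#   matches only a literal dot, and every address is bracketed by a "not a digit
#   or dot" boundary (or line start/end) so that 145.32.151.157 or
#   45.32.150.2510 are not reported as hits.
ioc_pattern() {
    printf '%s\n' "$GLASSWORM_IOC_IPV4" \
        | sed -e 's/\./\\./g' -e 's/^/(^|[^0-9.])/' -e 's/$/([^0-9.]|$)/' \
        | tr '\n' '|' | sed -e 's/|$//'
}

# match_ioc_ips FILE
#   Prints every line of FILE that contains an indicator as a whole address.
match_ioc_ips() {
    grep -E "$(ioc_pattern)" "$1"
}

# count_ioc_hits FILE
#   Prints the number of matching lines (0 when there are none).
count_ioc_hits() {
    match_ioc_ips "$1" | wc -l | tr -d ' '
}

# Constructed sample: two true hits (lines 1 and 4) and two near-miss addresses
# that share digits with an indicator but are different hosts (lines 2 and 5).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01T10:00:00Z proxy CONNECT 45.32.151.157:443 user=ci-runner
2024-01-01T10:00:01Z proxy CONNECT 145.32.151.157:443 user=dev
2024-01-01T10:00:02Z dns query pypi.org A 151.101.0.223
2024-01-01T10:00:03Z fw allow src=10.0.0.5 dst=70.34.242.255 dport=443
2024-01-01T10:00:04Z proxy CONNECT 45.32.150.2510:443 user=build
EOF

match_ioc_ips "$SAMPLE_LOG"
```

Run against real logs by passing the log path in place of `$SAMPLE_LOG`; on the constructed sample only lines 1 and 4 are reported. Indicator infrastructure changes hands, so a hit dates the activity but does not by itself prove compromise; correlate with the process or pipeline job that made the connection.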
<div class="content-body"><span class="content-title">CONCLUSION</span><p class="content-description">The Transitive GlassWorm campaign shows a clear shift in software supply chain attacks. Threat actors no longer rely only on direct package compromise. They now use indirect paths such as transitive dependencies and trusted extension ecosystems like Open VSX Registry. This approach increases stealth and makes detection much harder.</p><p class="content-description">Findings from Socket confirm that attackers used obfuscation and dependency chaining to spread malicious code at scale. This created a broad impact across developer environments and CI/CD pipelines. The campaign highlights a key risk. Even trusted packages can become attack vectors through hidden dependency relationships.</p><p class="content-description">From a defensive perspective, organizations must move beyond basic vulnerability scanning. Continuous dependency monitoring, behavioral analysis, and extension-level validation are now essential. Threat intelligence platforms like SOCRadar play an important role here. They provide early warning, attacker infrastructure tracking, and visibility into emerging supply chain threats.</p><p class="content-description">In summary, the GlassWorm campaign underlines a critical reality. Software trust is no longer binary. Security teams must assume that any layer in the dependency chain can be weaponized and act accordingly.</p></div>
Mitigation
<div>
<p class="content-description"><strong>M1026 Privileged Account Management</strong></p>
<table>
<thead>
<tr> <th>Domain</th> <th colspan="2">ID</th> <th>Name</th> <th>Use</th> </tr>
</thead>
<tbody>
<tr> <td>Enterprise</td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1548">T1548</a></td> <td><a href="https://attack.mitre.org/techniques/T1548">Abuse Elevation Control Mechanism</a></td> <td> <p>Remove users from the local administrator group on systems.</p> <p>By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.</p> </td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1548/002">.002</a></td> <td><a href="https://attack.mitre.org/techniques/T1548/002">Bypass User Account Control</a></td> <td>Remove users from the local administrator group on systems.</td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1548/003">.003</a></td> <td><a href="https://attack.mitre.org/techniques/T1548/003">Sudo and Sudo Caching</a></td> <td>By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.</td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1548/006">.006</a></td> <td><a href="https://attack.mitre.org/techniques/T1548/006">TCC Manipulation</a></td> <td>Remove unnecessary users from the local administrator group on systems.</td> </tr>
<tr> <td>Enterprise</td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1134">T1134</a></td> <td><a href="https://attack.mitre.org/techniques/T1134">Access Token Manipulation</a></td> <td> <p>Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object">[1]</a> Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token">[2]</a></p> <p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. <a href="https://technet.microsoft.com/en-us/library/bb490994.aspx">[3]</a></p> </td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1134/001">.001</a></td> <td><a href="https://attack.mitre.org/techniques/T1134/001">Token Impersonation/Theft</a></td> <td> <p>Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object">[1]</a> Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token">[2]</a></p> <p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. <a href="https://technet.microsoft.com/en-us/library/bb490994.aspx">[3]</a></p> </td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1134/002">.002</a></td> <td><a href="https://attack.mitre.org/techniques/T1134/002">Create Process with Token</a></td> <td> <p>Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object">[1]</a> Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token">[2]</a></p> <p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. <a href="https://technet.microsoft.com/en-us/library/bb490994.aspx">[3]</a></p> </td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1134/003">.003</a></td> <td><a href="https://attack.mitre.org/techniques/T1134/003">Make and Impersonate Token</a></td> <td> <p>Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object">[1]</a> Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token">[2]</a></p> <p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. <a href="https://technet.microsoft.com/en-us/library/bb490994.aspx">[3]</a></p> </td> </tr>
<tr> <td>Enterprise</td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1098">T1098</a></td> <td><a href="https://attack.mitre.org/techniques/T1098">Account Manipulation</a></td> <td>Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.</td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1098/001">.001</a></td> <td><a href="https://attack.mitre.org/techniques/T1098/001">Additional Cloud Credentials</a></td> <td>Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.</td> </tr>
<tr> <td></td> <td colspan="2"><a href="https://attack.mitre.org/techniques/T1098/002">.002</a></td> <td><a href="https://attack.mitre.org/techniques/T1098/002">Additional Cloud Credentials</a></td> <td></td> </tr>
</tbody>
</table>
</div>
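The sudo caching rows above (T1548 and T1548.003) give one concrete setting, `timestamp_timeout=0`, but say nothing about how to check a fleet for it. The script below is an added example, not part of the SOCRadar page or the MITRE mitigation text. It reads a sudoers file, extracts the effective `timestamp_timeout` from the last uncommented `Defaults` line that sets it, and classifies the result, including the two states a simple "is it set?" check misses: a negative value, which makes the cached credential never expire, and an option that appears only in a comment. The four sudoers files it classifies are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the SOCRadar page or the MITRE mitigation text:
# audit sudoers content for the timestamp_timeout setting that the M1026 row
# above says to set to 0. The sudoers files below are constructed samples.

# sudo_timeout_setting FILE
#   Prints the timestamp_timeout value set in FILE, or nothing when no
#   uncommented Defaults line sets it. Later Defaults entries override earlier
#   ones in sudoers, so the last match wins. Per-user, per-host and per-command
#   Defaults lines (Defaults:user, Defaults@host, Defaults!cmd) are treated like
#   global ones here, which is a simplification.
sudo_timeout_setting() {
    grep -E '^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/'
}

# sudo_timeout_verdict FILE
#   hardened : timestamp_timeout=0, the password is required on every sudo
#   never    : negative value, the cached credential never expires (worst case)
#   default  : option unset, sudo's compiled-in cache lifetime applies
#   cached   : an explicit positive lifetime in minutes
sudo_timeout_verdict() {
    t=$(sudo_timeout_setting "$1")
    case "$t" in
        '')    echo default ;;
        0|0.0) echo hardened ;;
        -*)    echo never ;;
        *)     echo cached ;;
    esac
}

# Constructed samples in a scratch directory.
SUDOERS_DIR=$(mktemp -d)

WEAK_SUDOERS="$SUDOERS_DIR/weak"
cat > "$WEAK_SUDOERS" <<'EOF'
Defaults env_reset
Defaults timestamp_timeout=15
%sudo ALL=(ALL:ALL) ALL
EOF

NEVER_SUDOERS="$SUDOERS_DIR/never"
cat > "$NEVER_SUDOERS" <<'EOF'
Defaults env_reset,timestamp_timeout=-1
%sudo ALL=(ALL:ALL) ALL
EOF

UNSET_SUDOERS="$SUDOERS_DIR/unset"
cat > "$UNSET_SUDOERS" <<'EOF'
Defaults env_reset   # timestamp_timeout=0 in a comment does not count
%sudo ALL=(ALL:ALL) ALL
EOF

HARDENED_SUDOERS="$SUDOERS_DIR/hardened"
cat > "$HARDENED_SUDOERS" <<'EOF'
Defaults env_reset,timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL
EOF

for f in "$WEAK_SUDOERS" "$NEVER_SUDOERS" "$UNSET_SUDOERS" "$HARDENED_SUDOERS"; do
    printf '%-10s %s\n' "$(basename "$f")" "$(sudo_timeout_verdict "$f")"
done
```

On a real host, run the verdict over `/etc/sudoers` and every file under `/etc/sudoers.d/`, since a drop-in can override the main file. When you change the setting, edit through `visudo` (or validate the file with `visudo -c` before installing it) so a syntax error cannot lock administrators out of sudo.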