Lead Story | Critical | Developers · Cloud & DevOps · Enterprise |
|
GlassWorm Hijacks 150+ GitHub Repos — Your AI Pipeline May Already Be Compromised
Stolen tokens. Force-pushed payloads. ML research code, Django apps, and PyPI packages all targeted in an ongoing multi-ecosystem supply chain attack.
The GlassWorm campaign is not theoretical. Between March 3 and March 9, attackers used stolen GitHub tokens to compromise over 150 repositories — including Django applications, ML research code, Streamlit dashboards, and PyPI packages — by force-pushing obfuscated malware into files like setup.py, main.py, and app.py. The original commit messages, authors, and dates were preserved. From the outside, nothing looks different.
The payload is Base64-encoded and appended to the end of Python files. It checks whether the system locale is set to Russian — if so, it skips execution. Otherwise, it queries a Solana wallet’s transaction memo field to extract the actual C2 URL. The campaign has expanded beyond GitHub to npm and the VS Code marketplace, with Aikido reporting 72 malicious Open VSX extensions and 151 compromised GitHub repos using invisible Unicode obfuscation.
If your organisation runs AI or ML pipelines with loosely pinned Python dependencies sourced from GitHub, audit now. Check git log for unexpected force-pushes on default branches after March 3. Review setup.py and app.py for appended Base64 blocks. Rotate any GitHub tokens that may have been exposed in prior VS Code extension compromises.
→ Key Takeaway Audit any Python dependency sourced from GitHub. GlassWorm is an active, multi-ecosystem supply chain attack targeting developer toolchains — including AI/ML pipelines. Check git history for force-pushes after March 3. Rotate exposed tokens. Pin dependencies to verified commits, not branches. |
Quick Hits
| 01 |
PleaseFix — Agentic Browsers Can Be Hijacked via Calendar Invites
Zenity Labs disclosed PleaseFix, a family of vulnerabilities in agentic browsers including Perplexity Comet. A benign calendar invitation triggers zero-click agent hijacking — enabling file system exfiltration and credential theft from password managers, all without further user interaction. Perplexity patched before public disclosure, but the vulnerability class applies to any agentic browser granting tool access to untrusted content. Zenity Labs →
| High | Developers · Enterprise |
|
| 02 |
Iran-Linked Handala Claims Wiper Attack on MedTech Giant Stryker
The MOIS-affiliated group Handala claimed a destructive wiper attack on Stryker, the US medical equipment manufacturer, reportedly erasing data from over 200,000 systems across 79 countries by compromising the company’s Microsoft Intune account. The attack disrupted Lifenet, an IT system used by emergency responders to transmit patient data to hospitals. CISA has launched an investigation. Krebs on Security →
|
CVE Watch
|
Patch of the Day
| CVE-2026-3909 | & | CVE-2026-3910 | CVSS 8.8 |
Google Chrome — Skia OOB Write + V8 Inappropriate Implementation
Two actively exploited zero-days patched in Chrome 146.0.7680.80 on March 13. CVE-2026-3909 is an out-of-bounds write in Skia (Chrome’s rendering engine) that can escape sandbox protections. CVE-2026-3910 is an inappropriate implementation in V8 enabling code execution via a crafted webpage. Both confirmed exploited in the wild. CISA added both to KEV with a March 27 patch deadline. Update Chrome now.
| Vendor: Google · Patched: Mar 13 · CISA KEV: Yes · Exploited: Confirmed |
|
|
