GlassWorm's Solana C2: How a Supply-Chain Monster Turned the Blockchain Into a Dead Drop

Supply-chain attacks aren't new. But GlassWorm is doing something we haven't seen at this scale: weaponizing the Solana blockchain itself as command-and-control infrastructure — making its C2 effectively untakedownable while targeting the very developers who build on it. Between January and March 2026, GlassWorm compromised 433+ components across GitHub, npm, VSCode, and OpenVSX. The campaign steals crypto wallet data, SSH keys, and developer credentials. And its C2 channel? Transaction memos on the Solana blockchain. Let's break down how it works, why it matters for DeFi security, and what you can do about it. The Attack Chain Stage 1: Compromise Developer Accounts GlassWorm starts by compromising GitHub accounts — likely through credential stuffing or token theft from previous infections. Once inside, attackers force-push malicious commits to legitimate repositories. The commits are crafted to look normal: documentation tweaks, version bumps, small refactors. Security researchers at