Back

GlassWorm Hits MCP: 5th Wave with New Delivery Techniques

Lotan Sery

March 16, 2026

GlassWorm Strikes Again: Wave 5 Brings Invisible Code to MCP Servers, GitHub Repos, and Hundreds of Extensions.

Five waves. Five months. One relentless threat actor.

We first exposed GlassWorm back in October 2025 - the first self-propagating worm hiding in VSCode extensions using invisible Unicode characters. Since then, we've tracked them through four waves: invisible payloads, a return strike where we accessed their server and found real victims, compiled Rust binaries, and a full pivot to macOS with hardware wallet trojans.

Each time a marketplace took down their extensions, new ones appeared within weeks.

Now they're back. And this time, they've crawled into a place that should worry every developer building with AI tools: MCP servers.

MCP Isn't Dead - But It Already Has Worms In It

A few months ago, we exposed the first malicious MCP package - and it turned out to be just a guy. Opportunistic, unsophisticated, low effort. Now we're seeing a serious, well-resourced threat actor enter the MCP field. That's a different game entirely.

Here's what caught our attention.

Our risk engine flagged a new npm package on March 12:
‍@iflow-mcp/watercrawl-watercrawl-mcp
At first glance, it looked like a legitimate MCP server - proper TypeScript, real dependencies, and even a valid repository link pointing to the original watercrawl-mcp GitHub repo.

Five versions published in a single day - 1.3.0 through 1.3.4. All of them are malicious from the very first release.

We pulled the package apart. The package.json was clean - a near-perfect clone of the real WaterCrawl MCP server. It even shipped with ready-made MCP server configuration JSON, so a developer could drop it straight into their AI coding tool. Search npm for "watercrawl mcp" and you might install the wrong one without thinking twice.

But then we opened src/index.ts - after 26 lines of perfectly normal MCP server setup code, dotenv config, server initialization, SSE transport - we found it. The GlassWorm signature we've been tracking for nearly half a year:

The same decoder. The same invisible Unicode variation selectors. The same technique we documented in Wave 1 - characters that render as empty space in every editor, terminal, and code review tool, but decode into executable JavaScript.

That backtick string passed to s() ? It looks empty. It's not. Thousands of invisible characters hiding a full malicious payload.

Now here's what makes the MCP angle particularly nasty.

For those unfamiliar - MCP (Model Context Protocol) servers are bridges between AI coding assistants like Claude, Cursor, and others, and external services. They let your AI tools crawl the web, query databases, hit APIs. And they run directly on your machine, as a subprocess of your coding tool, with access to your environment variables, API keys, tokens, local filesystem - everything.

A compromised MCP server doesn't need to hunt for credentials. They're handed to it. That's the whole point.

We dug into the package metadata and found push_info.json, which revealed the full supply chain: the attacker forked the legitimate watercrawl-mcp repository to github.com/iflow-mcp/watercrawl-watercrawl-mcp, injected the invisible payload, and published it under a brand new @iflow-mcp scope - a namespace created specifically for this attack. The fork even uses a dedicated branch named "iflow".

This is GlassWorm's first confirmed move into the MCP ecosystem. And given how fast AI-assisted development is growing - and how much trust MCP servers are given by design - this won't be the last.

The Bigger Picture: Wave 5 Across the Board

The MCP package is just one piece. We're not the only ones watching GlassWorm - researchers at Aikido and Socket have been tracking this campaign independently, and their recent findings paint a picture of the most aggressive GlassWorm operation to date.

Here's what the broader wave looks like.

GitHub - Over 150 Repositories Compromised

Between March 3 and 9, GlassWorm pushed the invisible Unicode decoder into over 150 GitHub repositories. Some of them are high-profile: Reworm (1,460 stars), projects from anomalyco (the organization behind OpenCode and SST), a Wasmer starter template, and dozens more.

What makes this scary isn't just the scale - it's the cover story. Each malicious commit comes wrapped in what looks like a normal contribution: a documentation update, a version bump, a small bug fix. The changes are project-specific. They match the coding style of each repository. At 150+ repos, there's no way a human is handcrafting each one. GlassWorm is almost certainly using LLMs to generate convincing camouflage for each injection.

We flagged this exact pattern back in Wave 2 when researchers first noticed AI-generated commits in GitHub repos carrying GlassWorm payloads. Now it's operating at industrial scale.

VS Code and Open VSX - Over 72 New Malicious Extensions

GlassWorm has also flooded the OpenVSX marketplace with over 70 new malicious extensions. The playbook is classic typosquatting - fake versions of popular developer tools. Prettier, ESLint, Flutter plugins, Python tools, icon themes. Even AI tools like Claude Code and Codex got impersonated. Some of these fakes had their download counts pumped into the thousands to look legitimate.

But there's a new trick to this wave that's worth paying attention to.

GlassWorm started abusing the extensionPack and extensionDependencies fields in VSCode manifests. These are legitimate features - they let one extension automatically install others alongside it. The problem? Any extension can declare any other extension as a dependency. No trust relationship required.

So GlassWorm publishes a clean-looking extension. It gains some installs. Then, in a later update, it silently adds a dependency pointing to a separate GlassWorm-linked extension. The editor auto-installs the malicious dependency for every existing user. The malware was never in the extension you reviewed - it was one layer deeper.

This means reviewing an extension once, at installation time, is no longer enough. The malicious component can show up in a version update you never see.

Under the hood, GlassWorm's core playbook hasn't changed: staged JavaScript execution, Russian locale gating, Solana blockchain memos as dead drops for C2 resolution, and in-memory payload execution. The fundamentals that made this campaign hard to kill since Wave 1 are all still there.

What has changed is the operational layer. They've rotated to a new Solana wallet, added new C2 IPs, swapped out their AES loader for heavier RC4 obfuscation, and moved decryption keys out of the extension code entirely - now they're delivered in HTTP response headers controlled by the attacker. Static analysis of the malicious code alone won't give you the full picture anymore.

But they left a trail. Two IPs, 45.32.150.251 and 45.32.151.157, keep showing up across waves, and the C2 is still pulled from a Solana wallet we've been tracking since Wave 4.

Same actor, same infrastructure, same campaign.

The Evolution Pattern

Let's step back and look at what we're dealing with:

Wave 1 (October 2025): Invisible Unicode in OpenVSX extensions, windows-focused, Solana and Google Calendar for C2.

Wave 2 (November 2025): Same technique, more extensions. We accessed the attacker's server - found real victims including a Middle Eastern government entity. Confirmed Russian-speaking threat actor.

Wave 3 (November 2025): Rust binaries instead of Unicode, expanded to Microsoft's official VSCode marketplace.

Wave 4 (December 2025): Platform pivot to macOS, encrypted JavaScript payloads, hardware wallet trojanization and 50,000 downloads.

Wave 5 (March 2026): Largest wave yet. Invisible Unicode returns, 150+ GitHub repos compromised, 72+ VSCode extensions, first MCP server compromise, transitive dependency abuse and AI-generated cover commits at scale.

The pattern is clear. Each wave is broader, more sophisticated, and harder to catch than the last.

Final Thoughts

When we closed our Wave 4 report three months ago, we wrote: "The question isn't whether there will be a Wave 5 - it's whether you'll catch it before your developers install it."

Wave 5 answered that question. And it answered it by expanding into MCP - an ecosystem where the trust model is even more permissive than VSCode extensions. Your MCP server runs on your machine, reads your environment variables, and has access to your filesystem.

GlassWorm isn't slowing down. They're accelerating. And now they're fishing where the fish are: AI-assisted development tools.

Developers: be cautious when installing extensions, npm packages, and especially MCP servers. Verify publishers. Check package histories. Don't trust download counts. And rotate your credentials if you've installed anything suspicious.

Stay safe out there.