
Software Supply Chain Attacks Surge: GlassWorm and LiteLLM Compromises Sound the Alarm

Two massive supply chain attacks in March 2026 — GlassWorm (9M+ installs via malicious IDE extensions) and LiteLLM (backdoored Python library with 3M daily downloads) — expose critical gaps in software development security for Saudi financial institutions.

FyntraLink Team

Two major supply chain attacks in March 2026 — the GlassWorm campaign infecting 72 Open VSX extensions and the TeamPCP compromise of the LiteLLM Python library — have exposed critical blind spots in how organizations secure their software development pipelines. For Saudi financial institutions operating under SAMA and NCA oversight, these incidents are not distant headlines; they are a direct threat to the integrity of every application your teams build and deploy.

GlassWorm: 9 Million Installs and Counting

On March 13, 2026, the Socket Research Team disclosed that the GlassWorm campaign had escalated dramatically, with at least 72 malicious extensions published to the Open VSX registry, the open marketplace powering editors such as VSCodium and Eclipse Theia. The attack is deceptively simple: operators first publish benign, useful extensions (linters, formatters, AI coding assistants). Once developers install and trust them, a subsequent update silently adds the hidden GlassWorm loader to the extension's extensionDependencies list in its manifest. Because editors install declared extension dependencies automatically, the malicious payload arrives without any user interaction.

The payload itself is sophisticated. A heavily obfuscated JavaScript loader performs locale and timezone checks to avoid execution in Russian-language environments, then leverages the Solana blockchain as a dead-drop resolver — parsing on-chain transaction memos to dynamically retrieve its command-and-control (C2) address. The objectives: credential theft, secrets exfiltration, cryptocurrency wallet draining, and conscripting infected endpoints as network proxies. As of mid-March, the campaign had surpassed 9 million installs and compromised at least 151 GitHub repositories.
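The manifest change described above is something a review gate can catch mechanically. The following is an added example, not code from the article or from Socket's research: it compares two versions of one extension's manifest and flags any extensionDependencies entry that is new in the update and not on an organisation allowlist. The manifests, the extension ids and the allowlist are all constructed placeholders, not real GlassWorm indicators.

```python
"""Added example: detect an extension update that introduces a new, unvetted
extensionDependencies entry, the hop the GlassWorm description above relies
on. All manifests and ids below are constructed for this example.
"""
import json

# Constructed "before" manifest: a harmless formatter that declares no
# dependencies on other extensions.
BENIGN_V1 = json.dumps({
    "name": "example-formatter",
    "publisher": "example-publisher",
    "version": "1.0.0",
    "engines": {"vscode": "^1.80.0"},
    "contributes": {"commands": [{"command": "example.format", "title": "Format"}]},
})

# Constructed "after" manifest: the same extension one release later, now
# declaring a second extension as a hard dependency. Editors install
# extensionDependencies automatically, so this is the silent hop.
# The dependency id is a placeholder, not a real indicator.
TROJANED_V2 = json.dumps({
    "name": "example-formatter",
    "publisher": "example-publisher",
    "version": "1.0.1",
    "engines": {"vscode": "^1.80.0"},
    "contributes": {"commands": [{"command": "example.format", "title": "Format"}]},
    "extensionDependencies": ["unknown-publisher.hidden-loader"],
})

# Constructed control case: an update that adds only an already-vetted
# dependency, which the policy below should allow.
BENIGN_V2 = json.dumps({
    "name": "example-formatter",
    "publisher": "example-publisher",
    "version": "1.0.1",
    "engines": {"vscode": "^1.80.0"},
    "extensionDependencies": ["ms-python.python"],
})

# Hypothetical allowlist of extension ids (publisher.name) the organisation
# has reviewed. In practice this comes from your extension governance process.
APPROVED = {"example-publisher.example-formatter", "ms-python.python"}


def extension_dependencies(manifest_json: str) -> set:
    """Return the set of extension ids a manifest declares as hard
    dependencies (the extensionDependencies field, editor-installed)."""
    manifest = json.loads(manifest_json)
    deps = manifest.get("extensionDependencies", [])
    if not isinstance(deps, list):
        raise ValueError("extensionDependencies must be a list")
    return set(deps)


def new_unapproved_dependencies(old_json: str, new_json: str, approved: set) -> list:
    """Return dependencies that are (a) absent from the old manifest and
    (b) not on the approved list, sorted for stable output."""
    added = extension_dependencies(new_json) - extension_dependencies(old_json)
    return sorted(dep for dep in added if dep not in approved)


def review_update(old_json: str, new_json: str, approved: set) -> str:
    """Policy decision for an extension update: 'block' if it pulls in any
    unapproved dependency, otherwise 'allow'."""
    return "block" if new_unapproved_dependencies(old_json, new_json, approved) else "allow"


if __name__ == "__main__":
    for label, new in (("trojaned update", TROJANED_V2), ("benign update", BENIGN_V2)):
        flagged = new_unapproved_dependencies(BENIGN_V1, new, APPROVED)
        print(f"{label}: {review_update(BENIGN_V1, new, APPROVED)} {flagged}")
```

The check deliberately keys on the diff between versions rather than the absolute dependency list: a dependency that was present and reviewed at first install is not the concern, a dependency that appears in a later update is.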

LiteLLM: Three Hours That Shook the AI Stack

Eleven days later, on March 24, the threat actor group TeamPCP executed a precision strike against LiteLLM, a Python library with three million daily downloads used to abstract calls to large language model APIs. TeamPCP compromised PyPI credentials by poisoning a Trivy GitHub Action in LiteLLM's CI/CD pipeline, then published two backdoored versions: v1.82.7 and v1.82.8.

Version 1.82.7 embedded a base64-encoded payload directly inside proxy_server.py, activating whenever anything imported litellm.proxy. Version 1.82.8 went further, dropping a litellm_init.pth file into site-packages. Python's site module processes every .pth file in site-packages at interpreter startup and executes any line that begins with import, so the payload ran in every Python process on the host, whether or not that process ever imported litellm. The credential stealer targeted environment variables (API keys, tokens), SSH keys, cloud credentials across AWS, GCP, and Azure, Kubernetes configs, CI/CD secrets, Docker configs, and database credentials. Stolen data was AES-256 encrypted with an RSA-wrapped key and exfiltrated to attacker-controlled domains masquerading as legitimate services.

PyPI quarantined the package within approximately three hours, but given the library's download volume, the exposure window was significant.
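A practitioner responding to the .pth technique wants a way to enumerate it on a host. The following is an added example, not the article's code and not LiteLLM's: it lists every .pth file in the interpreter's site-packages directories and reports those containing lines that site.addpackage() will exec() at startup. Legitimate packages (editable installs, some import hooks) also use import lines, so the output is a review queue, not a verdict. The sample .pth contents and the expected-file allowlist are constructed for this example; the executable line in the sample is a harmless placeholder, not the real backdoor.

```python
"""Added example: find .pth files whose lines Python will execute at
interpreter startup. CPython's site module treats any .pth line starting
with "import " or "import<TAB>" as code and exec()s it before your program
runs, which is the mechanism described for litellm_init.pth above.
Sample contents below are constructed; nothing here is the real payload.
"""
import os
import site
from typing import Optional

# Constructed sample: the kind of .pth a legitimate tool ships. Path lines
# are only appended to sys.path; nothing is executed.
LEGIT_PTH = "../../example_tool/src\n# comment\n"

# Constructed sample: a .pth with an executable line. The statement is
# deliberately harmless; a stealer would import its loader here instead.
SUSPICIOUS_PTH = "import os; os.environ.get('HOME')\n"

# Hypothetical allowlist of .pth names the organisation expects to see
# (e.g. ones shipped by vetted tooling). Tune this per golden image.
EXPECTED_PTH_NAMES = {"distutils-precedence.pth"}


def executable_pth_lines(text: str) -> list:
    """Return the lines of a .pth file that site.addpackage() would exec()."""
    out = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # comments and blank lines are ignored by site
        if line.startswith(("import ", "import\t")):
            out.append(line)
    return out


def assess_pth(filename: str, text: str, expected: Optional[set] = None) -> dict:
    """Classify one .pth file:
    'path-only'  it only extends sys.path, no code runs;
    'expected'   it runs code but the filename is on the allowlist;
    'review'     it runs code and is not on the allowlist."""
    expected = EXPECTED_PTH_NAMES if expected is None else expected
    lines = executable_pth_lines(text)
    if not lines:
        verdict = "path-only"
    elif filename in expected:
        verdict = "expected"
    else:
        verdict = "review"
    return {"file": filename, "verdict": verdict, "exec_lines": lines}


def scan_site_packages(dirs: Optional[list] = None) -> list:
    """Assess every .pth in the given directories (default: this interpreter's
    system and user site-packages) and return only those needing review."""
    if dirs is None:
        dirs = list(site.getsitepackages())
        user_site = site.getusersitepackages()
        if user_site:
            dirs.append(user_site)
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                result = assess_pth(name, f.read())
            if result["verdict"] == "review":
                result["path"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    findings = scan_site_packages()
    for finding in findings:
        print(f"REVIEW {finding['path']}: {finding['exec_lines']}")
    if not findings:
        print("no unexpected executable .pth files found")
```

Run it with the same interpreter (and virtual environment) your services use; a .pth planted in one environment is invisible from another. Pair the scan with a check of the installed litellm version against the two releases named above.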

Why This Matters for Saudi Financial Institutions

Saudi banks, insurance companies, and fintech firms are rapidly adopting modern development practices — microservices, containerized deployments, AI-assisted coding, and open-source libraries. This is exactly the attack surface GlassWorm and TeamPCP exploit. A single compromised developer workstation inside a SAMA-regulated entity could leak API keys to core banking systems, expose PCI-DSS cardholder data environments, compromise credentials to cloud infrastructure hosting customer data protected under PDPL, and provide lateral movement paths into production environments.

The SAMA Cyber Security Framework (CSF) explicitly requires software development security controls, including secure coding practices, code review, and third-party component management. Similarly, the NCA Essential Cybersecurity Controls (ECC-2: 2024) mandate supply chain risk management and the vetting of third-party software. Organizations that treat these as checkbox exercises rather than operational disciplines are precisely the ones most vulnerable to these attacks.

The Deeper Problem: Transitive Trust

Both attacks exploit a fundamental weakness in modern software ecosystems — transitive trust. Developers trust their IDE extensions. They trust popular open-source libraries. They trust that PyPI and extension registries perform adequate vetting. Each layer of trust creates an opportunity for attackers to inject malicious code that inherits the permissions and access of the legitimate software it mimics. GlassWorm specifically weaponized the extensionDependencies mechanism, causing editors to silently install malicious packages as if they were legitimate dependencies of trusted extensions.

For financial institutions where a production deployment might pull hundreds of transitive dependencies, a single poisoned package can cascade through the entire software delivery pipeline — from developer laptop to staging to production.

Practical Recommendations for CISOs and Security Teams

  1. Implement Software Bill of Materials (SBOM): Generate and monitor SBOMs for every application. Tools like Syft, Trivy (when sourced from verified pipelines), and OWASP Dependency-Track provide continuous visibility into your dependency tree. SAMA CSF Domain 10 requires organizations to maintain inventories of software assets — extend this to dependencies.
  2. Lock and Pin Dependencies: Use lock files (poetry.lock, package-lock.json) and pin exact versions, with hashes where the package manager supports them (pip's --require-hashes mode, the integrity fields in package-lock.json). A floating version range would have pulled LiteLLM 1.82.7 in automatically; an exact pin would not. Never allow automatic updates to propagate into production without review. Configure private registries or artifact proxies (Artifactory, Nexus) to cache and scan packages before developer consumption.
  3. Restrict IDE Extensions: Establish an approved whitelist of IDE extensions for development teams. Disable automatic extension updates. Monitor for new extensionDependencies additions in extension manifests — this is exactly the vector GlassWorm exploited.
  4. Harden CI/CD Pipelines: The LiteLLM compromise originated from a poisoned GitHub Action. Audit every third-party action in your workflows. Pin actions to specific commit SHAs rather than tags. Use permissions blocks to enforce least-privilege for workflow tokens.
  5. Deploy Secret Scanning and Egress Monitoring: Run tools like GitLeaks, TruffleHog, or cloud-native secret scanning in pre-commit hooks and CI to catch credentials before they reach repositories. Separately, alert on unusual outbound connections from developer workstations and CI runners; both GlassWorm and the LiteLLM stealer had to exfiltrate what they collected, and that egress is observable.
  6. Conduct Supply Chain Threat Modeling: Map your software supply chain end-to-end — from developer IDE to production deployment. Identify every point where third-party code enters the pipeline and assess the trust assumptions at each boundary. NCA ECC control 2-6-1 specifically addresses third-party cybersecurity requirements.
  7. Rotate Credentials Immediately: If your teams used LiteLLM versions 1.82.7 or 1.82.8, or installed any of the flagged Open VSX extensions, treat it as a confirmed breach. Rotate all API keys, cloud credentials, SSH keys, and database passwords exposed on affected systems.
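Items 2 and 4 above reduce to two mechanical checks that can run on every pull request: are third-party actions pinned to a commit SHA rather than a mutable tag, does the workflow declare a permissions block, and are Python requirements pinned. The following is an added example, not the article's code and not LiteLLM's actual workflow: it audits a workflow file and a requirements file for those points. It uses regular expressions rather than a YAML parser so it runs on the standard library alone; a production version would parse the YAML properly. The workflow, the action names other than actions/checkout, the SHA value and the requirements file are all constructed for this example.

```python
"""Added example: audit a GitHub Actions workflow for unpinned actions and
a missing permissions block, and a requirements file for unpinned
dependencies. Sample inputs are constructed; placeholder names throughout.
"""
import re

# Constructed sample workflow. The checkout step is pinned to a full commit
# SHA (placeholder value); the scan step floats on a mutable tag, the shape
# of reference that a poisoned action release can hijack.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678
      - uses: example-org/security-scan@v1
      - uses: ./.github/actions/local-lint
      - run: python -m build
"""

# Constructed sample requirements file: one exact pin, one floating range
# (which would have accepted LiteLLM 1.82.7 automatically), one bare name.
SAMPLE_REQUIREMENTS = """\
# pinned, reproducible
requests==2.32.3
# floats within a range: picks up any new release automatically
litellm>=1.82,<2
pyyaml
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def unpinned_actions(workflow_text: str) -> list:
    """Return uses: references that are neither local paths nor docker://
    images and are not pinned to a full 40-hex commit SHA."""
    bad = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are out of scope here
        _, _, version = ref.partition("@")
        if not SHA40_RE.match(version):
            bad.append(ref)
    return bad


def has_permissions_block(workflow_text: str) -> bool:
    """True if the workflow declares a permissions: block at any level."""
    return PERMISSIONS_RE.search(workflow_text) is not None


def unpinned_requirements(requirements_text: str) -> list:
    """Return requirement lines not pinned with ==. Comments, blank lines and
    pip options (lines starting with '-') are skipped. An == pin alone does
    not defend against a republished artifact; --require-hashes does."""
    out = []
    for line in requirements_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("-"):
            continue
        if "==" not in s:
            out.append(s)
    return out


def audit(workflow_text: str, requirements_text: str) -> list:
    """Collect human-readable findings from all three checks."""
    findings = [f"unpinned action: {ref}" for ref in unpinned_actions(workflow_text)]
    if not has_permissions_block(workflow_text):
        findings.append("no permissions block: GITHUB_TOKEN falls back to the repository default scope")
    findings += [f"unpinned requirement: {req}" for req in unpinned_requirements(requirements_text)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS):
        print(finding)
```

Wire the audit into the pipeline as a required check so a pull request that adds a floating action reference or loosens a pin fails before merge; the SHA pin is what keeps a tag that is later moved to a poisoned release from reaching your runners.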

Conclusion

Supply chain attacks are no longer an emerging threat — they are the dominant attack vector against organizations that build and deploy software. The GlassWorm campaign's 9 million installs and TeamPCP's precision compromise of a library with 3 million daily downloads demonstrate that attackers are scaling these techniques industrially. For Saudi financial institutions, compliance with SAMA CSF and NCA ECC is the floor, not the ceiling. The real question is whether your organization has operational visibility into every line of code, every dependency, and every tool your developers trust.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a dedicated review of your software supply chain security posture.