The Day After: GlassWorm Returns, AtomSilo Rises, and Your npm install Might Be Compromised
- Patrick Duggan
- Mar 18
- 3 min read
Updated: Apr 25
433 compromised packages. A zombie ransomware group. Invisible Unicode malware. Happy March 18th.
While half the internet was recovering from St. Patrick's Day, the other half was getting owned.
Here's what dropped in the last 72 hours — and what we indexed before your coffee was ready.
GlassWorm: The Supply Chain Attack You Can't See
GlassWorm is back. And this time, it brought friends.
Between March 3rd and 12th, attackers compromised 151+ GitHub repositories, npm packages, and VS Code extensions using a technique that's genuinely unsettling: they encode malicious payloads inside invisible Unicode characters.
The code points U+FE00–U+FE0F and U+E0100–U+E01EF are Unicode variation selectors. They are zero-width in every mainstream editor, terminal, and code review interface, so a string built from them looks empty on screen. The attacker packs the payload into a backtick (template literal) string made of these characters; a small loader maps each code point back to a byte, reassembles the script, and passes it to eval(). You can stare at the code and never see it. The tells are a string whose length is far larger than what is visible, and a file that greps positive for those two ranges.
Confirmed compromised packages and versions:
- @aifabrix/miso-client v4.7.2
- @iflow-mcp/watercrawl-watercrawl-mcp v1.3.0–1.3.4
- quartz.quartz-markdown-editor v0.3.0 (VS Code extension)
Compromised repos include pedronauck/reworm, doczjs/docz-plugin-css, wasmer-examples/hono-wasmer-starter, and more.
The C2 address is resolved through the Solana blockchain rather than a hardcoded domain, so there is nothing to sinkhole. The payload targets crypto wallets, credentials, SSH keys, and developer environment data.
If you install Python packages from GitHub, pull npm dependencies, or run cloned repos, search your codebase (including node_modules and your VS Code extensions directory) for the marker variable lzcdrtfxyqiplpd and for runs of the Unicode ranges above. If either turns up, you have a problem: treat every credential, SSH key, and wallet that machine could reach as exposed and rotate it.
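As an added illustration (this is not the GlassWorm loader and not code from this post), here is how a payload can be hidden in those two code point ranges and recovered, plus a scanner that flags source lines containing the carrier characters or the marker variable named above. The byte-to-code-point mapping is an assumption for the demo (bytes 0x00–0x0F to U+FE00–U+FE0F, 0x10–0xFF to U+E0100–U+E01EF), and the sample source file is constructed; nothing in it is executed.

```javascript
// Added example: hiding bytes in Unicode variation selectors and scanning for them.
// The mapping below is an illustrative assumption, not GlassWorm's actual encoding.
const VS_BASE = 0xfe00;    // U+FE00..U+FE0F holds 16 values (bytes 0x00..0x0F)
const VSS_BASE = 0xe0100;  // U+E0100..U+E01EF holds 240 values (bytes 0x10..0xFF)
const MARKER = "lzcdrtfxyqiplpd"; // marker variable named in the post
const HIDDEN_RE = /[\u{FE00}-\u{FE0F}\u{E0100}-\u{E01EF}]/gu;

function byteToHidden(b) {
  return String.fromCodePoint(b < 16 ? VS_BASE + b : VSS_BASE + (b - 16));
}

function hiddenToByte(cp) {
  if (cp >= 0xfe00 && cp <= 0xfe0f) return cp - 0xfe00;
  if (cp >= 0xe0100 && cp <= 0xe01ef) return cp - 0xe0100 + 16;
  return null; // not a carrier code point
}

// Encode UTF-8 text as a run of zero-width variation selectors.
function encodeHidden(text) {
  let out = "";
  for (const b of new TextEncoder().encode(text)) out += byteToHidden(b);
  return out;
}

// Recover the text; non-carrier characters (the visible decoy) are ignored.
function decodeHidden(str) {
  const bytes = [];
  for (const ch of str) {
    const b = hiddenToByte(ch.codePointAt(0));
    if (b !== null) bytes.push(b);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Scan a source file for carrier code points or the marker variable.
// Returns one finding per suspicious line, with the hidden text decoded.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const carriers = line.match(HIDDEN_RE) || [];
    const hasMarker = line.includes(MARKER);
    if (carriers.length === 0 && !hasMarker) return;
    findings.push({
      line: idx + 1,
      carriers: carriers.length,
      marker: hasMarker,
      decoded: carriers.length ? decodeHidden(line) : "",
    });
  });
  return findings;
}

// Constructed sample: a "config" string that renders as empty but carries a
// payload, next to a loader line that would turn it back into bytes.
const SAMPLE = [
  "const config = `" + encodeHidden("require('child_process').exec('id')") + "`;",
  "const lzcdrtfxyqiplpd = [...config].map(c => c.codePointAt(0));",
  "console.log('looks harmless');",
].join("\n");

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Run it with node and line 1 is reported with 35 carrier code points and the decoded command, while line 2 is reported for the marker alone. In a real sweep, feed scanSource every .js, .ts, and extension file under the project, and treat any carrier hit inside a string literal as a finding to triage, not a false positive to tune away.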
AtomSilo: Back From the Dead
Remember AtomSilo? The ransomware group that went dark in 2021?
They're back. In February 2026, they claimed a major Asian bank and issued extortion notices threatening to leak financial data. Five years dormant, then a clean return.
We had zero AtomSilo IOCs in our index until this morning. Now we have 16 — 9 SHA256 hashes, 6 C2 IPs, and the domain update.ajaxrenew.com. All sourced from SophosLabs' public repository and indexed into our STIX feed.
The Bigger Picture
Rapid7's 2026 Global Threat Landscape Report dropped today with a number that should keep CISOs up tonight: exploited high and critical-severity vulnerabilities surged 105% year over year. Attack timelines are collapsing. The window between disclosure and exploitation is shrinking to hours.
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
- APT28 is exploiting MS Office zero-days (CVE-2026-21509, CVE-2026-21513)
- MuddyWater backdoored a US bank, airport, and nonprofits with new tools called "Dindoor" and "Fakeset"
- Qilin ransomware claimed 30 victims last week. Akira took 18.
- The EU sanctioned 3 Chinese and Iranian companies for hacking 65,000+ devices
This is not a slow news day.
What We Did About It
As of this morning, our STIX feed contains 1,017,000+ indicators of compromise. Today we added:
- 16 AtomSilo IOCs (previously zero coverage)
- 10 GlassWorm supply chain indicators (packages, repos, extensions)
- Cross-references against existing MuddyWater, Qilin, and Akira coverage
All of this flows automatically to anyone consuming our feed. One line in Splunk:
```
| inputlookup stix_feed.csv WHERE threat_type="supply_chain" OR malware_family="AtomSilo"
```
Or hit the API:
```
curl "https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY"
```
The Point
The threats aren't getting more sophisticated. They're getting faster. A ransomware group can sleep for five years and come back in an afternoon. A supply chain attack can hide in characters your eyes literally cannot see.
The question isn't whether you have threat intelligence. It's whether your threat intelligence is current as of this morning.
Ours is.
DugganUSA indexes 1M+ IOCs across 42 indexes. The STIX feed is free at one request per day, or starts at $45/month for production use. [Get your API key](https://analytics.dugganusa.com/stix/pricing).
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.