GSL A.I CyberSecurity Scoring
Company Information
Website: https://securitylab.github.com
Employees number: None
Number of followers: 6,371
NAICS: 5112
Industry Type: Software Development
Homepage: github.com
GSL Risk Score (AI oriented): 717/1000, Moderate (Ba), in the 700 to 749 band
Updated: 04/06/2026
GSL Global Score (TPRM): score locked
Current Score: 717 Ba (MODERATE) on a 0 to 1000 scale
2 incidents, -19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 719
JUNE 2026: 738
Cyber Attack | 04 Jun 2026 • GSL
Exodus, npm and GitHub: IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets
Score: 718 | Severity/impact: CRITICAL (-20) | Incident ID: GITEXONPM1780604646
IronWorm Malware Campaign Targets Developers via Poisoned npm Packages
A sophisticated malware campaign, dubbed IronWorm, has been discovered targeting software developers, particularly those in crypto and web3, through malicious npm packages. The attack leverages compromised developer workflows to steal credentials, API keys, and cryptocurrency wallet recovery phrases, while spreading autonomously via trusted supply-chain channels.
### How the Attack Works
IronWorm infiltrates systems by hiding a Rust-based infostealer inside seemingly legitimate npm packages. When a developer runs `npm install`, the malware executes automatically, requiring no user interaction. The threat actor republished multiple npm packages from a hijacked account, embedding a hidden Linux binary in each.
Once active, IronWorm employs a kernel-level rootkit to evade detection, masking its processes and network activity from standard monitoring tools like `ps` and `top`. It communicates with its operator via the Tor network and uses obfuscation techniques, including a modified UPX packer and per-string decryption, to hinder reverse engineering.
### Credential Theft & Self-Replication
The malware aggressively harvests sensitive data, scanning for 86 environment variables (covering cloud platforms, CI/CD systems, and AI service keys) and 20+ credential file paths, including wallet configurations. A dedicated module targets the Exodus desktop wallet, capturing passwords and recovery phrases upon unlock. Another module extracts Kubernetes service account tokens from pods.
IronWorm’s most dangerous feature is its self-replicating mechanism. After stealing credentials, it uses them to push backdated malicious commits into victims’ GitHub repositories, disguising them as routine maintenance (e.g., "fix: resolve lint warnings"). These infected packages are then published to npm, creating a supply-chain loop that spreads the malware further. Researchers identified 57 backdated commits across nine GitHub organizations, some timestamped years in the past to avoid scrutiny.
### Scope & Indicators of Compromise
The campaign has impacted dozens of npm packages, including:
- `[email protected]`
- `[email protected]`
- `[email protected]`
- `[email protected]`
Malicious commits were attributed to a fake GitHub email (`[email protected]`), and the operator’s Ethereum wallet address (`0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6`) was hardcoded in the malware. The C2 endpoint (`/api/agent`) operates over Tor, and the malicious binary resides in a hidden path (`tools/setup`).
### Mitigation & Response
Security firm JFrog recommends auditing repositories for backdated commits, unexpected build hooks, and unauthorized automation activity. All compromised API keys and secrets should be rotated immediately, and affected npm packages should be unpublished with security advisories issued.
The attack underscores the growing threat of supply-chain compromises, where trusted developer tools become vectors for large-scale credential theft and malware propagation.
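A defender-side check for two of the indicators in JFrog's guidance above, backdated commits and install-time hooks, as an added example that is not part of the original report or JFrog's tooling; the `git log` format, the 30-day skew threshold and the sample inputs are assumptions constructed here:

```python
"""Audit helpers for IronWorm-style indicators: commits whose author date was
pushed into the past, and npm lifecycle scripts that run on `npm install`.
Example code added here, not the report's or JFrog's own tooling."""
import json

# Lifecycle scripts npm runs automatically during `npm install` (assumption:
# these three are the hooks worth reviewing for an installed dependency).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample of `git log --format='%H|%at|%ct|%s'` output: the first
# commit carries an author date roughly two years before its committer date.
SAMPLE_LOG = """\
a1b2c3d|1654000000|1717500000|fix: resolve lint warnings
e4f5a6b|1717400000|1717400100|chore: bump version
"""

# Constructed package.json with a postinstall hook that runs a file shipped
# inside the package (the report names tools/setup as the hidden binary path).
SAMPLE_PKG = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"postinstall": "./tools/setup", "test": "jest"},
})

def find_backdated_commits(git_log, max_skew_days=30):
    """Return commits whose author date precedes the committer date by more than
    max_skew_days. Backdating shows up as a large gap; rebases and cherry-picks
    also move committer dates, so hits are triage leads, not verdicts."""
    hits = []
    for line in git_log.strip().splitlines():
        sha, author_ts, commit_ts, subject = line.split("|", 3)
        skew_days = (int(commit_ts) - int(author_ts)) / 86400
        if skew_days > max_skew_days:
            hits.append({"sha": sha, "skew_days": round(skew_days, 1),
                         "subject": subject})
    return hits

def find_install_hooks(package_json_text):
    """Return the lifecycle scripts that execute at install time, flagging any
    that run a path from the package tree rather than a published CLI tool."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        runs_local_file = any(tok.startswith("./") or "/" in tok
                              for tok in cmd.split())
        findings.append({"hook": hook, "command": cmd,
                         "runs_local_file": runs_local_file})
    return findings
```

Run both functions over a real repository by piping `git log --format='%H|%at|%ct|%s'` and each dependency's package.json into them; any hit is a candidate for the manual review the report recommends.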
MAY 2026: 737
APRIL 2026: 737
MARCH 2026: 754
Cyber Attack | 17 Mar 2026 • GSL
GitHub, Streamlit and Python Package Index: Ongoing Python Package Attack Uses Stolen GitHub Tokens
Score: 736 | Severity/impact: CRITICAL (-18) | Incident ID: STRGITTHE1773750273
GlassWorm Malware Campaign Exploits Stolen GitHub Tokens to Infect Python Repositories
Security researchers at StepSecurity have uncovered an active malware campaign, dubbed GlassWorm, which is leveraging stolen GitHub tokens to inject malicious code into a wide range of Python repositories. The attack targets core project files including setup.py, main.py, and app.py across multiple Python ecosystems, such as Django applications, machine learning research code, Streamlit dashboards, and packages on the Python Package Index (PyPI).
The campaign employs obfuscation techniques to evade detection, making it difficult for developers and security teams to identify compromised code. Once executed, the injected payload can enable remote access, facilitate data exfiltration, or further propagate the infection within connected networks and systems.
Given Python’s widespread use in web development, data analytics, and scientific research, the attack poses significant risks to the integrity and security of applications built on these repositories. The primary entry point, stolen GitHub tokens, highlights the growing threat of supply chain attacks, where attackers exploit weak authentication controls to compromise trusted codebases.
StepSecurity has confirmed the campaign’s ongoing activity, emphasizing the need for heightened vigilance in token management and code review processes to mitigate further exposure.
FEBRUARY 2026: 754
JANUARY 2026: 754
DECEMBER 2025: 754
NOVEMBER 2025: 754
OCTOBER 2025: 754
SEPTEMBER 2025: 754
AUGUST 2025: 754