Rankiteo
Leader in Cyber Underwriting
GitHub Security Lab

GitHub Security Lab Vendor Cyber Rating & Cyber Score

github.com


GSL A.I CyberSecurity Scoring

GSL
Company Information
Website: https://securitylab.github.com
Employees number: None
Number of followers: 6,371
NAICS: 5112
Industry Type: Software Development
Homepage: github.com
GSL Risk Score (AI oriented)
Between 700 and 749
GSL, Software Development
Updated: 04/06/2026
717/1000
Moderate (Ba)
Powered by our proprietary A.I cyber incident model
GSL: Moderate
Current Score: 717 Ba (MODERATE), on a scale of 0 to 1000
2 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
July 2026: 719 (before incident)
June 2026: 738 (before incident)
Cyber Attack, 04 Jun 2026, GSL
Exodus, npm and GitHub: IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets

IronWorm Malware Campaign Targets Developers via Poisoned npm Packages

718 (after incident)
Severity: CRITICAL, score impact -20
Incident ID: GITEXONPM1780604646
IronWorm Malware Campaign Targets Developers via Poisoned npm Packages

A sophisticated malware campaign, dubbed IronWorm, has been discovered targeting software developers, particularly those in crypto and web3, through malicious npm packages. The attack leverages compromised developer workflows to steal credentials, API keys, and cryptocurrency wallet recovery phrases, while spreading autonomously via trusted supply-chain channels.

### How the Attack Works

IronWorm infiltrates systems by hiding a Rust-based infostealer inside seemingly legitimate npm packages. When a developer runs `npm install`, the malware executes automatically, requiring no user interaction. The threat actor republished multiple npm packages from a hijacked account, embedding a hidden Linux binary in each. Once active, IronWorm employs a kernel-level rootkit to evade detection, masking its processes and network activity from standard monitoring tools like `ps` and `top`. It communicates with its operator via the Tor network and uses obfuscation techniques, including a modified UPX packer and per-string decryption, to hinder reverse engineering.

### Credential Theft & Self-Replication

The malware aggressively harvests sensitive data, scanning for 86 environment variables (covering cloud platforms, CI/CD systems, and AI service keys) and 20+ credential file paths, including wallet configurations. A dedicated module targets the Exodus desktop wallet, capturing passwords and recovery phrases upon unlock. Another module extracts Kubernetes service account tokens from pods.

IronWorm's most dangerous feature is its self-replicating mechanism. After stealing credentials, it uses them to push backdated malicious commits into victims' GitHub repositories, disguising them as routine maintenance (e.g., "fix: resolve lint warnings"). These infected packages are then published to npm, creating a supply-chain loop that spreads the malware further. Researchers identified 57 backdated commits across nine GitHub organizations, some timestamped years in the past to avoid scrutiny.

### Scope & Indicators of Compromise

The campaign has impacted dozens of npm packages, including:

- `[email protected]`
- `[email protected]`
- `[email protected]`
- `[email protected]`

Malicious commits were attributed to a fake GitHub email (`[email protected]`), and the operator's Ethereum wallet address (`0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6`) was hardcoded in the malware. The C2 endpoint (`/api/agent`) operates over Tor, and the malicious binary resides in a hidden path (`tools/setup`).

### Mitigation & Response

Security firm JFrog recommends auditing repositories for backdated commits, unexpected build hooks, and unauthorized automation activity. All compromised API keys and secrets should be rotated immediately, and affected npm packages should be unpublished with security advisories issued. The attack underscores the growing threat of supply-chain compromises, where trusted developer tools become vectors for large-scale credential theft and malware propagation.
INCIDENT DETAILS
Type: Supply-Chain Attack, Malware Campaign
Motivation: Credential theft, Cryptocurrency wallet compromise, Data exfiltration, Supply-chain propagation
Impact:
- Data Compromised: Credentials, API keys, Cryptocurrency wallet recovery phrases, Kubernetes service account tokens, Environment variables
- Systems Affected: Developer workstations, CI/CD pipelines, GitHub repositories, npm packages
- Operational Impact: Unauthorized access to cloud platforms, AI services, and cryptocurrency wallets; Supply-chain compromise
- Brand Reputation Impact: Potential reputational damage to affected organizations due to supply-chain compromise
- Identity Theft Risk: High (recovery phrases and credentials stolen)
Data Breach:
- Type Of Data Compromised: Credentials, API keys, Cryptocurrency wallet recovery phrases, Kubernetes tokens, Environment variables
- Sensitivity Of Data: High (Personally Identifiable Information, Financial Data, Authentication Tokens)
- Data Exfiltration: Yes (via Tor network)
- Data Encryption: No (data stolen in plaintext)
- Personally Identifiable Information: Recovery phrases, Wallet passwords, API keys
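JFrog's two repository-side recommendations above, auditing for backdated commits and for unexpected build hooks, can be turned into a repeatable check. The script below is an added example written for this page; it is not JFrog's tooling and not code from the incident report. It reads a `git log` export and a `package.json`, both constructed inline so it runs offline; the 30-day skew threshold, the sample commit hashes and the sample e-mail addresses are assumptions.

```python
"""Audit helpers for two of the IronWorm indicators in the incident above:
backdated commits in git history and unexpected npm lifecycle hooks.

Added example; it is not JFrog's tooling and not code from the Rankiteo page.
It consumes the output of
    git log --format='%H|%an|%ae|%aI|%cI|%s'
plus a package.json, both constructed inline below so the script runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# npm runs these scripts on its own during `npm install`; the write-up above
# describes a payload that ran this way with no user interaction.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass
class Commit:
    sha: str
    author_email: str
    author_date: datetime
    commit_date: datetime
    subject: str


def parse_git_log(text: str) -> list[Commit]:
    """Parse the pipe-separated log format from the docstring (newest commit first)."""
    commits = []
    for line in text.strip().splitlines():
        sha, _name, email, adate, cdate, subject = line.split("|", 5)
        commits.append(Commit(sha, email, datetime.fromisoformat(adate),
                              datetime.fromisoformat(cdate), subject))
    return commits


def find_backdated_commits(commits: list[Commit],
                           max_skew: timedelta = timedelta(days=30)) -> list[tuple[str, list[str]]]:
    """Flag commits whose author timestamp looks forged.

    Two signals, both leads rather than verdicts (a rebase of an old branch also
    produces a gap):
      * the author date is much older than the committer date, which git sets
        to the real wall-clock time when the commit object was created;
      * the author date is older than every commit that precedes it in a linear
        history, where author dates normally only increase.
    """
    flagged = []
    newest_seen = None  # newest author date among commits already walked (oldest first)
    for c in reversed(commits):
        reasons = []
        gap = c.commit_date - c.author_date
        if gap > max_skew:
            reasons.append("author date %d days before committer date" % gap.days)
        if newest_seen is not None and c.author_date < newest_seen:
            reasons.append("author date earlier than the preceding commit")
        if reasons:
            flagged.append((c.sha, reasons))
        newest_seen = c.author_date if newest_seen is None else max(newest_seen, c.author_date)
    return flagged


def find_install_hooks(package_json: str) -> list[tuple[str, str]]:
    """Return (hook, command) for every lifecycle script declared in package.json."""
    scripts = json.loads(package_json).get("scripts", {})
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


# ---- constructed samples (not real repository data) ----
SAMPLE_LOG = """\
d4d4d4d4|Dev Two|dev2@example.com|2026-06-02T10:00:00+00:00|2026-06-02T10:00:00+00:00|docs: update README
c3c3c3c3|Maintainer|bot@example.invalid|2022-06-01T08:00:00+00:00|2026-06-01T21:14:00+00:00|fix: resolve lint warnings
b2b2b2b2|Dev One|dev1@example.com|2024-03-05T14:30:00+00:00|2024-03-05T14:30:00+00:00|feat: add retry logic
a1a1a1a1|Dev One|dev1@example.com|2024-01-10T09:00:00+00:00|2024-01-10T09:00:00+00:00|chore: initial import
"""

SAMPLE_PACKAGE_JSON = """{
  "name": "example-pkg",
  "version": "1.4.2",
  "scripts": {
    "test": "node test.js",
    "postinstall": "./tools/setup"
  }
}"""


def audit(log_text: str = SAMPLE_LOG, package_json: str = SAMPLE_PACKAGE_JSON) -> dict:
    return {"backdated_commits": find_backdated_commits(parse_git_log(log_text)),
            "install_hooks": find_install_hooks(package_json)}


if __name__ == "__main__":
    result = audit()
    for sha, reasons in result["backdated_commits"]:
        print("backdated commit %s: %s" % (sha, "; ".join(reasons)))
    for hook, cmd in result["install_hooks"]:
        print("lifecycle hook %s runs: %s" % (hook, cmd))
```

Run `git log --format='%H|%an|%ae|%aI|%cI|%s'` in the repository and feed the output to `parse_git_log`. A rebase of an old branch also separates author and committer dates, so flagged commits are leads to reconcile against the pull-request history, not verdicts. A lifecycle hook that launches a file shipped inside the package itself, like the `tools/setup` path named above, is the kind of hook worth reading before the package is installed anywhere.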
May 2026: 737 (before incident)
April 2026: 737 (before incident)
March 2026: 754 (before incident)
Cyber Attack, 17 Mar 2026, GSL
GitHub, Streamlit and Python Package Index: Ongoing Python Package Attack Uses Stolen GitHub Tokens

GlassWorm Malware Campaign Exploits Stolen GitHub Tokens to Infect Python Repositories

736 (after incident)
Severity: CRITICAL, score impact -18
Incident ID: STRGITTHE1773750273
GlassWorm Malware Campaign Exploits Stolen GitHub Tokens to Infect Python Repositories

Security researchers at StepSecurity have uncovered an active malware campaign, dubbed GlassWorm, which is leveraging stolen GitHub tokens to inject malicious code into a wide range of Python repositories. The attack targets core project files including setup.py, main.py, and app.py across multiple Python ecosystems, such as Django applications, machine learning research code, Streamlit dashboards, and packages on the Python Package Index (PyPI). The campaign employs obfuscation techniques to evade detection, making it difficult for developers and security teams to identify compromised code. Once executed, the injected payload can enable remote access, facilitate data exfiltration, or further propagate the infection within connected networks and systems.

Given Python's widespread use in web development, data analytics, and scientific research, the attack poses significant risks to the integrity and security of applications built on these repositories. The primary entry point, stolen GitHub tokens, highlights the growing threat of supply chain attacks, where attackers exploit weak authentication controls to compromise trusted codebases. StepSecurity has confirmed the campaign's ongoing activity, emphasizing the need for heightened vigilance in token management and code review processes to mitigate further exposure.
INCIDENT DETAILS
Type: Malware Campaign
Impact:
- Data Compromised: Malicious code injection enabling remote access and data exfiltration
- Systems Affected: Python repositories (Django applications, machine learning research code, Streamlit dashboards, PyPI packages)
- Operational Impact: Potential compromise of application integrity and security
Data Breach:
- Type Of Data Compromised: Source code, potential sensitive data via remote access
- Data Exfiltration: Possible
- Targeted files: setup.py, main.py, app.py
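The write-up says the injected code is obfuscated and lands in setup.py, main.py and app.py, which is enough to build a first-pass code-review check. The scanner below is an added example written for this page, not StepSecurity's tooling. Its two rules (exec/eval/compile fed by a decoding call, and long high-entropy string literals) are assumptions about how injected payloads commonly look, not GlassWorm's actual signature; the sample setup.py it scans, the thresholds and the rule names are all constructed for the example.

```python
"""Heuristic scan of Python entry files (setup.py, main.py, app.py) for
injected, obfuscated code of the kind the GlassWorm write-up above describes.

Added example; it is not StepSecurity's tooling, and the rules are assumptions
about what injected payloads usually look like, not GlassWorm's signature:
  * exec/eval/compile whose argument is produced by a decoding call
  * very long string literals with high Shannon entropy (packed payloads)
Nothing here executes the scanned code; it is only parsed with `ast`.
"""
from __future__ import annotations

import ast
import base64
import hashlib
import math
from collections import Counter

ENTRY_FILES = {"setup.py", "main.py", "app.py"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "fromhex", "decompress"}
MIN_BLOB_LEN = 200   # chars; ordinary code rarely embeds a single literal this long
MIN_ENTROPY = 4.8    # bits/char; English prose is ~4.2, base64 of random bytes ~5.8


def shannon_entropy(text: str) -> float:
    """Bits per character of the literal's symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _call_name(node: ast.Call) -> str:
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_source(source: str, filename: str = "<memory>") -> list[dict]:
    """Return one finding dict per suspicious construct in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_EXEC:
            # names of every call nested inside the exec()/eval()/compile() arguments
            nested = {_call_name(n) for n in ast.walk(node)
                      if isinstance(n, ast.Call) and n is not node}
            if nested & DECODERS:
                findings.append({"rule": "exec-of-decoded-data", "line": node.lineno,
                                 "detail": "%s() fed by %s" % (_call_name(node),
                                                               ", ".join(sorted(nested & DECODERS)))})
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and len(node.value) >= MIN_BLOB_LEN):
            entropy = shannon_entropy(node.value)
            if entropy >= MIN_ENTROPY:
                findings.append({"rule": "opaque-string-literal", "line": node.lineno,
                                 "detail": "%d chars, %.2f bits/char" % (len(node.value), entropy)})
    return findings


def scan_entry_files(files: dict[str, str]) -> dict[str, list[dict]]:
    """Scan only the entry files named in the report; map path -> findings."""
    report = {}
    for path, source in files.items():
        if path.rsplit("/", 1)[-1] in ENTRY_FILES:
            findings = scan_source(source, path)
            if findings:
                report[path] = findings
    return report


# ---- constructed samples (not real project files) ----
CLEAN_SETUP = '''\
from setuptools import setup

setup(
    name="example-pkg",
    version="1.0.0",
    description="A constructed, benign setup.py used only for this example.",
    packages=["example_pkg"],
)
'''


def _fake_blob() -> str:
    """Deterministic pseudo-random bytes, base64-encoded, standing in for a packed payload."""
    chunks, digest = [], b"constructed-sample"
    for _ in range(8):
        digest = hashlib.sha256(digest).digest()
        chunks.append(digest)
    return base64.b64encode(b"".join(chunks)).decode("ascii")


# The appended tail mimics the pattern described above; the blob is junk and is never executed.
INJECTED_SETUP = CLEAN_SETUP + (
    "\nimport base64, zlib\n"
    "exec(zlib.decompress(base64.b64decode(%r)))\n" % _fake_blob()
)

if __name__ == "__main__":
    sample = {"setup.py": INJECTED_SETUP, "app.py": CLEAN_SETUP}
    for path, findings in scan_entry_files(sample).items():
        for f in findings:
            print("%s:%d %s (%s)" % (path, f["line"], f["rule"], f["detail"]))
```

Because the check is `ast`-based it never imports or runs the file, so it can be pointed at a checkout that is suspected of being modified. MIN_ENTROPY at 4.8 bits/char sits above English text and below base64 of random data, and MIN_BLOB_LEN keeps short decoded constants out of the results; raise it if a project legitimately ships long embedded strings. Either rule firing in a diff that arrived through a token-authenticated push, rather than a reviewed pull request, is the review signal the write-up's token-management advice points at.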
February 2026: 754 (before incident)
January 2026: 754 (before incident)
December 2025: 754 (before incident)
November 2025: 754 (before incident)
October 2025: 754 (before incident)
September 2025: 754 (before incident)
August 2025: 754 (before incident)

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for GSL?
- What was GSL's A.I Rankiteo Cyber Score in June 2026?
- What was GSL's A.I Rankiteo Cyber Score in May 2026?
- What was GSL's A.I Rankiteo Cyber Score in April 2026?
- What was GSL's A.I Rankiteo Cyber Score in March 2026?
- What was GSL's A.I Rankiteo Cyber Score in February 2026?
- What was GSL's A.I Rankiteo Cyber Score in January 2026?
- What was GSL's A.I Rankiteo Cyber Score in December 2025?
- What was GSL's A.I Rankiteo Cyber Score in November 2025?
- What was GSL's A.I Rankiteo Cyber Score in October 2025?
- What was GSL's A.I Rankiteo Cyber Score in September 2025?
- What was GSL's A.I Rankiteo Cyber Score in August 2025?
- What is the average per-incident point impact on GSL's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with GSL?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view GSL's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?