Blockchain as Botnet: How Glassworm Turned Solana Memos Into an Unkillable C2 Channel — And How to Defend Your Pipeline

via Dev.to Webdevohmygod

TL;DR

The Glassworm/ForceMemo campaign — active since October 2025 and surging again in March 2026 — weaponizes the Solana blockchain's memo program as a decentralized command-and-control (C2) channel. Malware hidden in GitHub repos, npm packages, and VS Code extensions polls a Solana address every five seconds for encrypted instructions. Because blockchain data is immutable, there's no server to seize and no domain to sinkhole. This post dissects the C2 mechanism, maps the full kill chain, and provides concrete detection and hardening steps for every developer running npm install or pip install from source.

The Kill Chain in Three Phases

Phase 1 — Initial Access: Invisible Unicode in Your Dependencies

Glassworm's signature trick is encoding malicious JavaScript payloads inside invisible Unicode characters (Private Use Area variation selectors U+FE00–U+FE0F and U+E0100–U+E01EF). The injection looks like an empty template literal: eval(Buffer.from(s(``)).toString('utf-
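A defender-side check for the Phase 1 trick described above, written as an added example (not code from the article or from any tool it mentions): it walks a source file by code point, counts characters in the two variation-selector ranges the article names, and flags any template literal whose body consists only of such characters, which is exactly what renders as an empty `` in an editor. The sample input, the function names `scanSource` and `demo`, and the hidden-payload line are constructed for this example; the sample deliberately includes a legitimate emoji presentation selector (U+FE0F after a check mark) to show that a single selector is not by itself suspicious, so the finding carries both the count and the literal-shape signal.

```javascript
// Added example: scan source text for invisible Unicode variation selectors
// (U+FE00-U+FE0F and U+E0100-U+E01EF), the ranges the article names as
// Glassworm's payload carrier. Not code from the original article.

const INVISIBLE_RANGES = [
  [0xfe00, 0xfe0f],   // Variation Selectors
  [0xe0100, 0xe01ef], // Variation Selectors Supplement
];

function isInvisibleSelector(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per line that contains selectors: line number (1-based),
// how many selector code points it carries, and whether a template literal on
// that line is made up solely of such characters (it reads as `` in an editor).
function scanSource(text) {
  const findings = [];
  const lines = text.split('\n');
  lines.forEach((line, idx) => {
    let count = 0;
    for (const ch of line) {            // iterates by code point, not UTF-16 unit
      if (isInvisibleSelector(ch.codePointAt(0))) count++;
    }
    if (count === 0) return;
    // Detect a template literal whose entire body is invisible selectors.
    const literal = /`([^`]*)`/g;
    let emptyLookingLiteral = false;
    let m;
    while ((m = literal.exec(line)) !== null) {
      const body = m[1];
      if (body.length > 0 &&
          [...body].every((c) => isInvisibleSelector(c.codePointAt(0)))) {
        emptyLookingLiteral = true;
      }
    }
    findings.push({ line: idx + 1, selectors: count, emptyLookingLiteral });
  });
  return findings;
}

// Constructed sample input: a benign line, an emoji with a legitimate
// presentation selector (U+FE0F), and a line shaped like the article's
// injection with a few selector code points standing in for a hidden payload.
const SAMPLE = [
  'const x = 1;',
  'console.log("done \u2714\uFE0F");',
  'eval(Buffer.from(s(`' + '\u{E0100}\u{E0101}\u{E0123}' + '`)).toString("utf-8"));',
].join('\n');

function demo() {
  return scanSource(SAMPLE);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it over every file in `node_modules` (or over a package tarball before install) and treat a line with a non-trivial selector count, or any empty-looking literal, as a hold-the-build finding; a lone U+FE0F next to an emoji in a log string is the expected benign case.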

Continue reading on Dev.to Webdev
