
Blockchain as Botnet: How GlassWorm Turns Solana Transaction Memos Into an Unstoppable C2 Channel
The security community has long worried about blockchain being used for attacks. But a campaign discovered this month — dubbed GlassWorm/ForceMemo — takes a genuinely novel approach: using Solana's transaction memo field as a decentralized, immutable, takedown-resistant command-and-control (C2) infrastructure for a multi-platform supply chain attack.

This isn't just another malware story. It's a case study in how blockchain's core properties — censorship resistance, immutability, and public accessibility — can be weaponized against the very developer ecosystem that builds on it.

The Kill Chain: From VS Code Extension to Your setup.py

The GlassWorm campaign operates in three distinct phases, each exploiting a different trust boundary:

Phase 1: Credential Harvest via IDE Extensions

GlassWorm initially propagates through malicious VS Code and Cursor extensions published to the OpenVSX marketplace. Once installed, the extension's third-stage payload deploys a credential theft module that h



