Likelihood: MODERATE
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Exploitation status is unconfirmed at the organizational level, but GlasswormRAT persistence on already-infected developer machines means the attack surface remains active for any organization that has not yet completed triage. Likelihood is reduced to moderate only because the takedown severed C2 and disrupted new infections. Impact is very high because a compromised developer workstation grants access to source code, pipeline credentials, and signing keys, enabling downstream product poisoning that extends harm to customers and partners.
Treatment rationale: Active persistence risk on developer endpoints and the potential for downstream supply-chain propagation cannot be transferred or accepted given the multiplied blast radius through customer-facing pipelines; immediate containment, forensic triage, and credential rotation are the only treatments that reduce residual exposure to an acceptable level.
Third-Party / Supply-Chain Risk
The Glassworm campaign operated through shared public registries (OpenVSX, npm, PyPI) and GitHub, infrastructure that developer toolchains across the industry trust implicitly. Any organization that consumed packages or extensions from these registries during the campaign window (early 2025 through May 26, 2026) carries transitive supply-chain exposure, per NIST SP 800-161 Tier 3 (supplier) and Tier 4 (sub-tier) risk. Downstream customers and partners who consume software built in an infected development environment inherit an undetected injection risk until the affected organization completes artifact integrity verification and re-signs clean releases.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per affected organization, scaling to $10M+ if downstream product poisoning is confirmed
Frequency: For an organization with active developer exposure during the campaign window and no completed triage, an illustrative single realized-loss event with high conditional severity; for organizations with registry exposure but no confirmed infection, an illustrative low-frequency scenario of roughly once per multi-year period under current threat conditions
Annualized: Illustrative ALE: for exposed-but-unconfirmed organizations, $100K–$500K annualized when accounting for investigation, credential rotation, pipeline rebuild, and customer notification costs; for organizations with confirmed GlasswormRAT persistence, loss magnitude dominates and annualized framing is less meaningful than per-incident scoping
Basis: Loss magnitude driven by: forensic investigation and incident-response labor for full developer fleet triage; credential rotation across VCS, CI/CD, cloud, and code-signing infrastructure; artifact re-verification and re-release costs; potential customer notification if pipeline integrity cannot be certified; reputational and contractual exposure if downstream poisoning is discovered post-release. Frequency reflects that C2 disruption limits new infection vectors but does not eliminate realized loss from existing compromises. No external dollar benchmarks cited; derivation is structural from cost categories specific to this threat type.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed developer compromise resulting in source code or credential exfiltration may invoke cyber-insurance incident-notification obligations — verify with broker.
• If customer-facing software artifacts were built or signed from a potentially compromised pipeline, downstream customers may have contractual rights related to software integrity representations — verify with counsel.
• Organizations in regulated sectors (financial services, healthcare, critical infrastructure) should assess whether a compromised build pipeline constitutes a reportable incident under applicable sector-specific frameworks — verify with counsel.
• Evidence of code-signing key exposure may trigger third-party notification obligations under software supply agreements — verify with counsel.