CrowdStrike announced the coordinated takedown of the Glassworm botnet, a large-scale operation that targeted software developers through compromised open-source packages, malicious VSCode extensions, and poisoned GitHub repositories.
The operation, conducted alongside Google and the Shadowserver Foundation, disrupted the botnet’s infrastructure and severed communication between the operators and infected systems.
“In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm’s command-and-control (C2) channels simultaneously,” said CrowdStrike in its post about the operation.
Key Takeaways from the Glassworm Botnet Takedown
- CrowdStrike, Google, and the Shadowserver Foundation disrupted the Glassworm supply chain botnet
- The campaign targeted developers through malicious VSCode extensions, npm/Python packages, and poisoned GitHub repositories
- Glassworm used decentralized C2 infrastructure including Solana, BitTorrent DHT, Google Calendar, and VPS servers
- More than 300 GitHub repositories were reportedly compromised using stolen developer credentials
- The malware targeted Windows, macOS, and Linux systems with credential theft and remote access capabilities
Inside the Glassworm Campaign
The Glassworm campaign highlights the growing focus attackers are placing on software developers and the broader software supply chain.
Because developers often have privileged access to repositories, cloud platforms, and deployment pipelines, compromising a single developer account can give attackers a pathway to distribute malicious code across trusted software ecosystems.
How Glassworm Targeted Developers
According to CrowdStrike, the Glassworm operators used multiple delivery mechanisms to maximize reach across developer environments and open-source ecosystems.
The campaign distributed trojanized VSCode extensions through the OpenVSX marketplace disguised as legitimate developer tools, including code formatters and productivity-related utilities.
The malicious extensions reportedly targeted several development environments beyond VSCode itself, including Cursor, VSCodium, Windsurf, and Positron.
The operators also compromised npm and Python packages by embedding malicious post-installation scripts designed to execute automatically during dependency installation.
More than 300 GitHub repositories were reportedly poisoned using stolen developer credentials to push malicious code into trusted repositories and default branches.
The malware affected Windows, macOS, and Linux systems and included a Node.js-based remote access tool known as GlasswormRAT.
CrowdStrike said the malware enabled credential theft, persistence, information harvesting, and remote access on compromised developer systems.
Inside Glassworm’s C2 Infrastructure
Glassworm’s infrastructure was also designed to withstand traditional disruption attempts by relying on multiple decentralized command-and-control (C2) channels simultaneously.
According to CrowdStrike, one communication mechanism stored server information inside Solana blockchain transaction memo fields, effectively creating a public dead-drop system resistant to conventional takedown methods.
Another leveraged the BitTorrent Distributed Hash Table (DHT) network to retrieve configuration data through peer-to-peer infrastructure with no centralized point of failure.
The malware also used Google Calendar event titles to store Base64-encoded C2 paths while maintaining traditional VPS-hosted servers for final-stage payload delivery and operational control.
This layered architecture created redundancy across blockchain services, peer-to-peer (P2P) networks, cloud platforms, and conventional hosting providers, allowing operators to maintain resiliency even if one communication channel was disrupted.
How CrowdStrike Disrupted the Botnet
CrowdStrike noted that all four command-and-control channels had to be disrupted simultaneously to effectively disable the botnet and sever communications with infected systems.
The company said the operators evolved their tooling from JavaScript to Rust and Zig while expanding across additional developer platforms.
How to Reduce Supply Chain Risk
As software supply chain attacks continue targeting developer environments and open-source ecosystems, organizations are being pushed to strengthen security controls across build pipelines, repositories, and dependency management workflows.
- Monitor developer environments, CI/CD pipelines, and repositories for anomalous package activity, unauthorized changes, and suspicious authentication behavior.
- Validate extensions and dependencies before installation, restrict unnecessary third-party packages, and use private artifact repositories where possible.
- Enforce MFA, least privilege access, branch protections, signed commits, and privileged access controls across developer and administrative accounts.
- Implement code-signing verification, software composition analysis (SCA), SBOM visibility, and file integrity monitoring to identify malicious or vulnerable components.
- Segment developer and build environments from production systems while restricting unnecessary outbound connections to public package ecosystems.
- Strengthen endpoint visibility and behavioral detection capabilities across developer workstations to identify credential theft, persistence, and suspicious build activity.
- Regularly test incident response, containment, and recovery plans involving software supply chain compromises, malicious packages, and repository breaches.
Collectively, these measures can help organizations reduce software supply chain exposure and build operational resilience.
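A defender-side check for the install-script delivery path described above (malicious post-installation hooks in npm packages) and for the "validate dependencies before installation" item in the list: an added example, not CrowdStrike's tooling or anything from the Glassworm report. It walks a node_modules tree, reports every package that declares an install-time lifecycle script, and tags commands that fetch remote content, execute inline code or decode encoded payloads; the heuristic patterns and the sample package tree are constructed for illustration.

```python
import json, os, re, tempfile

# npm lifecycle hooks that run automatically when a dependency is installed
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed review heuristics: remote fetch, inline code execution, encoded payload.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"),
    "inline_exec": re.compile(r"\b(node\s+-e|python[23]?\s+-c|eval)\b"),
    "encoded_payload": re.compile(r"base64|\batob\b"),
}

def risk_indicators(command):
    """Return the names of the heuristics matched by an install command."""
    return {name for name, rx in INDICATORS.items() if rx.search(command)}

def find_install_scripts(root):
    """Report every package.json under root that declares an install-time hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if scripts.get(hook):
                findings.append({"package": manifest.get("name", os.path.basename(dirpath)),
                                 "hook": hook, "command": scripts[hook],
                                 "indicators": sorted(risk_indicators(scripts[hook]))})
    return findings

def build_sample_tree():
    """Constructed fixture: one benign package, one whose postinstall evaluates decoded code."""
    root = tempfile.mkdtemp()
    pkgs = {
        "tidy-formatter": {"name": "tidy-formatter", "scripts": {"test": "jest"}},
        "dev-helper": {"name": "dev-helper", "scripts": {"postinstall":
            "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\""}},
    }
    for name, manifest in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Run it against a freshly installed project tree before the first build; pairing it with `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) turns the review into an allow-list decision rather than an after-the-fact hunt.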
Growing Supply Chain Threat
The Glassworm operation reflects a broader shift toward attackers targeting trusted software ecosystems and developer infrastructure.
Open-source repositories, package registries, and CI/CD environments remain attractive targets because a single compromised package or developer account can affect thousands of downstream users and systems.
Detection alone is becoming less effective against supply chain attacks because malicious packages and dependencies can spread rapidly through automated development workflows before being identified.
CrowdStrike emphasized that proactive disruption efforts and cross-industry collaboration are becoming important for reducing supply chain risk and disrupting resilient threat infrastructure.
As organizations look to reduce the risks associated with trusted software ecosystems, some are turning to zero trust solutions to help strengthen access controls, segmentation, and overall developer environment security.