CrowdStrike Dismantles Glassworm Botnet Targeting Open-Source Developer Supply Chain
- May 27
- 3 min read
Key Findings
CrowdStrike, Google, and Shadowserver dismantled the Glassworm botnet by simultaneously taking down four command-and-control servers that powered a sophisticated supply chain attack campaign
The Russia-based threat group infected over 300 GitHub repositories and compromised hundreds of open-source packages across npm, Python, and VSCode extensions since early 2025
Glassworm deployed a multi-layered resilience strategy using the Solana blockchain, BitTorrent DHT, Google Calendar, and commercial VPS providers to maintain operational continuity
The takedown exposed advanced tradecraft focused on automating malware propagation through trusted developer workflows rather than simple repository compromises
Security partners are sharing indicators of compromise to help organizations hunt for infections while calling for broader ecosystem coordination against supply chain threats
Background
Glassworm emerged in early 2025 as a persistent threat targeting software developers with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. The operation represented a calculated shift in adversary tactics, focusing on developer environments as force multipliers. By compromising a single developer machine, attackers could potentially impact thousands of downstream organizations consuming the poisoned software. The threat group, assessed to be Russia-based due to malware kill-switches for CIS countries and Russian-language code comments, demonstrated sophisticated operational planning from the outset.
Multi-Channel Infrastructure Design
What distinguished Glassworm was its resilient command-and-control architecture spanning four distinct channels. The operators used the Solana blockchain to store C2 addresses in transaction memo fields, leveraged BitTorrent's distributed hash table for configuration retrieval, employed Google Calendar event titles as dead drop resolvers, and maintained backup infrastructure on commercial VPS providers. This redundancy was intentional, creating multiple layers of indirection to survive disruption attempts. The simultaneous takedown required coordinated action across all four channels to prevent the attackers from simply pivoting to an alternative pathway.
Attack Scope and Methods
The campaign delivered malware through trojanized VSCode extensions on the official Microsoft marketplace and Open VSX, reaching users of VS Code forks including Cursor, Positron, Windsurf, and VSCodium. Malicious npm and Python packages extended the infection vector further. Initial payloads included credential harvesters targeting GitHub tokens, npm credentials, and cryptocurrency wallets. Later iterations deployed GlasswormRAT, a JavaScript-based remote access tool capable of browser data theft and arbitrary code execution. A deployed Chrome extension then scraped screenshots, keystrokes, and clipboard contents from victim systems.
Weaponized Infrastructure
Infected machines became nodes in Glassworm's attack infrastructure, functioning as SOCKS proxies, hidden VNC servers, and remote execution nodes via WebRTC or spawned Node.js processes. This converted victim networks into anonymized access points for the attackers, enabling further lateral movement and repository compromise. The operators used stolen developer credentials to poison over 300 GitHub repositories, automating the process to rapidly expand reach through the supply chain. The operational sophistication lay not in individual techniques but in the automation and integration that could scale the compromise quickly if left uninterrupted.
Disruption Strategy and Rationale
CrowdStrike emphasized that the coordinated takedown served broader strategic goals beyond temporary infrastructure denial. By exposing tradecraft and forcing the adversary to rebuild from scratch, the operation raises operating costs and operational burden. The security industry's proactive disruption approach proved effective precisely because traditional law enforcement options remain limited against actors operating from non-cooperative jurisdictions. The company called this "sustained pressure" designed to impede momentum rather than permanently eliminate the threat group.
Ecosystem Response and Future Challenges
Industry partners are sharing detailed indicators of compromise to enable defensive hunting across organizations. The takedown demonstrates that effective supply chain protection requires visibility and alignment across vendors, platform operators, law enforcement agencies, and the open-source ecosystem. However, security leaders acknowledged that developers remain vulnerable given the low barrier to poisoning packages against the enormous potential blast radius. As long as developer environments and build pipelines remain under-protected, organizations consuming software inherit risk from everyone producing it.
Sources
https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html
https://ground.news/article/crowdstrike-disrupts-glassworm-botnet-targeting-developers

Comments