CrowdStrike Disrupts Glassworm Botnet that Preyed on Open-Source Supply Chain
CrowdStrike said infected machines can no longer receive new instructions after the coordinated takedown cut off four resilient command channels.
- In a coordinated operation yesterday, CrowdStrike, Google, and The Shadowserver Foundation disrupted Glassworm, a botnet targeting developers, by simultaneously disabling all four of its command-and-control channels: Solana blockchain transactions, the BitTorrent DHT, Google Calendar dead drops, and direct VPS connections.
- Glassworm campaigns began in October 2025, initially stealing cryptocurrency wallets and developer credentials through malicious OpenVSX and Microsoft VS Code extensions, later expanding to GitHub repositories and npm packages with one March campaign compromising more than 400 software artifacts.
- The botnet's resilience stemmed from its distributed architecture: C2 addresses encoded in Solana blockchain memo fields, configuration data stored in BitTorrent DHT, Base64-encoded paths hidden in Google Calendar event titles, and commercial VPS servers, requiring simultaneous disruption of all four channels.
- Following the disruption, all infected machines now beacon to CrowdStrike-operated IP address 164.92.88210, allowing organizations to identify compromised systems; researchers also released YARA rules for detecting infections on suspected hosts.
- The coordinated takedown demonstrates how modern botnets leverage decentralized infrastructure for resilience, and the multi-organization effort sets a precedent for disrupting similar threats targeting the software supply chain.
15 Articles
CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain
CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators’ access to infrastructure that helped threat actors infect hundreds of pieces of open-source software with malware since early 2025, the company said Tuesday. The coordinated effort involved the simultaneous takedown of four attacker-controlled servers that were designed to obscure the botnet’s operations and remain resilien…
Glassworm botnet disrupted after resilient C2 infrastructure takedown
The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network.
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software chain campaign targeting software developers through malicious packages and extensions. "Since at least early 2025, GlassWorm operators have systematically targeted software developers, a
Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub
A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, the attackers have turned routine development workflows into entry points for data theft, credential harvesting, and persistent system access. The campaign first surfaced in October 2025, when malicious Visual Studio Code and OpenVSX extensions appear…
CrowdStrike, Google slay ‘unkillable’ Glassworm botnet targeting devs
Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports suggested the self-replicating malware’s infrastructure was unkillable due to the use of the immutable and distributed Solana public blockchain for C2 dead-drops. CrowdStrike wrote in its analysis that the Glassworm operators went further in their eff…
Coverage Details
Bias Distribution
- 100% of the sources are Center