
CrowdStrike Disrupts Glassworm Botnet Targeting Developers

Severity: High (Score: 67.5)

Sources: cybernoz.com, Ground.News, itbrief.in, Cybersecuritynews

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: glassworm, developers, malware, pypi, openvsx, github, dangerous

Severity indicators: ot, malware, worm, botnet

Summary

The Glassworm malware campaign, which has been targeting software developers since October 2025, has been disrupted by CrowdStrike in collaboration with Google and the Shadowserver Foundation. This campaign exploited trusted platforms like npm, PyPI, OpenVSX, and GitHub to facilitate data theft and credential harvesting. The malware utilized compromised open-source packages and malicious Visual Studio Code extensions to infiltrate development workflows. CrowdStrike reported that it successfully severed the command and control (C2) channels used by the botnet, which were previously thought to be resilient due to their use of the Solana blockchain. The takedown has significantly reduced the supply-chain risks for developers using these tools. As a result, the Glassworm botnet has lost all four of its command channels, impacting its operational capabilities. The coordinated effort marks a significant victory against a persistent threat to the software development community.

Key Points:

  • CrowdStrike, Google, and Shadowserver disrupted the Glassworm botnet targeting developers.
  • The malware exploited npm, PyPI, OpenVSX, and GitHub to compromise development tools.
  • All four command channels of the Glassworm botnet were taken down, reducing supply-chain risks.

Detailed Analysis

**Impact**

Software developers worldwide were targeted through compromised open-source packages and development tools, including npm, PyPI, OpenVSX, and GitHub. The campaign enabled data theft, credential harvesting, and persistent access on infected systems, affecting development workflows and supply chain integrity. The disruption of the botnet's command and control channels has halted ongoing malicious activity, but the full extent of data compromised remains unspecified.

**Technical Details**

The Glassworm malware propagated via malicious Visual Studio Code and OpenVSX extensions, poisoned GitHub repositories, and compromised packages on npm and PyPI. Operators used the Solana public blockchain for immutable, distributed command and control dead-drops, complicating takedown efforts. CrowdStrike, Google, and the Shadowserver Foundation coordinated a simultaneous strike severing all four C2 channels, effectively isolating infected machines. No specific CVEs or IOCs were detailed in the available reports.

**Recommended Response**

Defenders should audit and verify the integrity of open-source packages and development tool extensions before deployment. Monitoring for unusual network traffic patterns, especially connections to blockchain-based C2 infrastructure, is advised. Organizations should collaborate with threat intelligence providers for updated IOCs and ensure endpoint detection systems are tuned to identify malicious extensions and repository poisoning. No patch or CVE-specific mitigation was provided.

Source articles (4)

  • Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub — Cybersecuritynews · 2026-05-27
    A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, th…
  • CrowdStrike disrupts Glassworm botnet targeting developers — Ground.News · 2026-05-27
  • CrowdStrike, Google slay ‘unkillable’ Glassworm botnet targeting devs — cybernoz.com · 2026-05-27
  • CrowdStrike disrupts Glassworm botnet targeting developers — itbrief.in · 2026-05-27

Timeline

  • 2025-10-01 — Glassworm malware campaign first surfaced: The campaign began targeting developers through compromised tools and packages, leading to data theft and credential harvesting.
  • 2026-05-27 — CrowdStrike disrupts Glassworm botnet: CrowdStrike, in collaboration with Google and Shadowserver, took down the botnet's C2 channels, significantly impacting its operations.

Related entities

  • Botnet (Attack Type)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Glassworm (Malware)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • GitHub (Platform)
  • PyPI (Platform)
  • Solana (Platform)
  • Visual Studio Code (Platform)
  • Npm (Tool)
  • OpenVSX (Company)