
Glassworm Botnet Disrupted: Major Takedown Targets Developer Tools

Severity: High (Score: 74.0)

Sources: Ground.News, Computerweekly, Cyberscoop, Bleepingcomputer, cybernoz.com

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: glassworm, developers, malware, pypi, openvsx, github, dangerous

Severity indicators: ot, malware, worm, botnet

Summary

CrowdStrike, in collaboration with Google and Shadowserver, has successfully disrupted the Glassworm botnet, which has been targeting software developers since October 2025. The operation involved the simultaneous takedown of four command-and-control (C2) channels that utilized Solana blockchain transactions and the BitTorrent network. Glassworm's sophisticated malware campaigns have infected over 400 software artifacts, including malicious Visual Studio Code and OpenVSX extensions. The botnet's infrastructure was designed for resilience, complicating previous disruption efforts. Following the takedown, compromised machines can no longer receive instructions, and organizations are advised to monitor specific IP addresses for remediation. The operation highlights the importance of proactive measures against supply-chain threats.

Key Points:

  • CrowdStrike and partners disrupted the Glassworm botnet targeting developers.
  • The botnet used resilient C2 channels, complicating previous takedown efforts.
  • Over 400 software artifacts were compromised, affecting multiple platforms.

Detailed Analysis

**Impact**

The Glassworm botnet targeted software developers globally, compromising over 300 GitHub repositories and more than 400 software artifacts across npm, PyPI, OpenVSX, and Visual Studio Code extensions since October 2025. Affected systems include Windows, macOS, and Linux, with data theft focused on credentials and cryptocurrency wallets. The campaign disrupted developer workflows and posed significant risks to software supply chains, potentially impacting numerous downstream organizations relying on these open-source tools.

**Technical Details**

Glassworm employed supply chain attacks via malicious open-source packages and VSCode/OpenVSX extensions, leveraging a remote-access tool named GlasswormRAT for data and credential theft. Its resilient command-and-control infrastructure used four layered channels simultaneously: Solana blockchain transactions, BitTorrent's DHT network, Google Calendar, and commercial VPS providers. The botnet's architecture enabled evasion of takedown attempts by using non-traditional communication channels and multi-layered indirection. Post-disruption, infected hosts beacon to IP 164.92.88[.]210. YARA rules and network indicators have been published for detection.

**Recommended Response**

Organizations should immediately search for network traffic to IP 164.92.88[.]210 and deploy the published YARA detection rules to identify infected hosts. Remediation should include removing malicious packages and extensions from developer environments and hardening CI/CD pipelines and software supply chains. Monitoring for unusual activity involving Solana blockchain and BitTorrent DHT communications is advised. Collaboration with platform providers and threat intelligence sharing is recommended to prevent reconstitution of the botnet infrastructure.
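The recommended first step is to search existing network telemetry for connections to the published beacon address. The script below is an added example written for this page; it is not code from CrowdStrike, Shadowserver or any of the cited articles. It takes the indicator in the defanged form the page uses (164.92.88[.]210), refangs it, and scans log lines for that exact IPv4 literal, validating each candidate with the `ipaddress` module so that a near-miss such as 164.92.88.21 is not reported. The proxy and firewall log lines are constructed for the example and do not represent real telemetry; the log format assumed is arbitrary, since the regex only needs an IPv4 literal somewhere in the line.

```python
import ipaddress
import re

# Beacon address exactly as published on the page, in defanged form.
DEFANGED_BEACON = "164.92.88[.]210"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('164.92.88[.]210', 'hxxp://...') back into a literal."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


BEACON_IP = ipaddress.ip_address(refang(DEFANGED_BEACON))

# Dotted-quad candidates only; lookarounds stop us matching inside a longer
# dotted string. Each candidate is validated with ipaddress before comparison.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_beacon_hits(log_lines, beacon=BEACON_IP):
    """Return (line_number, line) pairs whose IPv4 literals include the beacon address."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for cand in IPV4_RE.findall(line):
            try:
                if ipaddress.ip_address(cand) == beacon:
                    hits.append((lineno, line))
                    break  # one hit per line is enough
            except ValueError:
                continue  # e.g. an octet above 255; not a real address
    return hits


# Constructed sample log lines (assumed format, not real telemetry): a proxy line,
# an unrelated firewall line, a near-miss address, and a second true hit.
SAMPLE_LOG = [
    "2026-05-27T10:01:02Z proxy src=10.0.5.21 dst=164.92.88.210:443 action=allow",
    "2026-05-27T10:01:05Z fw src=10.0.5.33 dst=93.184.216.34:443 action=allow",
    "2026-05-27T10:02:10Z fw src=10.0.5.21 dst=164.92.88.21:443 action=allow",
    "2026-05-27T10:03:00Z conn 10.0.7.9 -> 164.92.88.210 tcp/443 bytes=1320",
]

if __name__ == "__main__":
    for lineno, line in find_beacon_hits(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

Run against real proxy, firewall or NetFlow exports, the source addresses in the matching lines are the hosts to isolate and check with the published YARA rules; the refanging step matters because indicators copied from advisories are routinely defanged and a literal search for the bracketed form finds nothing.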

Source articles (7)

  • Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub — Cybersecuritynews · 2026-05-27
    A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, th…
  • CrowdStrike disrupts Glassworm botnet targeting developers — Ground.News · 2026-05-27
    A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, th…
  • Glassworm botnet that targeted OS devs smashed to pieces — Computerweekly · 2026-05-27
    The Glassworm botnet that weaponised trusted developer tools and turned them on the open source community to poison hundreds of GitHub repositories with malicious code has been knocked out in a coordi…
  • Glassworm botnet disrupted after resilient C2 infrastructure takedown — Bleepingcomputer · 2026-05-27
    The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain…
  • CrowdStrike disrupts Glassworm botnet that preyed on open — Cyberscoop · 2026-05-27
    CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators’ access to infrastructure that helped threat actors infect hundreds of pieces…
  • CrowdStrike, Google slay ‘unkillable’ Glassworm botnet targeting devs — cybernoz.com · 2026-05-27
  • CrowdStrike disrupts Glassworm botnet targeting developers — itbrief.in · 2026-05-27

Timeline

  • 2025-10-01 — Glassworm campaign first surfaced: Malicious extensions targeting developers began spreading through popular platforms.
  • 2026-05-26 — Coordinated takedown of Glassworm C2 channels: CrowdStrike, Google, and Shadowserver simultaneously disrupted four C2 channels, severing operator access.
  • 2026-05-27 — Organizations advised to monitor for Glassworm indicators: Following the disruption, organizations are urged to check for specific IP addresses related to the botnet.

Related entities

  • Botnet (Attack Type)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • artifacts.in (Domain)
  • 164.92.88.210 (Ipv4)
  • Glassworm (Malware)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • GitHub (Platform)
  • PyPI (Platform)
  • Solana (Platform)
  • Visual Studio Code (Platform)
  • Npm (Tool)
  • OpenVSX (Company)