Glassworm Botnet Targeting Developers Disrupted by CrowdStrike and Google
Severity: High (Score: 71.0)
Sources: Ground.News, Infosecurity-Magazine, Itnews.Au, www.techtarget.com, Techcrunch
Keywords: glassworm, developers, malware, pypi, openvsx, github, dangerous
Severity indicators: ot, malware, worm, botnet
Summary
The Glassworm botnet, which has targeted software developers since early 2025, was taken down in a coordinated operation by CrowdStrike, Google, and the Shadowserver Foundation on May 26, 2026. The botnet relied on resilient command-and-control (C2) infrastructure, including the Solana blockchain, Google Calendar, and BitTorrent networks, and spread malware through compromised open-source packages and malicious VS Code extensions. The malware infected systems across Windows, macOS, and Linux, compromising over 300 GitHub repositories and various npm and Python packages. Known for hiding its malicious code in invisible Unicode characters, it has been linked to credential theft and remote access capabilities. As of the takedown, all four C2 channels were severed, preventing further malware distribution. The campaign's sophistication highlights a significant shift toward targeting developers themselves rather than only the software they produce.
Key Points:
• The Glassworm botnet targeted developers through compromised open-source tools since early 2025.
• CrowdStrike and partners took down all four command-and-control channels on May 26, 2026.
• The botnet's infrastructure included the Solana blockchain and Google Calendar for resilient operations.
Detailed Analysis
**Impact**
The Glassworm botnet targeted software developers globally, compromising over 300 GitHub repositories and packages on multiple open-source registries, including npm, PyPI, and OpenVSX. Approximately 134,000 developers were exposed through hijacked npm packages with tens of thousands of downloads, notably react-native-international-phone-number (92K monthly downloads) and react-native-country-select (42K monthly downloads). The malware infected Windows, macOS, and Linux environments, resulting in credential theft, data exfiltration, and the conversion of infected developer machines into proxy nodes, putting supply chain integrity at risk across every sector that relies on open-source software.
**Technical Details**
The attack employed self-propagating malware delivered via trojanized VS Code extensions, compromised npm and Python packages, and GitHub repositories poisoned using stolen developer credentials. The malware embedded its malicious code in invisible Unicode characters, so that the injected code escaped code review and static analysis. Its command-and-control (C2) infrastructure was highly resilient, leveraging four channels: Solana blockchain transactions carrying encoded C2 addresses, the BitTorrent Distributed Hash Table (DHT) for configuration data, Google Calendar event titles used as Base64-encoded dead drops, and conventional VPS-hosted servers. The payload included a Node.js remote access trojan (GlasswormRAT). IOCs include the Solana wallet address 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ and the CrowdStrike-operated IP 164.92.88[.]210.
**Recommended Response**
Organizations should immediately review network logs and endpoint telemetry for connections to IP 164.92.88[.]210 and deploy the published YARA rules to detect Glassworm infections. Harden developer environments by enforcing multi-factor authentication, monitoring for unusual package updates, and restricting access to package registries. Monitor for anomalous use of Google Calendar events and for blockchain activity involving Solana RPC endpoints. Coordinate with threat intelligence providers to track and block identified IOCs, and ensure rapid patching and account recovery for compromised developer accounts.
Source articles (19)
- CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — Itnews.Au · 2026-05-27
  Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports sug…
- Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub — Cybersecuritynews · 2026-05-27
  A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, th…
- CrowdStrike disrupts Glassworm botnet targeting developers — Ground.News · 2026-05-27
- CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — www.itnews.com.au · 2026-05-27
- Glassworm botnet that targeted OS devs smashed to pieces — Computerweekly · 2026-05-27
  The Glassworm botnet that weaponised trusted developer tools and turned them on the open source community to poison hundreds of GitHub repositories with malicious code has been knocked out in a coordi…
- Glassworm botnet disrupted after resilient C2 infrastructure takedown — Bleepingcomputer · 2026-05-27
  The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain…
- CrowdStrike disrupts Glassworm botnet that preyed on open — Cyberscoop · 2026-05-27
  CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators' access to infrastructure that helped threat actors infect hundreds of pieces…
- CrowdStrike, Google Take Down Glassworm Botnet — Infosecurity-Magazine · 2026-05-27
  An industry effort involving CrowdStrike, Google and the Shadowserver Foundation has led to the disruption of the Glassworm botnet. Working together, the three organizations managed to simultaneously…
- Npm Is Serving Malware To 134k Developers — www.endorlabs.com · 2026-05-27
  An attacker took over the npm account behind react-native-international-phone-number and react-native-country-select, publishing three waves of malicious versions containing malware linked to the Glas…
- Command And Control Server CC Server — www.techtarget.com · 2026-05-27
  A command-and-control server (C&C server) is a computer that issues directives to digital devices that have been infected with rootkits or other types of malware, such as ransomware. C&C servers can…
- CrowdStrike and Google take down botnet used by hackers to target software developers in supply chain attacks — Techcrunch · 2026-05-27
  CrowdStrike, working with Google and Shadowserver, a nonprofit organization that scans and monitors the internet for cyberattacks, took down a botnet that cybercriminals used to push malware and steal…
- CrowdStrike and Google dismantle botnet targeting developers — Zamin.Uz · 2026-05-27
  CrowdStrike, in collaboration with Google and the non-profit organization Shadowserver, has dismantled a major botnet used by cybercriminals to steal passwords and distribute malware among open-source…
- CrowdStrike and Google dismantle Glassworm botnet that targeted developers ... — Cryptobriefing · 2026-05-27
  The botnet used Solana blockchain infrastructure for command-and-control operations while siphoning funds from dozens of cryptocurrency wallet extensions. A coordinated operation by CrowdStrike, Googl…
- Google, CrowdStrike and Shadowserver take down Glassworm botnet targeting developers — Newsbytesapp · 2026-05-27
  Google, CrowdStrike, and Shadowserver just took down the Glassworm botnet, a hacking network that spent two years going after software developers. The group broke into more than 300 GitHub repositorie…
- CrowdStrike, Google shatter Glassworm botnet — Theregister · 2026-05-27
  CrowdStrike, working with Google and the Shadowserver Foundation, said it has taken down the Glassworm botnet, a self-propagating, credential-stealing worm that has targeted developers and spread thro…
- Glassworm First Self Propagating Worm Using Invisible Code Hits Openvsx Marketplace — www.koi.ai · 2026-05-27
  A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we just discovered the world's first worm targeting VS Code extensions on OpenVSX marketplace. But GlassWorm isn't…
- CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — cybernoz.com · 2026-05-27
- CrowdStrike disrupts Glassworm botnet targeting developers — itbrief.in · 2026-05-27
- Inside Crowdstrike Takedown Of A Developer Targeting Botnet — www.crowdstrike.com · 2026-05-27
Timeline
- 2025-10-17 — Glassworm campaign first identified: Malicious VS Code extensions and npm packages began compromising developer environments.
- 2026-05-26 — Glassworm botnet takedown: CrowdStrike, Google, and Shadowserver disrupted the botnet's C2 infrastructure, halting malware distribution.
- 2026-05-27 — Public announcement of takedown: CrowdStrike confirmed the successful disruption of the Glassworm botnet and its operations.
Related entities
- Botnet (Attack Type)
- DDoS (Attack Type)
- Malware (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- Supply Chain Attack (Attack Type)
- Trojan (Attack Type)
- Worm (Attack Type)
- Mini Shai-Hulud (Malware)
- Glassworm (Malware)
- GlasswormRAT (Malware)
- Shai Hulud (Malware)
- Axios (Platform)
- BitTorrent (Platform)
- BitTorrent DHT (Platform)
- GitHub (Platform)
- Google Calendar (Platform)
- Linux (Platform)
- MacOS (Platform)
- OpenVSX Marketplace (Platform)
- PyPI (Platform)
- Solana (Platform)
- Visual Studio Code (Platform)
- VS Code Extension Store (Platform)
- Windows (Platform)
- Windsurf (Platform)
- Solana Blockchain (Platform)
- VSCode (Platform)
- OpenAI (Company)
- Cursor (Company)
- OpenVSX (Company)
- Russia (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- CWE-94 - Code Injection (Cwe)
- api.mainnet-beta.solana.com (Domain)
- artifacts.in (Domain)
- getblock.io (Domain)
- gmail.com (Domain)
- p2p.org (Domain)
- rpc.ankr.com (Domain)
- shuriken.xyz (Domain)
- techcrunch.com (Domain)
- [email protected] (Email)
- 164.92.88.210 (Ipv4)
- 217.69.3.218 (Ipv4)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1132 - Data Encoding (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Npm (Tool)
- Node.js (Tool)
- Positron (Tool)
- Python (Tool)
- VSCodium (Tool)
- 59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26 (Sha256)