Ground.News
Glassworm Botnet Targeting Developers Disrupted by CrowdStrike and Google
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Glassworm botnet, which has targeted software developers since early 2025, was taken down in a coordinated operation by CrowdStrike, Google, and the Shadowserver Foundation on May 26, 2026. This botnet utilized sophisticated command-and-control (C2) infrastructure, including the Solana blockchain, Google Calendar, and BitTorrent networks, to spread malware through compromised open-source packages and malicious VS Code extensions. The operation affected numerous systems across Windows, macOS, and Linux, compromising over 300 GitHub repositories and various npm and Python packages. The malware, known for its invisible code injection techniques, has been linked to credential theft and remote access capabilities. As of the takedown, all four C2 channels were severed, preventing further malware distribution. The attack's sophistication highlights a significant shift in targeting developers rather than just software products.
Key Points: • The Glassworm botnet targeted developers through compromised open-source tools since early 2025. • CrowdStrike and partners took down all four command-and-control channels on May 26, 2026. • The botnet's infrastructure included the Solana blockchain and Google Calendar for resilient operations.