CrowdStrike, Google Take Down Glassworm Botnet

By Team-CWD, May 27, 2026

An industry effort involving CrowdStrike, Google and the Shadowserver Foundation has led to the disruption of the Glassworm botnet.

Working together, the three organizations managed to simultaneously take down all four of Glassworm’s command-and-control (C2) channels, severing the operators from their infected machines and their ability to deliver new malicious payloads.

These channels included traditional C2 servers hosted on commercial virtual private servers (VPS).

The botnet also relied on less common and stealthier assets: Google Calendar event titles used as dead-drop locations for Base64-encoded C2 paths, peer-to-peer networks, and blockchain-based infrastructure, notably C2 server addresses encoded in the memo fields of transactions on the Solana blockchain.

The Glassworm remote access tool queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike noted in a report published on May 26.

This is why the threat hunters had to disrupt all channels simultaneously.

“Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute,” CrowdStrike added.

Glassworm Tied to Poisonous VS Code Extensions, Npm and Python Packages

A household name in open-source software supply chain attacks, Glassworm has been a network of devices controlled by malicious operators since at least early 2025.

It had been used in several multi-pronged malicious campaigns targeting software developers by poisoning open-source packages they rely upon across Windows, macOS and Linux systems.

Some of the activities linked to Glassworm included trojanized extensions of Microsoft Visual Studio Code (VS Code), published to the OpenVSX marketplace, compromised npm and Python packages introducing malicious code through postinstall hooks and setup scripts and

More than 300 GitHub repositories were poisoned using stolen developer credentials harvested from earlier Glassworm infections, CrowdStrike added.

The company highlighted that Glassworm “marked a significant shift in the threat landscape” that should “serve as a wake-up call for every organization that ships or consumes software.”

“Adversaries are no longer just targeting products, they’re targeting the developers who build them. The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it,” CrowdStrike threat hunters warned.
