A coordinated operation involving CrowdStrike, Google, and the Shadowserver Foundation reportedly disrupted the infrastructure behind the GlassWorm botnet, a malware operation that had been targeting developers and open source ecosystems for months. According to statements released by CrowdStrike, the operation focused on disabling all known command-and-control channels used by the malware simultaneously, preventing infected systems from receiving additional payloads or instructions.
GlassWorm drew attention over the past year due to its focus on software developers and its use of unconventional infrastructure designed to survive traditional takedown efforts. The campaign reportedly affected multiple operating systems and spread across several open source ecosystems, including VSCode extensions, GitHub repositories, npm packages, and Python projects.
Multi-Layered Command Infrastructure
Researchers stated that GlassWorm relied on four separate command-and-control mechanisms operating at the same time. The malware allegedly used the Solana blockchain to store encoded server addresses inside transaction memo fields, allowing operators to distribute infrastructure details through a decentralized and effectively permanent platform.
In addition to blockchain-based infrastructure, the malware reportedly used the BitTorrent distributed hash table network to retrieve configuration data linked to hardcoded public keys. CrowdStrike also claimed the operators abused Google Calendar events by embedding Base64-encoded command paths into event titles. Traditional VPS-hosted servers were then used to host payloads and maintain direct communications with infected systems. According to the companies involved in the operation, all four channels had to be disrupted simultaneously to prevent the operators from quickly rebuilding access to infected machines.
Developers and Open Source Ecosystems Targeted
GlassWorm was first identified in late 2025 after malicious Visual Studio Code extensions appeared on the OpenVSX marketplace. The extensions reportedly impersonated legitimate developer tools, including formatters and productivity utilities, while silently deploying malware onto victim systems.
Researchers later observed the campaign expanding beyond VSCode extensions. Compromised GitHub repositories, malicious npm packages, and poisoned Python projects were all linked to the operation over time. CrowdStrike claimed that more than 300 GitHub repositories were modified using stolen developer credentials collected from previously infected systems. The malware family reportedly targeted a wide range of development environments, including Cursor, Windsurf, Positron, VSCodium, and other VSCode-based platforms.
Credential Theft and Remote Access Capabilities
According to published findings, GlassWorm was designed primarily for credential theft and long-term persistence. The malware allegedly collected GitHub, Git, and npm credentials while also targeting cryptocurrency browser extensions and wallets. Researchers stated that infected systems could also be converted into SOCKS proxy nodes and accessed remotely through hidden VNC instances. CrowdStrike described one component, referred to as GlasswormRAT, as a full-featured Node.js-based remote access tool capable of deploying additional payloads and maintaining control over compromised machines. The campaign reportedly evolved continuously throughout its activity, with operators shifting development from JavaScript to Rust and later Zig while expanding into additional software ecosystems.
Obfuscation and Evasion Techniques
One of the more unusual techniques associated with GlassWorm involved the use of Unicode variation selectors to conceal malicious code inside source files. The hidden characters reportedly allowed parts of the malware to remain invisible in certain code editors while still executing normally. Researchers also claimed the malware checked a victim system’s locale, language settings, and timezone before executing. Systems located in CIS countries were allegedly excluded from infection. CrowdStrike stated that Russian-language comments were also found throughout parts of the source code, although the company stopped short of presenting this as definitive attribution.
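To make the variation-selector trick concrete, here is an added example (not GlassWorm code and not CrowdStrike's tooling) that hides a byte string behind ordinary-looking text, recovers it the way a loader stage would, and scans a source file for the invisible code points a reviewer's editor may not render. The one-byte-per-selector mapping is an assumption made for illustration; the page does not describe the real encoding. The sample source, the hidden string and the zero-width space on line 3 are constructed.

```python
"""Hide bytes in Unicode variation selectors and scan source files for them.

Added example, not the malware's or CrowdStrike's code. The byte-to-selector
mapping below is an assumed illustrative scheme; the sample inputs are constructed.
"""
import unicodedata


def is_variation_selector(ch: str) -> bool:
    """U+FE00..U+FE0F (VS1-VS16) and U+E0100..U+E01EF (VS17-VS256)."""
    cp = ord(ch)
    return 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF


def is_format_char(ch: str) -> bool:
    """Other invisible code points (zero-width joiners, bidi overrides, BOM) are category Cf."""
    return unicodedata.category(ch) == "Cf"


def byte_to_vs(b: int) -> str:
    """Assumed scheme: one byte per selector (0-15 -> VS1-16, 16-255 -> VS17-256)."""
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def vs_to_byte(ch: str) -> int:
    """Inverse of byte_to_vs."""
    cp = ord(ch)
    return cp - 0xFE00 if cp <= 0xFE0F else cp - 0xE0100 + 16


def smuggle(visible: str, payload: bytes) -> str:
    """Append the payload as variation selectors; editors typically render only `visible`."""
    return visible + "".join(byte_to_vs(b) for b in payload)


def extract_hidden(text: str) -> bytes:
    """Recover the hidden bytes, i.e. what a loader stage does before executing them."""
    return bytes(vs_to_byte(c) for c in text if is_variation_selector(c))


def strip_hidden(text: str) -> str:
    """Remove every invisible code point so the line reads as an editor would show it."""
    return "".join(c for c in text if not (is_variation_selector(c) or is_format_char(c)))


def scan_source(source: str) -> list:
    """Report each line that carries variation selectors or other format characters."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        n_vs = sum(1 for c in line if is_variation_selector(c))
        n_cf = sum(1 for c in line if is_format_char(c))
        if n_vs or n_cf:
            findings.append({
                "line": no,
                "variation_selectors": n_vs,
                "format_chars": n_cf,
                "visible": strip_hidden(line),
            })
    return findings


# Constructed sample: a harmless stand-in for a hidden stage, plus a zero-width
# space (U+200B) planted in an identifier on line 3 to show the second check.
HIDDEN = b"require('child_process').exec('id')"
SAMPLE_SOURCE = (
    "const a = 1;\n"
    + smuggle("// formatter config", HIDDEN)
    + "\nconst b\u200b = 2;\nmodule.exports = a;\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['variation_selectors']} variation selectors, "
              f"{f['format_chars']} format chars, shown as: {f['visible']!r}")
    print("hidden payload:", extract_hidden(SAMPLE_SOURCE))
```

Variation selectors and Cf characters are legitimate in prose, emoji (U+FE0F) and CJK glyph variants, so a finding in a README is noise, but one inside a JavaScript, Python or Rust file, especially trailing a comment, deserves a look; a CI step that fails on any such character in code files is a cheap control.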
Infection Monitoring and Detection
Following the disruption operation, CrowdStrike stated that infected systems were sinkholed, meaning their command-and-control traffic was redirected to a benign IP address controlled by the company. Organizations were advised to monitor outbound traffic for connections to 164.92.88[.]210, which researchers said could indicate a compromised machine; given the malware's focus on GitHub, Git, and npm credentials, any host that matches is a candidate for isolation and token rotation, not just cleanup. The company also released YARA rules intended to help identify GlassWorm-related payloads and installers on infected hosts.
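The outbound-traffic check described above, as an added example rather than CrowdStrike's own tooling: it refangs the published indicator, walks connection records, and lists the internal hosts that reached the sinkhole. The records are constructed and use Zeek conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) only as a convenient tab-separated layout; adjust the indices for your own flow or firewall logs.

```python
"""List internal hosts that contacted the GlassWorm sinkhole in connection logs.

Added example, not CrowdStrike tooling. Log lines are constructed; the column
layout is assumed to follow Zeek conn.log field order.
"""
import ipaddress
from collections import defaultdict

# Indicator published with the disruption, defanged in the article as 164.92.88[.]210.
SINKHOLE_IOCS = ["164.92.88[.]210"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable address."""
    return ioc.replace("[.]", ".")


def parse_conn_line(line: str):
    """Parse one tab-separated record; returns None for headers and short lines."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    return {
        "ts": float(fields[0]),
        "uid": fields[1],
        "src": fields[2],
        "src_port": int(fields[3]),
        "dst": fields[4],
        "dst_port": int(fields[5]),
        "proto": fields[6],
    }


def find_sinkhole_contacts(lines, iocs=SINKHOLE_IOCS) -> dict:
    """Map each source host to the (ts, dst_port, proto) tuples of its sinkhole contacts."""
    targets = {ipaddress.ip_address(refang(i)) for i in iocs}
    hits = defaultdict(list)
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:  # hostname or malformed field; not an IP match
            continue
        if dst in targets:
            hits[rec["src"]].append((rec["ts"], rec["dst_port"], rec["proto"]))
    return dict(hits)


# Constructed sample log: two hosts, one of which beacons to the sinkhole twice.
# 198.51.100.7 is a TEST-NET-2 address used as an unrelated destination.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1700000000.1\tCabc1\t10.0.0.5\t51234\t164.92.88.210\t443\ttcp\n"
    "1700000001.2\tCabc2\t10.0.0.7\t51235\t198.51.100.7\t443\ttcp\n"
    "1700000002.3\tCabc3\t10.0.0.5\t51236\t164.92.88.210\t80\ttcp\n"
    "1700000003.4\tCabc4\t10.0.0.9\t51237\tnot-an-ip\t80\ttcp\n"
)

if __name__ == "__main__":
    for host, contacts in find_sinkhole_contacts(SAMPLE_CONN_LOG.splitlines()).items():
        print(f"{host}: {len(contacts)} sinkhole contact(s): {contacts}")
```

A match means the host ran the malware at some point and tried to reach what used to be live infrastructure, so treat it as compromised even though the current endpoint is benign; the absence of a match says nothing about hosts that only went through a channel you do not log, such as DNS-only or proxied egress.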
Supply Chain Risks Continue to Grow
The GlassWorm campaign highlights the increasing focus on developers and software supply chains as attack surfaces. By compromising developer workstations, repositories, or package ecosystems, attackers can potentially gain indirect access to a much larger number of downstream targets.
Researchers involved in the takedown argued that traditional detection methods alone are often too slow to prevent damage in modern package ecosystems, where malicious updates can spread within minutes. They also described GlassWorm as an example of how threat actors are building increasingly resilient infrastructure designed to survive partial disruptions and infrastructure seizures. While the long-term impact of the operation remains unclear, the disruption appears to have temporarily severed active communications between the botnet operators and infected systems.