CrowdStrike disrupts Glassworm botnet targeting developers


Wed, 27th May 2026
Joseph Gabriel Lagonsin, News Editor

CrowdStrike, Google and the Shadowserver Foundation have disrupted the Glassworm botnet, cutting off all four of its command-and-control channels.

The botnet targeted software developers through the open-source supply chain, using trojanised coding extensions, compromised software packages and stolen credentials tied to code repositories. The action severed operators from infected machines and blocked their ability to send new malicious payloads, according to CrowdStrike.

Glassworm had been active since at least early 2025 and affected Windows, macOS and Linux systems. The campaign focused on developers because their access to source code repositories, cloud services, CI/CD pipelines and package registries can open a path into many other organisations.

More than 300 GitHub repositories were poisoned after attackers used credentials harvested from earlier infections, CrowdStrike said. Malicious code was force-pushed into default branches, creating a route for broader software supply-chain compromise.

The threat

The operation relied on a broad set of delivery methods. Malicious Visual Studio Code extensions were published to the OpenVSX marketplace and disguised as routine developer tools such as time trackers and code formatters. The extensions also targeted related editors including Cursor, Positron, Windsurf and VSCodium.

Attackers also planted malicious npm and Python packages. These used post-install hooks and setup scripts to run code during normal dependency installation, a technique that can reach developer machines with little friction.
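The install-time hooks described above are ordinary npm lifecycle scripts, which is what lets a package run code the moment it is installed. The following added example (not from CrowdStrike or this article) shows the check a defender can run over a set of package manifests to surface packages that declare such scripts; the manifests are constructed, and the hook names are npm's standard install-time events.

```python
"""Flag npm packages whose manifests declare install-time lifecycle scripts.

Added example, not CrowdStrike's tooling. The manifests below are constructed
to show one clean package, one legitimate native build, and one package that
runs an arbitrary script on install.
"""
import json

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(manifest_json):
    """Return the install-time scripts declared by one package.json, if any."""
    manifest = json.loads(manifest_json)
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit(manifests):
    """Map package name -> install hooks for every manifest that declares one."""
    findings = {}
    for name, text in manifests.items():
        hooks = install_hooks(text)
        if hooks:
            findings[name] = hooks
    return findings


# Constructed sample manifests (package name -> package.json text).
SAMPLE_MANIFESTS = {
    "tiny-utils": json.dumps({
        "name": "tiny-utils", "version": "1.0.0",
        "scripts": {"test": "node test.js"},          # no install hook
    }),
    "native-addon": json.dumps({
        "name": "native-addon", "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild"},   # common for native modules
    }),
    "code-formatter-plus": json.dumps({
        "name": "code-formatter-plus", "version": "0.0.9",
        "scripts": {"postinstall": "node ./setup.js"},  # runs arbitrary code on install
    }),
}


if __name__ == "__main__":
    for pkg, hooks in audit(SAMPLE_MANIFESTS).items():
        print(pkg, hooks)
```

A hit is not proof of malice (native modules legitimately compile in an `install` hook), but every hit is code that ran without the developer reading it. Installing with `npm install --ignore-scripts`, then reviewing and re-enabling scripts only for packages that need them, turns the hook from an automatic step into a reviewed one. The Python side has the same issue with `setup.py`: installing from built wheels (`pip install --only-binary :all:`) avoids executing setup scripts at install time.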

Once installed, the malware could steal information, harvest credentials and deploy a Node.js remote access tool known as GlasswormRAT. That access gave the operators a way to move from an individual workstation into broader development environments and software distribution channels.

Four channels

Glassworm's infrastructure was designed to survive partial disruption, CrowdStrike said. Its command-and-control setup used four separate channels: Solana blockchain transactions, the BitTorrent distributed hash table, a public calendar service and direct server connections hosted on commercial virtual private server providers.

In one method, command-and-control server addresses were encoded in the memo fields of blockchain transactions. In another, the malware queried the BitTorrent peer-to-peer network for configuration data linked to hardcoded public keys.

The group also used Google Calendar event titles as dead-drop locations for Base64-encoded command-and-control paths. Direct server links served as the final mechanism for payload delivery.

Because of that design, taking down one route would have left the others available. All four channels had to be hit at the same time to stop the operators from quickly rebuilding access, according to CrowdStrike.

Attribution signs

CrowdStrike said the criminals are likely based in Russia, though it stopped short of making a definitive attribution. It cited malware that checks a victim machine's locale, language settings and time zone, then exits if the system appears to be in a Commonwealth of Independent States country, along with Russian-language comments in source code.

The company noted that neither sign is conclusive on its own. Locale checks can be copied, and code comments do not always indicate a native speaker, but CrowdStrike said the pattern remained consistent across more than a year of observed activity.

Detection advice

To help organisations identify possible infections, Glassworm-infected machines now beacon to a benign IP address operated by CrowdStrike. The company advised security teams to review network logs and endpoint telemetry for connections to 164.92.88[.]210, saying any match indicates a Glassworm infection that requires immediate remediation.
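As an added example (not CrowdStrike's tooling), the script below runs the check the advisory recommends over constructed firewall-style log lines: it refangs the published indicator, compares destination addresses as parsed IPs rather than substrings, and groups matches by source host. The log format is an assumption; only the sinkhole address comes from the advisory.

```python
"""Find internal hosts that contacted the Glassworm sinkhole address.

Added example, not CrowdStrike's tooling. Log lines are constructed; the only
value taken from the advisory is the sinkhole IP, written defanged as published.
"""
import ipaddress
import re
from collections import defaultdict

SINKHOLE_INDICATOR = "164.92.88[.]210"  # as published by CrowdStrike (defanged)


def refang(value):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a real address."""
    return value.replace("[.]", ".")


SINKHOLE_IP = ipaddress.ip_address(refang(SINKHOLE_INDICATOR))

# Constructed sample: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>" per line.
# Line 4 is a deliberate near miss (164.92.88.21) that a naive substring grep
# for "164.92.88.21" would match; exact IP comparison does not.
SAMPLE_LOG = """\
2026-05-27T08:01:12Z 10.20.1.15 142.250.72.14 443 ALLOW
2026-05-27T08:02:40Z 10.20.1.31 164.92.88.210 443 ALLOW
2026-05-27T08:02:41Z 10.20.1.31 164.92.88.210 443 ALLOW
2026-05-27T08:05:03Z 10.20.2.7 164.92.88.21 80 ALLOW
2026-05-27T08:09:55Z 10.20.1.90 164.92.88.210 8080 DENY
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def find_sinkhole_contacts(log_text, indicator=SINKHOLE_IP):
    """Return {src_ip: [(timestamp, dst_port, action), ...]} for exact matches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        # A DENY still counts: the host attempted to beacon, so it is infected.
        if dst == indicator:
            hits[m["src"]].append((m["ts"], int(m["port"]), m["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_sinkhole_contacts(SAMPLE_LOG).items():
        print(host, "->", len(events), "contact(s):", events)
```

Because the sinkhole only receives traffic from already-infected machines, a blocked connection is as significant as an allowed one; the remediation trigger is the attempt, not its success.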

CrowdStrike also published YARA rules intended to help confirm infections on identified hosts. The rules focus on strings associated with GlasswormRAT scripts and an obfuscated Python installer used by another Glassworm variant.

The case underlines the pressure on software supply chains, where malicious packages and extensions can spread through dependency updates in seconds and many package ecosystems have limited built-in controls. With millions of packages across repositories such as npm, PyPI, OpenVSX and GitHub, defenders often discover abuse only after code has already been installed.

In its account of the operation, CrowdStrike argued that established software supply-chain threats cannot be addressed through detection alone and that active disruption of attacker infrastructure is needed alongside conventional monitoring and remediation.

"Adversaries are no longer just targeting products, they're targeting the developers who build them," CrowdStrike said.