CrowdStrike Disrupts Glassworm Botnet Targeting Developers via Fake npm Packages
CrowdStrike disrupted the Glassworm botnet, which targeted software developers by distributing malware through fake npm packages to steal credentials and mine cryptocurrency.

CrowdStrike has announced the disruption of a sophisticated botnet operation codenamed Glassworm, which specifically targeted software developers by distributing malicious packages through the npm registry. The takedown involved sinkholing command-and-control (C2) infrastructure and seizing domains used by the threat actors.
The Glassworm campaign relied on typosquatting and other deceptive techniques to publish fake npm packages that mimicked popular libraries. When developers unknowingly installed these malicious packages, their machines became infected with malware capable of credential theft, cryptomining, and further compromise of development environments.
CrowdStrike's investigation revealed that the botnet's infrastructure was designed to evade detection by using encrypted communications and regularly rotating C2 domains. The sinkholing operation redirected traffic from infected machines to servers controlled by CrowdStrike, allowing the company to map the botnet's scale and identify victims.
The disruption is part of a broader trend of threat actors increasingly targeting the software supply chain. By compromising developer machines, attackers can gain access to proprietary code, API keys, and cloud credentials, enabling lateral movement into enterprise networks. The use of legitimate package registries like npm makes such attacks particularly insidious, as developers often trust these sources implicitly.
CrowdStrike has not attributed the Glassworm operation to any specific threat group but noted that the tactics align with financially motivated cybercriminal activity. The company has shared indicators of compromise (IOCs) with the security community to help organizations detect and remediate infections.
This takedown underscores the importance of supply chain security and the need for developers to verify package authenticity, use integrity checks, and monitor for unusual behavior in their development environments. CrowdStrike recommends that organizations implement software composition analysis (SCA) tools and enforce policies for package sourcing to mitigate similar threats.
New reporting from CrowdStrike and Sonatype reveals the Glassworm campaign has expanded beyond npm to also abuse PyPI, OpenVSX, and GitHub, with malicious VS Code extensions and hijacked React Native npm packages (over 30,000 weekly downloads) infecting roughly 35,800 developers since October 2025. The multi-stage malware now uses the Solana blockchain as a censorship-resistant C2 channel, reading instructions from transaction memos that cannot be deleted once recorded on-chain. CrowdStrike also detailed that the malware injects malicious code into repositories while preserving the original commit author and date, and deploys a persistent WebSocket-based backdoor alongside a malicious Chrome extension to capture browser session data.
CrowdStrike, in collaboration with Google and the Shadowserver Foundation, simultaneously took down all four of GlassWorm's command-and-control channels, which included Solana blockchain, Google Calendar, BitTorrent, and traditional VPS servers. The takedown severed the operators' access to infected machines and prevented delivery of new payloads. CrowdStrike also instructed infected machines to beacon to a benign IP address (164.92.88[.]210) for detection purposes.
In a coordinated operation yesterday, CrowdStrike, Google, and The Shadowserver Foundation simultaneously disrupted all four of Glassworm's C2 channels—Solana blockchain transactions, BitTorrent DHT, Google Calendar event titles, and direct VPS connections—cutting off the botnet's ability to issue new instructions. Infected machines now beacon to a CrowdStrike-operated IP (164.92.88.210), and the researchers have released YARA rules to help organizations confirm infections. The takedown follows recent Glassworm activity that planted dormant malicious extensions on OpenVSX and impacted over 400 software artifacts in a single March campaign.
The takedown, executed by CrowdStrike, Google, and the Shadowserver Foundation, simultaneously neutralized all four C2 channels — including Solana blockchain dead drops, BitTorrent DHT, Google Calendar, and commercial VPS servers — preventing infected machines from receiving new instructions. CrowdStrike attributed the campaign to likely Russia-based cybercriminals and noted that over 300 GitHub repositories were poisoned using stolen developer credentials. The operation also revealed that GlassWorm deployed a Websocket-based JavaScript RAT (GlassWormRAT) to steal browser data, keystrokes, and clipboard content, and converted infected hosts into SOCKS proxies and hidden VNC servers.