VYPR advisory · Published May 27, 2026 · 2 sources

CrowdStrike, Google Team Up to Disrupt Sophisticated Glassworm Botnet Targeting Developers

An industry collaboration between CrowdStrike, Google and the Shadowserver Foundation has disrupted the Glassworm botnet, a stealthy network that targeted software developers by poisoning open-source packages and stealing credentials.

CrowdStrike, Google and the Shadowserver Foundation have jointly disrupted the Glassworm botnet, a sophisticated malware network that has been targeting software developers since early 2025. The takedown, announced on May 26, involved simultaneously severing all four of the botnet's command-and-control (C2) channels, preventing operators from re-establishing control over infected machines or delivering further payloads.

The botnet's infrastructure was unusually layered, blending traditional C2 servers hosted on commercial virtual private servers with more esoteric channels. According to CrowdStrike's report, the operators used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths. They also encoded C2 server addresses in the memo fields of Solana blockchain transactions and queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys. This multi-channel design made a single-point takedown ineffective; all channels had to be neutralized at once.
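The dead-drop channel described above can also be hunted for from the defender's side. The following is an added example, not code from CrowdStrike's or Google's reporting: a Python heuristic that flags Calendar event titles (or any short free-text field, such as a transaction memo) containing a Base64 token that decodes to a URL-like path. The sample titles are constructed, and the path-shape heuristic is an assumption rather than a published indicator.

```python
import base64
import binascii
import re
import string

# Candidate tokens: Base64 alphabet, at least 12 chars, optional "=" padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Decoded text that looks like a URL path, a full URL, or host[:port][/path].
# This shape check is an assumption for the example, not a vendor-published rule.
PATH_LIKE = re.compile(
    r"^(/[\w./-]*|https?://\S+|[a-z0-9.-]+\.[a-z]{2,}(:\d+)?(/\S*)?)$", re.I
)
# Printable ASCII minus whitespace controls; rejects binary that happens to decode.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_if_path(token: str):
    """Return the decoded text if `token` is valid Base64 for a URL-ish string, else None."""
    if len(token) % 4:          # strict Base64 needs a length that is a multiple of 4
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text if PATH_LIKE.match(text) else None


def scan_titles(titles):
    """Return (title, decoded) pairs for titles carrying a Base64-encoded URL-ish string."""
    hits = []
    for title in titles:
        for token in B64_TOKEN.findall(title):
            decoded = decode_if_path(token)
            if decoded:
                hits.append((title, decoded))
    return hits


# Constructed sample event titles for the example (not real indicators).
SAMPLE_TITLES = [
    "Weekly sync",
    "Sprint review",
    "Reminder " + base64.b64encode(b"/api/v2/beacon").decode(),
]

if __name__ == "__main__":
    for title, decoded in scan_titles(SAMPLE_TITLES):
        print(f"suspicious title: {title!r} -> decodes to {decoded!r}")
```

The same `scan_titles` logic applies unchanged to exported memo fields or other short text pulled from a resolution channel; tune `PATH_LIKE` to whatever path or host shape your own telemetry shows.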

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike noted. “Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute.”

Glassworm is a familiar name in the open-source software supply chain attack space. The botnet was used in multi-pronged campaigns that poisoned developer environments with trojanized VS Code extensions published to the OpenVSX marketplace, compromised npm and Python packages that introduced malicious code via postinstall hooks and setup scripts, and poisoned more than 300 GitHub repositories using stolen developer credentials harvested from earlier infections.

The disruption operation involved sinkholing the botnet's C2 infrastructure and seizing associated domains. No arrests have been announced, and CrowdStrike has not attributed Glassworm to any specific state-backed or criminal group. However, the company stressed that the threat represents a significant shift: attackers are now directly targeting the software development supply chain, not just end users.

“Adversaries are no longer just targeting products, they're targeting the developers who build them. The barrier to poisoning a package or extension is low; the potential blast radius is enormous,” CrowdStrike threat hunters warned. The company urged organizations to better protect developer environments, build pipelines, and code repositories, noting that “every organization that consumes software inherits the risk of everyone who produces it.”

CrowdStrike provided additional detail on Tuesday. The operation simultaneously took down four attacker-controlled servers that were designed to obscure the botnet's operations and remain resilient against disruption; the broader goal was to force the adversary to spend time and resources rebuilding infrastructure rather than targeting victims. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop that the countermeasures removed “the connective tissue of the operation to create cascading operational pain,” and emphasized that when threat actors operate from jurisdictions where law enforcement cooperation is limited, dismantling infrastructure becomes one of the most effective tools available.

Synthesized by Vypr AI