Executive Summary
On May 26, 2026, a coordinated operation led by CrowdStrike, in partnership with Google and the Shadowserver Foundation, successfully disrupted the GlassWorm malware infrastructure, which had been actively targeting the global software development supply chain since early 2025. The takedown simultaneously neutralized all four of GlassWorm’s command-and-control (C2) channels, effectively severing the operators’ ability to control infected machines and deliver new malicious payloads. GlassWorm’s campaign marked a significant escalation in supply chain threats by directly targeting developers and their tools, including Visual Studio Code (VSCode) extensions, npm and Python packages, and GitHub repositories. The operation’s success demonstrates the effectiveness of cross-sector collaboration and precision disruption against resilient adversary infrastructure. All technical claims and findings in this report are corroborated by primary sources from CrowdStrike (https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/), ComputerWeekly (https://www.computerweekly.com/news/366643675/Glassworm-botnet-that-targeted-OS-devs-smashed-to-pieces), and Anomali (https://www.anomali.com/blog/anomali-cyber-watch-robot-malware-suite-glassworm-vidar-stealer-2-0).
Technical Information
GlassWorm is a sophisticated malware campaign that exploited the software development ecosystem through a multi-pronged approach. The operators published trojanized VSCode extensions to the OpenVSX marketplace, disguised as legitimate tools such as time trackers and code formatters. Because other editors consume the same marketplace, these malicious extensions also reached developers using Cursor, Positron, Windsurf, and VSCodium. In parallel, the attackers published malicious npm and Python packages that rely on npm lifecycle hooks (postinstall) and Python setup scripts to execute code silently during routine dependency installation, so a developer never has to open or run the package for the implant to land.
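As an added illustration of the install-hook vector described above (example code written for this page, not code from the cited reports or from the malware), the following Python auditor walks a node_modules tree, lists every package that declares a preinstall, install or postinstall script, and scores each script body for the download-and-execute patterns a trojanized package needs. The package names, the @acme/time-tracker manifest and its setup.js are constructed sample data.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example (not code from the GlassWorm operators or the cited reports):
walks node_modules, reads every package.json, flags packages that run code
at install time, and scores the script for fetch/decode/eval behaviour.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these for every installed dependency, without any user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics for install scripts that fetch or evaluate code rather than
# just building a native addon. Each distinct hit adds one to the score.
SUSPICIOUS_PATTERNS = {
    "inline_eval": re.compile(r"\bnode\s+-e\b|\beval\(|new Function\("),
    "downloader": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b|\bfetch\("),
    "base64": re.compile(r"base64|atob\(|Buffer\.from\([^)]*,\s*['\"]base64"),
    "obfuscated": re.compile(r"(\\x[0-9a-f]{2}){4,}|String\.fromCharCode", re.I),
    "shell_exec": re.compile(r"child_process|execSync|spawn\("),
}

def audit_package_json(pkg_json_path):
    """Return a finding dict if the package declares an install hook, else None."""
    pkg_json_path = Path(pkg_json_path)
    try:
        manifest = json.loads(pkg_json_path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return {"package": pkg_json_path.parent.name, "hooks": {},
                "score": 0, "reasons": ["unparseable package.json"]}
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    if not hooks:
        return None
    reasons = set()
    for hook, body in hooks.items():
        # Follow "node something.js" into the referenced file so the scan
        # covers the code that actually runs, not just the one-line command.
        texts = [body]
        m = re.match(r"\s*node\s+([\w./-]+\.js)", body)
        if m and (pkg_json_path.parent / m.group(1)).is_file():
            texts.append((pkg_json_path.parent / m.group(1))
                         .read_text(encoding="utf-8", errors="replace"))
        for text in texts:
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    reasons.add(f"{hook}: {name}")
    return {"package": manifest.get("name", pkg_json_path.parent.name),
            "hooks": hooks, "score": len(reasons), "reasons": sorted(reasons)}

def audit_node_modules(root):
    """Walk node_modules (nested and scoped packages included); worst first."""
    findings = [f for f in map(audit_package_json, Path(root).rglob("package.json")) if f]
    return sorted(findings, key=lambda f: -f["score"])

def build_sample_tree():
    """Constructed sample: a benign native-build package, a trojanized package
    with a hypothetical stage-one loader, and a package with no hooks."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "native-addon"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "native-addon", "version": "1.0.0",
         "scripts": {"install": "node-gyp rebuild"}}))
    trojan = root / "@acme" / "time-tracker"
    trojan.mkdir(parents=True)
    (trojan / "package.json").write_text(json.dumps(
        {"name": "@acme/time-tracker", "version": "2.3.1",
         "scripts": {"postinstall": "node setup.js"}}))
    # Hypothetical loader: decodes an embedded blob and runs it via node -e.
    (trojan / "setup.js").write_text(
        "const b=Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString();\n"
        "require('child_process').execSync('node -e \"' + b + '\"');\n")
    clean = root / "lodash-like"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "lodash-like", "version": "4.0.0"}))
    return root

if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f["score"], f["package"], f["hooks"], f["reasons"])
```

Run it against a real tree with audit_node_modules("node_modules"). A non-zero score is a prompt to read the script, not proof of compromise: native-addon builds legitimately use install hooks, which is why the benign entry is listed with a score of 0 rather than suppressed, and a loader can always be written to dodge these regexes, so the list of hooked packages is the durable signal.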
A critical aspect of GlassWorm’s propagation was the use of stolen developer credentials, harvested from earlier infections, to poison over 300 GitHub repositories by force-pushing malicious code into default branches. The malware’s self-propagation capabilities enabled it to use infected developer systems to automatically publish new infected extensions, accelerating its spread across the ecosystem. By October 2025, at least 35,000 developer installations had been compromised, according to Anomali (https://www.anomali.com/blog/anomali-cyber-watch-robot-malware-suite-glassworm-vidar-stealer-2-0).
The core payload, GlasswormRAT, is a full-featured Node.js remote access trojan (RAT). It harvests credentials for npm, GitHub, OpenVSX, and nearly 50 types of crypto-wallet, steals other data from the host, and establishes long-term access by deploying SOCKS proxies and installing hidden VNC clients, so an infected developer machine also becomes a relay and an interactive foothold for the operators.
GlassWorm’s C2 infrastructure was engineered for resilience, utilizing four distinct channels:
- The Solana blockchain was used to encode C2 server addresses in transaction memo fields, creating immutable, publicly accessible dead-drops.
- The BitTorrent Distributed Hash Table (DHT) stored configuration data against hardcoded public keys, leveraging a decentralized peer-to-peer network.
- Google Calendar event titles served as dead-drops for Base64-encoded C2 paths.
- Traditional C2 servers were hosted on commercial virtual private server (VPS) providers for payload delivery.
This multi-layered architecture was specifically designed to resist traditional takedown efforts. The first three channels are read-only lookups against legitimate public services, so as long as any one of them remained readable the implant could recover a fresh payload server address and the operators could reconstitute the botnet; disrupting only the VPS hosts would therefore have bought days at most. The takedown operation on May 26, 2026, struck all four channels at once, which is what neutralized the botnet’s operational capabilities rather than merely interrupting them (https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/).
GlassWorm’s campaign targeted Windows, macOS, and Linux environments, with the primary objective of compromising developers who have access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. The attackers’ strategy was to leverage the high-value access of developers to orchestrate supply chain compromises that could impact thousands of downstream organizations and users.
Attribution analysis suggests the operators are likely based in Russia, as evidenced by the malware’s runtime checks for CIS country locale, language, and timezone, as well as Russian-language comments in the source code. However, this attribution remains at medium confidence, as such indicators can be mimicked by other actors (https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/).
The campaign’s technical sophistication is further highlighted by its use of invisible Unicode characters to embed malicious code: editors and diff viewers render these code points as blank, so the embedded code passed both automated and manual review. The infection vectors and credential theft mechanisms are mapped to multiple MITRE ATT&CK techniques, including T1195 (Supply Chain Compromise), T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), T1552.001 (Unsecured Credentials: Credentials In Files), T1102 (Web Service), T1041 (Exfiltration Over C2 Channel), T1105 (Ingress Tool Transfer), T1021.005 (Remote Services: VNC), and T1090 (Proxy) (https://www.anomali.com/blog/anomali-cyber-watch-robot-malware-suite-glassworm-vidar-stealer-2-0).
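The following Python scanner, added here as an example (not code from the cited reports, and not GlassWorm’s actual encoding), flags runs of invisible and bidirectional-control code points in source text and reports where each run sits and which code points start it. The byte-decoding helper assumes the widely published variation-selector layout (VS1..VS16 for 0x00..0x0F, VS17..VS256 for 0x10..0xFF); that layout is an assumption for illustration, not a claim about GlassWorm’s scheme. The extension entry point it scans is constructed sample input.

```python
"""Flag invisible or bidi-control Unicode in source text and recover hidden bytes.

Added example (not from the cited reports): a generic detector for the class
of technique in which code is hidden in characters that editors and diff
viewers do not render. It reports every run of such code points so a
reviewer can inspect them, and decodes one assumed byte-encoding layout.
"""
import unicodedata

# Ranges that render as nothing, or alter rendering of their neighbours.
INVISIBLE_RANGES = [
    (0x200B, 0x200F, "zero-width / bidi marks"),
    (0x202A, 0x202E, "bidi embedding/override (Trojan Source)"),
    (0x2060, 0x2064, "word joiner / invisible operators"),
    (0x2066, 0x2069, "bidi isolates"),
    (0xFE00, 0xFE0F, "variation selectors"),
    (0xFEFF, 0xFEFF, "zero-width no-break space / BOM"),
    (0xE0000, 0xE007F, "Unicode tags block"),
    (0xE0100, 0xE01EF, "variation selectors supplement"),
]

def classify(cp):
    """Label a code point if it is invisible/control, else None."""
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    # Catch-all: any other format-category (Cf) character is worth a look.
    if unicodedata.category(chr(cp)) == "Cf":
        return "other format character (Cf)"
    return None

def _finish(line, lineno, start, end, label):
    sample = " ".join(f"U+{ord(c):04X}" for c in line[start:min(end, start + 4)])
    return (lineno, start, end - start, label, sample)

def scan_source(text):
    """Return one finding per contiguous run: (line, col, length, label, sample)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run_start, run_label = None, None
        for col, ch in enumerate(line):
            label = classify(ord(ch))
            if label and label == run_label:
                continue                      # extend the current run
            if run_label is not None:
                findings.append(_finish(line, lineno, run_start, col, run_label))
            run_start, run_label = (col, label) if label else (None, None)
        if run_label is not None:             # run reached end of line
            findings.append(_finish(line, lineno, run_start, len(line), run_label))
    return findings

def variation_selectors_from_bytes(data):
    """ASSUMED layout: VS1..VS16 carry 0x00..0x0F, VS17..VS256 carry 0x10..0xFF."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)

def hidden_bytes_from_variation_selectors(text):
    """Inverse of the assumed layout; ignores every non-selector character."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)

def build_sample():
    """Constructed sample: a plausible extension entry point with a hidden run of
    variation selectors after a comment and a Trojan-Source override in a string."""
    hidden = variation_selectors_from_bytes(b"curl h")   # demonstration bytes only
    return ("const vscode = require('vscode');\n"
            "// telemetry helper" + hidden + "\n"
            "const label = 'admin\u202Eresu';\n"
            "module.exports = { activate() {} };\n")

if __name__ == "__main__":
    for lineno, col, length, label, sample in scan_source(build_sample()):
        print(f"line {lineno} col {col}: {length} x {label} [{sample}]")
    print(hidden_bytes_from_variation_selectors(build_sample()))
```

Point scan_source at each file of an extension or package before it is trusted. A run of variation selectors after a comment marker, as in the sample, is exactly the case where a reviewer sees nothing and a grep for visible strings finds nothing; the decoder then shows whether the run carries structured bytes rather than stray emoji modifiers.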
Affected Versions & Timeline
The GlassWorm campaign began in early 2025, with initial infections detected in VSCode and OpenVSX extension registries. By October 2025, at least 35,000 developer installations had been compromised. Throughout 2025 and into 2026, the operators expanded their activities to include npm, PyPI, and GitHub, using stolen credentials to poison over 300 repositories. The campaign targeted all major operating systems—Windows, macOS, and Linux—and affected a wide range of developer tools and package ecosystems.
The coordinated takedown of GlassWorm’s infrastructure occurred on May 26, 2026, at 14:00 UTC, when all four C2 channels were disrupted simultaneously by CrowdStrike, Google, and the Shadowserver Foundation. This action effectively halted the operators’ ability to control infected machines and deliver new payloads. The following day, ComputerWeekly published a post-mortem and sector analysis of the incident (https://www.computerweekly.com/news/366643675/Glassworm-botnet-that-targeted-OS-devs-smashed-to-pieces).
Threat Activity
GlassWorm’s operators conducted an extensive, multi-faceted campaign targeting the software development supply chain. Their primary tactics included publishing trojanized VSCode extensions to the OpenVSX marketplace, introducing malicious npm and Python packages, and using stolen developer credentials to poison GitHub repositories. The malware’s self-propagation capabilities allowed it to leverage infected developer systems to publish new malicious extensions, facilitating rapid and widespread infection.
The campaign’s objectives were credential and data theft, persistent access via remote access tools, and the potential for large-scale supply chain compromise. The attackers targeted credentials from npm, GitHub, OpenVSX, and crypto-wallets, with the intent to further propagate the malware and enable extortion or data theft. The use of a resilient, multi-layered C2 infrastructure made the campaign particularly challenging to disrupt.
GlassWorm’s technical innovation included the use of the Solana blockchain and BitTorrent DHT for C2 operations, as well as leveraging legitimate web services like Google Calendar for dead-drop communication. This approach provided multiple layers of redundancy and made traditional takedown methods ineffective unless all channels were addressed simultaneously.
The campaign’s impact extended across the software development sector, with the potential to compromise thousands of downstream organizations through poisoned packages and repositories. The attackers’ focus on developers as high-value targets underscores the evolving threat landscape, where compromising the tools and processes of software creation can have far-reaching consequences.
Mitigation & Workarounds
The following mitigation and remediation steps are prioritized by severity:
Critical: Immediately review network logs and endpoint telemetry for connections to 164.92.88[.]210, the IP address CrowdStrike operates following the takedown. Any host that contacted it should be treated as infected: isolate it, investigate it, and reimage it rather than clean it in place, since GlasswormRAT installs SOCKS proxies and hidden VNC clients for persistent access. Rotate every credential and token that was reachable from the host, especially those for npm, GitHub, OpenVSX, and crypto-wallets (move funds from any wallet exposed on an infected host to freshly generated keys), and review the audit logs of those accounts for publishes, pushes, or token creation the owner does not recognise.
High: Audit installed extensions in VSCode and in the other editors GlassWorm reached (Cursor, Positron, Windsurf, VSCodium), together with installed npm and Python packages, and remove anything unrecognised or unauthorised; treat a package whose install scripts fetch or decode code as hostile until proven otherwise. Verify the integrity of code repositories by comparing each default branch against a known-good commit and reviewing recent history for unauthorised commits or force-pushes, bearing in mind that a force-push rewrites history and does not show up as an ordinary new commit.
Medium: Enforce MFA and least-privilege access on all developer accounts, registries, and code repositories; protect default branches against force-pushes; prefer scoped, short-lived publishing tokens; and install dependencies with lifecycle scripts disabled where the build permits (npm install --ignore-scripts, and prebuilt wheels rather than source distributions for Python, since wheels do not execute setup.py). Monitor for unusual activity, such as unexpected package updates, new publishes, or repository modifications.
Low: Educate developers and IT staff about the risks of supply chain attacks and the importance of verifying the authenticity of extensions and packages before installation. Encourage the use of security tools that can detect anomalous behavior in developer environments.
Detection alone is insufficient, as malicious packages can be installed rapidly and may evade traditional security controls. Proactive measures, including regular audits, credential hygiene, and network monitoring, are essential to mitigate the risk of future supply chain attacks.
References
CrowdStrike Official Blog: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
ComputerWeekly News Report: https://www.computerweekly.com/news/366643675/Glassworm-botnet-that-targeted-OS-devs-smashed-to-pieces
Anomali Threat Research: https://www.anomali.com/blog/anomali-cyber-watch-robot-malware-suite-glassworm-vidar-stealer-2-0
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain. Our platform enables continuous visibility into vendor dependencies, package integrity, and ecosystem exposures, supporting proactive detection and response to supply chain threats. For questions or further guidance, contact us at ops@rescana.com.



