Global Tech Giants Disrupt Glassworm Botnet Targeting Developers

A coordinated operation by global tech giants and cybersecurity researchers has successfully disrupted the Glassworm botnet, a resilient threat that targeted software developers for months. This marks a significant victory for software supply-chain security.

Operation Details

According to a blog post by CrowdStrike, security teams from CrowdStrike, Google, and The Shadowserver Foundation cut off the botnet operators' access to their command-and-control (C2) network. The operation required a simultaneous strike across four distinct digital channels that the hackers had designed to resist conventional takedown efforts.

How Glassworm Caught Developers Off Guard

Active since October 2025, Glassworm specifically targeted software developers to steal cryptocurrency wallets and sensitive credentials. The operators ran multiple attack waves, including malicious extensions distributed through the Microsoft VS Code Marketplace and OpenVSX. Dozens of dormant extensions on OpenVSX would only turn malicious after a software update. The attacks later expanded to GitHub repositories, with one campaign in March compromising over 400 software artifacts.


Resilient Infrastructure

Glassworm survived as long as it did because of its highly resilient infrastructure. Instead of a single central server, the botnet spread its communication channels across blockchain technology, peer-to-peer networks, and legitimate web services. Researchers had to hit all four channels simultaneously to dismantle it:

  • Solana blockchain: C2 server addresses encoded in the memo fields of blockchain transactions, creating immutable dead drops.
  • BitTorrent Distributed Hash Table (DHT): Configuration data retrieved by querying the decentralized DHT with hardcoded public keys.
  • Public calendar service: Google Calendar event titles used as dead-drop locations for Base64-encoded C2 paths.
  • Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers for final payload delivery.

Knocking out one or two channels would have been ineffective: the malware would automatically fail over to whichever channel was still live.
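As an added example (not code from the article or from the researchers' tooling), the following hunting script decodes Base64 content taken from the two dead-drop fields described above, Solana transaction memos and calendar event titles, and flags entries that decode to URL-like C2 paths. The sample entries are constructed for illustration and are not real Glassworm indicators.

```python
import base64
import binascii
import re

# Constructed samples (hypothetical, not Glassworm indicators): values as a
# hunting job might collect them from transaction memo fields and calendar
# event titles. Only the Base64-encoded URL/path entries should be flagged.
SAMPLES = [
    ("solana_memo", "gm"),
    ("solana_memo", base64.b64encode(b"https://203.0.113.10:8443/api/v1/beacon").decode()),
    ("calendar_title", "Dentist appointment"),
    ("calendar_title", base64.b64encode(b"/update/chk?id=7").decode()),
    ("calendar_title", "U29tZSBub3Rlcw=="),  # decodes to "Some notes": benign text
]

# Either an http(s) URL (optional port and path) or an absolute path,
# optionally followed by a query string.
C2_PATH_RE = re.compile(
    r"^(?:https?://[\w.\-]+(?::\d{1,5})?(?:/[\w.\-]*)*|(?:/[\w.\-]+)+)(?:\?\S*)?$"
)


def decode_dead_drop(text):
    """Return the decoded string when `text` is Base64 that yields printable ASCII, else None.

    Short strings are skipped because ordinary words (e.g. "gm") are valid
    Base64 alphabet and would otherwise decode to junk bytes.
    """
    stripped = text.strip()
    if len(stripped) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", stripped):
        return None
    padded = stripped + "=" * (-len(stripped) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def looks_like_c2_path(decoded):
    """True when the decoded text has the shape of a URL or an absolute path."""
    return bool(C2_PATH_RE.match(decoded))


def scan(entries):
    """Return (source, raw_value, decoded) for every entry that decodes to a C2-like path."""
    hits = []
    for source, raw in entries:
        decoded = decode_dead_drop(raw)
        if decoded and looks_like_c2_path(decoded):
            hits.append((source, raw, decoded))
    return hits
```

The printable-ASCII and shape checks keep ordinary words and benign encoded notes out of the results, so what remains is a short list worth correlating against the VPS hosts seen in direct connections.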
