CrowdStrike and Google Unite to Dismantle Glassworm Botnet Targeting Open Source Developers

TL;DR
- CrowdStrike, Google, and the Shadowserver Foundation disrupted the Glassworm botnet by taking down all four of its command-and-control channels at the same time.
- Glassworm had targeted open-source developers and software supply chains using malicious packages, trojanized extensions, and stolen credentials.
- The takedown cuts off new payload delivery, but security teams are being urged to check for signs of compromise, including connections to the benign IP address that infected machines are now being directed to contact.
A coordinated takedown against a resilient botnet
CrowdStrike says it has dismantled the Glassworm botnet in a coordinated operation with Google and the Shadowserver Foundation, stripping the operators of access to infrastructure used to infect open-source software projects since early 2025. The action targeted all four of Glassworm’s command-and-control channels simultaneously, a step CrowdStrike said was necessary because taking down only one channel would have allowed the operators to quickly rebuild access.
The operation is notable because Glassworm was designed to be difficult to kill. Its infrastructure used layered communication paths, including the Solana blockchain, BitTorrent’s peer-to-peer network, Google Calendar, and virtual private servers hosted by commercial providers. CrowdStrike described the setup as a resilient system of indirection meant to hide the real C2 servers behind multiple layers.
How Glassworm operated
Glassworm was used in malicious campaigns aimed at software developers across the open-source ecosystem, with activity reported since at least early 2025. According to the reporting, the campaign poisoned open-source packages, distributed trojanized coding extensions, and abused stolen credentials tied to code repositories.
The botnet’s design made traditional takedown efforts less effective. Researchers said the operators relied on four separate communication methods: blockchain-based dead drops, peer-to-peer retrieval, public calendar services, and direct server connections. Because each channel could stand in for the others, removing one would only have pushed the operators onto a surviving path, and the mix of public and distributed services helped obscure the true infrastructure behind the campaign.
Why the takedown mattered
CrowdStrike said the coordinated strike severed the operators from infected machines and blocked their ability to deliver new malicious payloads. By disrupting all four channels at once, the defenders prevented the attackers from simply shifting to a surviving path and reconstituting operations.
The public messaging from CrowdStrike also suggests the broader goal was not only disruption, but containment. Adam Meyers, the company’s senior vice president of counter adversary operations, said the operation slowed the attackers’ momentum and cut off the critical services they relied on to scale. In practice, that means fewer opportunities for the threat actors to continue spreading malware through developer tooling and package ecosystems.
What developers and companies need to know
The Glassworm campaign is another reminder that open-source software supply chains remain a high-value target for cybercriminals. Developers often have access to source code repositories, CI/CD pipelines, cloud environments, and package registries, making them attractive entry points for attackers seeking broader access to corporate networks.
Security teams were advised to look for signs of compromise in network logs and endpoint telemetry. One reported indicator is traffic to the benign IP address 164.92.88[.]210, which CrowdStrike said infected machines are now being instructed to contact. The address itself is harmless, but a host has no reason to reach it unless Glassworm is installed, so any match is treated as a sign of potential infection requiring immediate remediation. When searching, restore the defanged indicator (replace the [.] with a dot) and match the exact destination address rather than a substring, so that neighbouring addresses do not produce false hits.
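The kind of sweep described above, as an added example written for this page rather than code from CrowdStrike or the reporting: it takes the indicator exactly as published (defanged), restores it, and scans flow-log lines for flows whose destination equals that address. The key=value flow-log format and every line in SAMPLE_FLOW_LOG are constructed for illustration and are not real telemetry. The deliberately naive substring check is included only to show why exact address comparison matters.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator reported by CrowdStrike, copied as published (defanged form).
GLASSWORM_SINKHOLE_IOC = "164.92.88[.]210"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 164.92.88[.]210 back into a real address."""
    return ioc.replace("[.]", ".").replace("(.)", ".")


IOC_ADDRESS = ipaddress.ip_address(refang(GLASSWORM_SINKHOLE_IOC))

# Constructed sample flow log (NOT real telemetry): one flow per line, key=value fields.
# Lines 3 and 4 hold near-miss destinations; the last line is unparseable noise.
SAMPLE_FLOW_LOG = """\
ts=2025-05-02T10:14:03Z src=10.20.1.15 dst=164.92.88.210 dport=443 proto=tcp bytes=1204
ts=2025-05-02T10:14:09Z src=10.20.1.15 dst=142.250.72.46 dport=443 proto=tcp bytes=8800
ts=2025-05-02T10:15:31Z src=10.20.1.77 dst=164.92.88.21 dport=443 proto=tcp bytes=220
ts=2025-05-02T10:16:40Z src=10.20.1.77 dst=164.92.88.2100 dport=443 proto=tcp bytes=220
ts=2025-05-02T10:17:02Z src=10.20.2.9 dst=164.92.88.210 dport=80 proto=tcp bytes=512
ts=2025-05-02T10:17:12Z src=10.20.2.9 dst=164.92.88.210 dport=443 proto=tcp bytes=980
garbage line that does not parse
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow_line(line: str):
    """Parse one key=value flow record; return None if it lacks valid src/dst addresses."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "dst" not in fields:
        return None
    try:
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        # e.g. 164.92.88.2100 is not a valid address; skip rather than guess.
        return None
    return fields


def find_sinkhole_contacts(log_text: str, ioc=IOC_ADDRESS) -> dict:
    """Return {source_host: [timestamps]} for flows whose destination equals the IOC exactly."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is not None and rec["dst_ip"] == ioc:
            hits[rec["src"]].append(rec.get("ts", "?"))
    return dict(hits)


def naive_substring_hits(log_text: str, ioc: str = GLASSWORM_SINKHOLE_IOC) -> int:
    """The wrong way: a plain substring search also matches 164.92.88.2100."""
    needle = refang(ioc)
    return sum(1 for line in log_text.splitlines() if needle in line)


if __name__ == "__main__":
    for host, times in sorted(find_sinkhole_contacts(SAMPLE_FLOW_LOG).items()):
        print(f"{host}: {len(times)} flow(s) to {IOC_ADDRESS} at {', '.join(times)}")
    print("naive substring matches:", naive_substring_hits(SAMPLE_FLOW_LOG))
```

On the constructed log, the exact-match sweep flags two hosts (10.20.1.15 once, 10.20.2.9 twice) and ignores the 164.92.88.21 and 164.92.88.2100 lines, whereas the substring check counts four lines. Any host the exact sweep returns should be isolated and examined for the trojanized extensions and poisoned packages the campaign used.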
The larger fight over open-source trust
The Glassworm disruption fits a pattern that has become increasingly familiar in software supply-chain security: attackers abuse trusted developer tools and legitimate services to blend into normal activity. By using familiar platforms such as Google Calendar and distributed networks like BitTorrent and Solana, Glassworm made detection and disruption harder than with a conventional single-server botnet.
For companies that depend on open-source software, the case reinforces the need for stronger package vetting, extension review, credential hygiene, and telemetry that can spot unusual developer activity early. For the open-source community, it is another example of how defenders now have to fight not just malware, but the abuse of the infrastructure developers rely on every day.