Cybersecurity Alliance: CrowdStrike and Google Dismantle Glassworm Botnet Targeting Developers

TL;DR
- CrowdStrike, with Google and the Shadowserver Foundation, says it dismantled the Glassworm botnet by taking down all four of its command-and-control channels at once.
- Glassworm had been targeting software developers since at least early 2025, using trojanized extensions, compromised packages, and stolen credentials to poison open-source supply chains.
- The takedown stops new payload delivery, but defenders are still being urged to hunt for infections using CrowdStrike’s IP indicator and YARA rules.
CrowdStrike and Google have disrupted the Glassworm botnet, a supply-chain threat that was used to infect open-source software projects and developers’ environments with malware. The operation cut off the botnet’s operators from their infrastructure, but security teams are still being told to look for signs of compromise across developer systems and package pipelines.
A coordinated strike against a resilient botnet
CrowdStrike said the takedown was carried out on May 26, 2026, in collaboration with Google and the Shadowserver Foundation. The operation hit all four of Glassworm’s command-and-control channels at the same time, which mattered because the botnet was built to survive partial disruption and quickly rebuild if only one channel was removed.
According to CrowdStrike, those communication layers included the Solana blockchain, BitTorrent’s distributed hash table, Google Calendar, and traditional virtual private servers. By severing all four simultaneously, the defenders cut off infected machines from new instructions and prevented the operators from pushing fresh malicious payloads.
How Glassworm targeted the software supply chain
Glassworm was aimed squarely at software developers, a group that can unintentionally become a gateway into many downstream organizations. CrowdStrike said the campaign used trojanized VS Code extensions, compromised npm and Python packages, and stolen developer credentials to gain access to code repositories and delivery pipelines.
Researchers say the operators poisoned more than 300 GitHub repositories and used that access to push malicious code into default branches. The malware also spread across Windows, macOS, and Linux systems, where it performed credential theft, information theft, and remote access functions through a Node.js-based payload called GlasswormRAT.
Why developers were such high-value targets
The significance of the campaign is not just that it hit individual developers, but that it weaponized their trusted access. CrowdStrike noted that compromising a single developer workstation can cascade into a broader supply-chain compromise affecting thousands of users and companies downstream.
That is what makes attacks like Glassworm especially dangerous: they do not merely break into one environment; they aim to contaminate the software that many other teams depend on. In practice, that means a developer who installs a malicious extension or package may unknowingly seed infections across internal builds, CI/CD systems, and customer deployments.
What organizations should do now
CrowdStrike said infected machines now beacon to a benign CrowdStrike-operated IP address, 164.92.88[.]210, which can help organizations identify possible compromises in logs and endpoint telemetry. The company also published YARA rules intended to help confirm infections on affected hosts.
For defenders, the immediate priority is to check developer endpoints, build systems, package registries, and GitHub activity for anomalies tied to the campaign. Because Glassworm used stolen credentials and multiple delivery paths, a clean network perimeter alone is not enough to rule out exposure.
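One concrete way to act on the sinkhole indicator above is to sweep egress logs for any host that contacted it. The script below is an added example written for this article, not CrowdStrike's tooling; the only value taken from the page is the sinkhole address 164.92.88[.]210. The log line format, the hostnames and the sample entries are constructed for the demonstration, and a real hunt would point `find_sinkhole_contacts` at the organization's own firewall or proxy export.

```python
"""Hunt for hosts beaconing to the CrowdStrike-operated sinkhole published for Glassworm.

Added example, not CrowdStrike's tooling. The sinkhole address is the one quoted in the
article; the log format and the sample lines below are constructed for this demo.
"""
import ipaddress
import re
from collections import defaultdict

# Defanged indicator exactly as published in the article (page-sourced value).
SINKHOLE_DEFANGED = "164.92.88[.]210"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '164.92.88[.]210' into its routable form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


SINKHOLE_IP = ipaddress.ip_address(refang(SINKHOLE_DEFANGED))

# Constructed firewall/proxy log lines (not real telemetry). Fields: ts src dst dport action
SAMPLE_LOGS = """\
2026-05-27T08:01:12Z src=10.10.4.21 dst=142.250.74.46 dport=443 action=allow
2026-05-27T08:01:15Z src=10.10.4.21 dst=164.92.88.210 dport=443 action=allow
2026-05-27T08:02:40Z src=10.10.7.9 dst=164.92.88.210 dport=8080 action=deny
garbage line that a parser must not choke on
2026-05-27T08:03:02Z src=10.10.4.21 dst=164.92.88.210 dport=443 action=allow
2026-05-27T08:05:55Z src=10.10.9.3 dst=104.16.0.1 dport=443 action=allow
"""

# Assumed key=value line layout; adapt this pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def find_sinkhole_contacts(log_text: str, sinkhole=SINKHOLE_IP):
    """Return {src_host: [(timestamp, dport, action), ...]} for every source that
    contacted the sinkhole. A denied connection still counts: the host *tried* to
    beacon, and that attempt is the infection signal regardless of the outcome."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort a long hunt
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # non-IP destination field (e.g. a hostname); not what we match on
        if dst == sinkhole:
            hits[m["src"]].append((m["ts"], int(m["dport"]), m["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(find_sinkhole_contacts(SAMPLE_LOGS).items()):
        print(f"{host}: {len(events)} contact(s) with sinkhole {SINKHOLE_IP}")
        for ts, port, action in events:
            print(f"    {ts}  tcp/{port}  {action}")
```

Every host the sweep returns should be treated as a candidate infection and confirmed on the endpoint with the published YARA rules; a hit on a build agent or CI runner also warrants reviewing what that identity pushed to repositories and registries, since the article notes the campaign used stolen developer credentials to poison default branches.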
Why this takedown matters beyond Glassworm
The operation underscores a broader shift in software supply-chain attacks: adversaries are increasingly targeting the people and tools that build software, not just the software itself. Adam Meyers of CrowdStrike described the takedown as a warning sign for every organization that ships or consumes code, because the developer is now a primary entry point for attackers.
Even with the botnet disrupted, the underlying risk remains. Open-source ecosystems depend on trust, fast reuse, and automated delivery, which makes them attractive targets when attackers want scale, persistence, and downstream reach.