CrowdStrike and Google have blocked 'Glassworm,' a botnet targeting open-source software developers.

CrowdStrike has announced that it collaborated with Google and the Shadowserver Foundation on an operation to block Glassworm, a botnet that targets open-source software distribution networks. Glassworm is considered a threat capable of compromising developers' devices and credentials, with damage potentially spreading to downstream organizations and users.
Inside CrowdStrike's Takedown of a Developer-Targeting Botnet
CrowdStrike and Google take down botnet used by hackers to target open source software developers | TechCrunch
https://techcrunch.com/2026/05/27/crowdstrike-and-google-take-down-botnet-used-by-hackers-to-target-software-developers-in-supply-chain-attacks/
According to CrowdStrike, Glassworm attackers have been continuously targeting developers with access to source code repositories, cloud infrastructure, CI/CD pipelines, and package registries since at least early 2025. This is because a compromise on just one developer's device can have widespread impacts on numerous downstream organizations and users.

In attacks using Glassworm, malicious VS Code extensions were published on the OpenVSX Marketplace disguised as time management or code formatting tools. These extensions targeted not only VS Code but also Cursor, Positron, Windsurf, and VSCodium. Glassworm also embedded malicious code in npm and Python packages, using a mechanism to silently execute it during normal dependency installation. Furthermore, it is alleged that Glassworm used developer credentials stolen in previous infections to forcibly insert malicious code into the default branches of over 300 GitHub repositories.
Glassworm's infrastructure relied on four command-and-control (C2) paths: the Solana blockchain, BitTorrent's distributed hash table, Google Calendar, and a direct connection to a commercial VPS. CrowdStrike explained that all four paths had to be blocked simultaneously, because the attackers could recover if only one of them was stopped.

CrowdStrike assesses that the criminals behind Glassworm are likely based in Russia. As evidence, it cites the malware's check of the victim device's region, language settings, and time zone, terminating if the device appears to be located in a Commonwealth of Independent States country, as well as the presence of Russian-language comments in the source code.
As a network indicator for confirming infection, CrowdStrike explains that devices infected with Glassworm will communicate with a benign IP address (164.92.88.210) controlled by CrowdStrike's operation. If this communication appears in network logs or endpoint records, the device should be treated as infected with Glassworm and acted on immediately.
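The indicator above is simple enough to check directly against existing telemetry. The following script is an added example written for this article, not code from CrowdStrike or the original post: it parses two common log shapes (a Zeek-style conn.log TSV row and an iptables-style firewall syslog line), counts contacts to the published sinkhole address per internal source host, and returns the hosts that need triage. The log lines are constructed for the example; the field layouts are assumptions about what a given environment produces and should be adapted to local formats.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole address published in the CrowdStrike / TechCrunch reporting above.
SINKHOLE_IP = "164.92.88.210"

# Constructed sample telemetry (not real data): two Zeek-style conn.log rows
# (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) followed by
# three iptables-style firewall syslog lines.
SAMPLE_LOGS = "\n".join([
    "1716800000.123\tC1a\t10.0.1.23\t51234\t164.92.88.210\t443\ttcp",
    "1716800001.456\tC2b\t10.0.1.45\t51235\t142.250.0.1\t443\ttcp",
    "May 27 10:02:11 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=164.92.88.210 PROTO=TCP SPT=51236 DPT=443",
    "May 27 10:02:12 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.0.2.9 DST=164.92.88.210 PROTO=TCP SPT=40000 DPT=80",
    "May 27 10:02:13 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.0.1.45 DST=1.1.1.1 PROTO=UDP SPT=40001 DPT=53",
])

# iptables-style "SRC=<ip> DST=<ip>" pairs (assumed log format).
_FW_RE = re.compile(r"\bSRC=(\S+)\s+DST=(\S+)")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Return (src_ip, dst_ip) for a recognised log line, else None."""
    m = _FW_RE.search(line)
    if m and _is_ip(m.group(1)) and _is_ip(m.group(2)):
        return m.group(1), m.group(2)
    fields = line.rstrip("\n").split("\t")
    # Zeek conn.log layout assumed: orig host at index 2, responder at index 4.
    if len(fields) >= 5 and _is_ip(fields[2]) and _is_ip(fields[4]):
        return fields[2], fields[4]
    return None


def find_sinkhole_contacts(lines, sinkhole: str = SINKHOLE_IP) -> dict:
    """Map each internal source host to its number of contacts with the sinkhole.

    Any host present in the result should be treated as an infection candidate
    and isolated for investigation, per the indicator described in the article.
    """
    hits = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if dst == sinkhole:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in sorted(find_sinkhole_contacts(SAMPLE_LOGS.splitlines()).items()):
        print(f"ALERT possible Glassworm infection: {host} contacted {SINKHOLE_IP} {count} time(s)")
```

The script deliberately matches on the destination address only, not on port or protocol, because the article gives no detail about which ports the implant uses; a hit on any port is reason to pull the host for investigation. In production the same logic would read from a SIEM export or a Zeek log file rather than the embedded sample.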
CrowdStrike emphasized that post-incident detection alone is insufficient against software supply chain attacks. Because a malicious package can be installed within seconds through a routine dependency update, it argued that the attack infrastructure itself must be proactively dismantled.
in Security, Posted by log1i_yk