
SecurityWeek


GlassWorm Botnet Disrupted

Security firms took down all four command-and-control (C&C) channels used by the GlassWorm malware.


The GlassWorm botnet that has been targeting the open source software ecosystem for over six months has been disrupted, cybersecurity firm CrowdStrike reports.

Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm’s four command-and-control (C&C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads.

The malware has used the Solana blockchain as its primary C&C resolution layer, with Google Calendar, the BitTorrent peer-to-peer network, and conventional servers hosted at commercial VPS providers serving as backup channels.

GlassWorm’s operators encoded C&C addresses in the memo fields of Solana transactions. Once a transaction is confirmed on-chain, its memo cannot be modified or deleted, so the pointer itself cannot be taken down; only the infrastructure it points to can.

The BitTorrent network was used to store configuration data that infected hosts looked up using hardcoded public keys, Google Calendar was used to store Base64-encoded C&C paths in event titles, and the conventional C&C servers hosted the payloads themselves.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C&C servers behind multiple layers of indirection,” CrowdStrike notes.


Taking down all four channels at the same time was the point: removing any one of them would have left the others to resolve a fresh address, whereas severing all of them simultaneously cut the operators off from the infected machines and from any ability to deliver new instructions.

First spotted in October 2025, GlassWorm hides its code using Unicode variation selectors: the malicious payload is encoded in these code points, which most code editors render as nothing, so the code is invisible to a human reviewing the file even though it is present in the bytes on disk.
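To make that technique concrete, here is an added example (not code from GlassWorm or from the reporting) that encodes a payload into variation selectors, recovers it the way a loader that reads its own source would, and scans a source file for the tell-tale runs of selectors that a reviewer cannot see. The byte-to-selector mapping and the sample source lines are assumptions for the demo, not the malware's actual scheme.

```python
"""Hiding bytes in Unicode variation selectors, and finding them.

Added illustrative example; it is not GlassWorm's code, and the
byte-to-selector mapping is an assumption for the demo, not the mapping
the malware uses. The point it shows: the 256 variation selectors
(VS1-VS16 at U+FE00-U+FE0F, VS17-VS256 at U+E0100-U+E01EF) render as
nothing in most editors, so a payload encoded in them is invisible on
screen but trivially recovered by a loader that reads its own source.
"""
import re
from typing import List, Optional, Tuple


def byte_to_vs(b: int) -> str:
    """Map one byte to a variation selector (assumed demo mapping)."""
    if not 0 <= b <= 255:
        raise ValueError("byte out of range")
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + (b - 16))


def vs_to_byte(ch: str) -> Optional[int]:
    """Inverse of byte_to_vs; None for any character that is not a selector."""
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None


def hide(payload: bytes, carrier: str) -> str:
    """Append the payload to visible carrier text as invisible selectors."""
    return carrier + "".join(byte_to_vs(b) for b in payload)


def reveal(text: str) -> bytes:
    """What a loader does: collect every selector in the text and decode it."""
    return bytes(b for b in (vs_to_byte(ch) for ch in text) if b is not None)


# Two or more selectors in a row never serve a rendering purpose: a legitimate
# selector is a single code point following an emoji or a CJK ideograph.
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]{2,}")


def scan_source(source: str, min_run: int = 4) -> List[Tuple[int, int]]:
    """Return (line_number, run_length) for every run of >= min_run selectors."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in VS_RUN.finditer(line):
            if len(m.group()) >= min_run:
                findings.append((lineno, len(m.group())))
    return findings


# Constructed sample: a benign line (one selector after a heart emoji, which is
# how emoji presentation is normally requested) and a line that carries hidden
# code after an innocent-looking statement. Both lines look harmless on screen.
HIDDEN_PAYLOAD = b"console.log(1)"
SAMPLE_SOURCE = (
    "const heart = '\u2764\uFE0F';\n"
    + hide(HIDDEN_PAYLOAD, "const config = {};")
    + "\n"
)


def demo() -> List[Tuple[int, int]]:
    """Scan the sample: the hidden line is reported, the emoji line is not."""
    findings = scan_source(SAMPLE_SOURCE)
    for lineno, run in findings:
        print(f"line {lineno}: {run} consecutive variation selectors")
    return findings


if __name__ == "__main__":
    demo()
```

Note that `reveal` over the whole sample would also pick up the single selector on the emoji line, which is why a real loader brackets its payload with a marker; the scanner deliberately ignores single selectors so ordinary emoji and CJK text do not trigger it, and a run of four or more is worth a manual look in any extension or package under review.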

The self-propagating malware was initially distributed through trojanized Visual Studio Code (VS Code) extensions published on the Open VSX marketplace. In November 2025 it also surfaced in GitHub repositories.

In 2026, GlassWorm attacks continued to target VS Code developers and other open source software ecosystems; in March, multiple Python projects on PyPI were compromised.

“The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts,” CrowdStrike says.

GlassWorm is designed to steal sensitive information, such as npm, GitHub, and Git credentials, and to drain funds from dozens of cryptocurrency wallet extensions. It also deploys SOCKS proxy servers and hidden VNC servers that give the operators remote access to infected machines.

Because the operators held stolen developer credentials, there was an ongoing risk of high-impact supply chain compromises reaching well beyond the victim developers: every consumer of the software those developers maintain, including enterprises and other organizations, was also exposed to compromise.

According to CrowdStrike, evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system locale and avoids infecting machines in Commonwealth of Independent States (CIS) countries, and its code contains Russian-language comments.

“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike notes.

In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected machines to beacon to the benign sinkhole IP address 164.92.88[.]210. Organizations are advised to search firewall, proxy, and network connection logs for traffic to this address; any developer workstation or build agent that matches has run GlassWorm, and the credentials and tokens stored on it should be treated as exposed and rotated.
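The following added example (not CrowdStrike's tooling) shows one way to run that check over Zeek conn.log-style connection records and to turn raw matches into a per-host triage list. The column order and the log lines are constructed for the demo.

```python
"""Hunting for GlassWorm sinkhole beacons in connection logs.

Added example, not CrowdStrike's tooling. It reads Zeek conn.log-style
tab-separated records (the column order below is an assumption for the
demo, as are the sample lines) and reports every internal host that
connected to the sinkhole, with connection count and first/last seen,
so each hit can be triaged as a machine that ran GlassWorm.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Set

# Benign sinkhole the infected machines were redirected to (defanged in the
# article as 164.92.88[.]210). A set, so further indicators can be added.
SINKHOLE_IPS: Set[str] = {"164.92.88.210"}

# Assumed column order for the sample records.
COLUMNS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto")

# Constructed sample log: two hosts beacon to the sinkhole, one does not,
# plus a comment line and a malformed line that a parser must tolerate.
SAMPLE_CONN_LOG = """\
# constructed Zeek-style conn log
1718000000.1\t10.0.5.21\t51234\t140.82.112.3\t443\ttcp
1718000060.4\t10.0.5.21\t51240\t164.92.88.210\t443\ttcp
1718000120.9\t10.0.7.8\t40001\t164.92.88.210\t80\ttcp
malformed line without enough columns
1718000180.0\t10.0.5.21\t51250\t164.92.88.210\t443\ttcp
1718000240.2\t10.0.9.14\t33000\t8.8.8.8\t53\tudp
"""


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one record into named fields; None for comments or short lines."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) < len(COLUMNS):
        return None
    return dict(zip(COLUMNS, fields))


def find_sinkhole_beacons(
    lines: Iterable[str], sinkholes: Set[str] = SINKHOLE_IPS
) -> Dict[str, dict]:
    """Aggregate connections to any sinkhole address per source host."""
    hits: Dict[str, dict] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["resp_h"] not in sinkholes:
            continue
        try:
            ts = float(rec["ts"])
        except ValueError:
            continue  # unparsable timestamp; skip rather than crash the hunt
        entry = hits.setdefault(
            rec["orig_h"],
            {"count": 0, "first_seen": ts, "last_seen": ts, "resp_ports": set()},
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["resp_ports"].add(rec["resp_p"])
    return hits


def report(hits: Dict[str, dict]) -> None:
    """Print one triage line per infected host, oldest contact first."""
    for host, e in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"]):
        first = datetime.fromtimestamp(e["first_seen"], tz=timezone.utc).isoformat()
        last = datetime.fromtimestamp(e["last_seen"], tz=timezone.utc).isoformat()
        ports = ",".join(sorted(e["resp_ports"]))
        print(f"{host}: {e['count']} sinkhole connection(s), ports {ports}, "
              f"first {first}, last {last}")


if __name__ == "__main__":
    report(find_sinkhole_beacons(SAMPLE_CONN_LOG.splitlines()))
```

To use it on real data, adjust `COLUMNS` to your log's field order (Zeek's conn.log header names the fields) and feed the file line by line; the first-seen timestamp bounds how long the host was under the operators' control and therefore which credentials and builds from that period need review.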

“As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems,” CrowdStrike notes.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
