HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Glassworm Botnet Disrupted After Multi‑Channel C2 Takedown Halts Developer‑Targeted Supply‑Chain Attacks

Researchers from CrowdStrike, Google, and Shadowserver dismantled the resilient C2 infrastructure of the Glassworm botnet, ending its ability to deliver malicious VS Code extensions that stole crypto wallets and developer credentials. The operation highlights the need for rigorous third‑party extension vetting and monitoring of unconventional C2 channels.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Glassworm Botnet Disrupted After Multi‑Channel C2 Takedown Halts Developer‑Targeted Supply‑Chain Attacks

What Happened — Researchers from CrowdStrike, Google, and the Shadowserver Foundation jointly dismantled the four‑layer command‑and‑control (C2) infrastructure used by the Glassworm botnet. The botnet, which had been abusing malicious VS Code and OpenVSX extensions to steal cryptocurrency wallets and developer credentials, can no longer receive new instructions or payloads.

Why It Matters for TPRM

  • A supply‑chain threat that compromises development tools can propagate malicious code into any downstream product.
  • The botnet’s use of blockchain, BitTorrent DHT, and public calendar services illustrates how attackers can hide C2 traffic in legitimate, hard‑to‑block services.
  • Successful takedown shows the value of coordinated threat‑intel sharing; vendors must verify that their own tooling and CI/CD pipelines are not being leveraged as inadvertent C2 relays.

Who Is Affected — Software development firms, SaaS platforms, open‑source package registries (e.g., npm, OpenVSX), and any organization that integrates third‑party VS Code extensions.

Recommended Actions

  • Audit all third‑party extensions and plugins used in development environments.
  • Enforce strict code‑signing and provenance checks for VS Code extensions and npm packages.
  • Monitor blockchain transaction memos and public calendar events for anomalous patterns that could indicate dead‑drop activity.
  • Verify that your CSP and endpoint security solutions can detect non‑traditional C2 channels.

Technical Notes — The botnet leveraged four C2 channels: (1) Solana blockchain memo fields, (2) BitTorrent Distributed Hash Table, (3) Google Calendar event titles, and (4) traditional VPS‑hosted servers. Malicious extensions harvested cryptocurrency wallet seeds and developer credentials. No CVE was directly involved; the threat relied on abuse of legitimate services. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →