HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

GlassWorm Malware Infrastructure Disrupted, Halting Supply‑Chain Attack on Software Developers

CrowdStrike, Google, and Shadowserver have taken down all command‑and‑control servers used by the GlassWorm campaign, which has been delivering malicious packages to developers since early 2025. The takedown prevents further compromise of software supply chains, a critical concern for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

GlassWorm Malware Infrastructure Disrupted, Halting Supply‑Chain Attack on Software Developers

What Happened – CrowdStrike, together with Google and the Shadowserver Foundation, seized and disabled every known command‑and‑control (C2) server used by the GlassWorm campaign. The operation stops a persistent supply‑chain threat that has been delivering malicious packages and extensions to software developers since early 2025.

Why It Matters for TPRM

  • Supply‑chain compromises can cascade to dozens of downstream customers and partners.
  • Malicious developer tools bypass many traditional security controls, exposing organizations to credential theft, data exfiltration, and ransomware.
  • A coordinated takedown demonstrates the value of shared threat intel and rapid response across the ecosystem.

Who Is Affected – Technology & SaaS firms, software development houses, open‑source package registries, and any organization that integrates third‑party libraries or IDE extensions.

Recommended Actions

  • Review all third‑party libraries, plugins, and build‑tool dependencies for unexpected changes.
  • Enforce strict provenance checks (e.g., signed packages, SBOM verification).
  • Validate that your development vendors have active monitoring for supply‑chain threats and incident‑response playbooks.

Technical Notes – The GlassWorm actors leveraged compromised developer accounts to publish malicious npm, PyPI, and VS Code extensions. The C2 infrastructure relied on fast‑flux DNS and cloud‑hosted servers. No specific CVE was cited; the attack vector was a third‑party dependency compromise. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →