HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Coordinated Takedown Neutralizes Glassworm Botnet Targeting Developers’ Supply Chains

On 26 May 2026, CrowdStrike, Google, and Shadowserver disabled all C2 channels of the Glassworm botnet, which had been compromising developers via poisoned npm packages, malicious IDE extensions, and compromised GitHub repos. The operation highlights the growing risk of supply‑chain attacks on development ecosystems and the need for robust third‑party risk controls.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Coordinated Takedown Neutralizes Glassworm Botnet Targeting Developers’ Supply Chains

What Happened – On 26 May 2026, CrowdStrike’s Counter‑Adversary Operations team, together with Google and the Shadowserver Foundation, simultaneously disabled all four command‑and‑control (C2) channels used by the Glassworm botnet. The operation halted a malware‑as‑service platform that had been compromising software developers through poisoned npm packages, malicious VS Code extensions, and compromised GitHub repositories since early 2025.

Why It Matters for TPRM

  • Supply‑chain compromises of development tools give threat actors unfettered access to source code, cloud credentials, and CI/CD pipelines across multiple downstream customers.
  • The use of resilient, multi‑layered C2 infrastructure (blockchain, BitTorrent DHT, Google Calendar) demonstrates a new level of sophistication that can evade traditional takedown methods.
  • A successful takedown shows the value of coordinated industry‑wide threat‑intel sharing and rapid response, a model TPRM programs should emulate when assessing third‑party risk.

Who Is Affected – Technology & SaaS vendors, cloud service providers, development tool marketplaces, and any organization that consumes open‑source packages or IDE extensions.

Recommended Actions

  • Review all third‑party development tools, IDE extensions, and package‑manager dependencies for provenance and integrity.
  • Enforce strict supply‑chain security controls (SBOMs, signed packages, automated dependency scanning).
  • Validate that vendors participate in threat‑intel sharing programs and have incident‑response capabilities for supply‑chain threats.

Technical Notes – Glassworm leveraged poisoned npm and Python packages, malicious OpenVSX extensions masquerading as legitimate tools, and compromised GitHub repos to deliver a stealthy dropper compiled with Zig. C2 resolution layers included immutable Solana blockchain memo fields, BitTorrent DHT entries, and Base64‑encoded paths hidden in Google Calendar event titles, all feeding payloads from traditional VPS servers. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192749/cyber-crime/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →