Coordinated Takedown Neutralizes Glassworm Botnet Targeting Developers’ Supply Chains
What Happened – On 26 May 2026, CrowdStrike’s Counter‑Adversary Operations team, together with Google and the Shadowserver Foundation, simultaneously disabled all four command‑and‑control (C2) channels used by the Glassworm botnet. The operation halted a malware‑as‑service platform that had been compromising software developers through poisoned npm packages, malicious VS Code extensions, and compromised GitHub repositories since early 2025.
Why It Matters for TPRM –
- Supply‑chain compromises of development tools give threat actors unfettered access to source code, cloud credentials, and CI/CD pipelines across multiple downstream customers.
- The use of resilient, multi‑layered C2 infrastructure (blockchain, BitTorrent DHT, Google Calendar) demonstrates a new level of sophistication that can evade traditional takedown methods.
- A successful takedown shows the value of coordinated industry‑wide threat‑intel sharing and rapid response, a model TPRM programs should emulate when assessing third‑party risk.
Who Is Affected – Technology & SaaS vendors, cloud service providers, development tool marketplaces, and any organization that consumes open‑source packages or IDE extensions.
Recommended Actions –
- Review all third‑party development tools, IDE extensions, and package‑manager dependencies for provenance and integrity.
- Enforce strict supply‑chain security controls (SBOMs, signed packages, automated dependency scanning).
- Validate that vendors participate in threat‑intel sharing programs and have incident‑response capabilities for supply‑chain threats.
Technical Notes – Glassworm leveraged poisoned npm and Python packages, malicious OpenVSX extensions masquerading as legitimate tools, and compromised GitHub repos to deliver a stealthy dropper compiled with Zig. C2 resolution layers included immutable Solana blockchain memo fields, BitTorrent DHT entries, and Base64‑encoded paths hidden in Google Calendar event titles, all feeding payloads from traditional VPS servers. Source: Security Affairs