CrowdStrike has announced the takedown of the command-and-control (C&C) infrastructure behind the Glassworm botnet that targeted software developers via the open-source software supply chain. The coordinated operation disrupted all four of Glassworm’s communication channels at the same time, cutting operators off from infected systems and stopping them from delivering new malware.
Active since at least early 2025, the Glassworm campaign targeted developers with access to source code repositories, cloud environments, CI/CD pipelines, and software package registries. Attackers spread malware through trojanized VSCode extensions uploaded to the OpenVSX marketplace. The fake extensions were disguised as common developer tools such as code formatters and time trackers and affected not only VSCode, but also Cursor, Positron, Windsurf, VSCodium, and other editors.
The operation leveraged compromised npm and Python packages that executed malicious code during installation through postinstall hooks and setup scripts. In addition, more than 300 GitHub repositories were poisoned using stolen developer credentials from previous infections, allowing attackers to push malicious code directly into default branches.
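The install-time hooks mentioned above are the mechanism worth checking for in your own dependency trees. The following script is an added example, not code from CrowdStrike or from the Glassworm research: it walks a `node_modules` tree, reports every package that declares an npm lifecycle script that runs during installation, and emits the `.npmrc` setting that stops npm from running such scripts unreviewed. The package names and the sample tree it builds are constructed for the demonstration; the only assumption about real input is the standard `node_modules/<pkg>/package.json` layout.

```python
"""Audit a dependency tree for npm install-time lifecycle scripts.

Added example (not CrowdStrike's or the Glassworm research's code).
Assumption: the tree uses the standard node_modules/<pkg>/package.json
layout (scoped packages under node_modules/@scope/<pkg>). The sample
packages below are constructed so the script runs offline.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically during `npm install` unless
# ignore-scripts is set. `prepare` fires for the root project and git
# dependencies; the other three fire for registry dependencies too.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root):
    """Return [(package_name, hook_name, command), ...] for every package.json
    under `root` that declares an install-time lifecycle script."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or manifest.parent.name
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree with one package that has only a
    test script and one that carries a postinstall hook; return its root."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    packages = {
        "left-pad-clone": {"name": "left-pad-clone", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}},
        "@acme/formatter": {"name": "@acme/formatter", "version": "2.3.1",
                            "scripts": {"postinstall": "node ./setup.js"}},
    }
    for pkg, manifest in packages.items():
        pkg_dir = root / "node_modules" / pkg
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def recommended_npmrc():
    """Project-level .npmrc that stops npm running dependency lifecycle
    scripts; re-enable per package only after the script has been reviewed."""
    return "ignore-scripts=true\n"


if __name__ == "__main__":
    root = build_sample_tree()
    for name, hook, cmd in find_install_hooks(root):
        print(f"{name}: {hook} -> {cmd}")
    print("suggested .npmrc:\n" + recommended_npmrc())
```

Run it against a real checkout by replacing the sample root with the project directory; each reported hook is a command that will execute on every developer machine and CI runner that installs the package, so it is the list to review before trusting a fresh install. Python's `setup.py` has the same property (it is arbitrary code executed at install time), which is why the page groups the two vectors together.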
Glassworm targeted Windows, macOS, and Linux systems. It included tools for information theft, credential harvesting, and remote access via a Node.js-based malware known as GlasswormRAT.
Researchers said the botnet was designed to survive traditional takedown efforts by using four separate communication methods, namely the Solana blockchain, the BitTorrent Distributed Hash Table, public calendar services, and direct server connections.
“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike explained.