
CrowdStrike, Google and the Shadowserver Foundation have dismantled the Glassworm botnet after it weaponised trusted developer tools, npm and Python packages, and GitHub repositories in a sophisticated open source supply chain campaign targeting software developers and CI/CD infrastructure.
A coordinated operation by CrowdStrike, Google and the Shadowserver Foundation has dismantled the Glassworm botnet, a sophisticated cyber campaign that targeted open source developers, poisoned more than 300 GitHub repositories and exploited trusted software development ecosystems to enable potential large-scale supply chain compromise.
The takedown, conducted on 26 May, simultaneously disrupted all four of Glassworm’s command-and-control (C2) channels, severing operators from their bot infrastructure and preventing further malware delivery.
The campaign ran for nearly 18 months and marked a significant shift in cyber threat activity, with attackers increasingly targeting developers themselves rather than only software products. CrowdStrike said compromised developer workstations could have enabled downstream compromise across thousands of organisations.
Glassworm targeted source code repositories, CI/CD pipelines, cloud platforms and package ecosystems across Windows, Linux and macOS environments. Attackers distributed trojanised VSCode extensions disguised as legitimate utilities such as code formatters and time trackers, while also abusing malicious npm and Python packages through post-install hooks and setup scripts.
Using stolen developer credentials, operators injected malicious code into at least 300 GitHub repositories.
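The npm post-install hooks and Python setup scripts described above are the points a defender can audit before a package is ever installed. The following is an added example, not code from CrowdStrike, Google, Shadowserver or the article; it parses a constructed `package.json` and a constructed `setup.py` (the package names, script paths and class names are made up for illustration) and reports install-time hooks that would execute code on a developer workstation or CI runner.

```python
import ast
import json

# npm lifecycle scripts that run automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# setuptools command classes whose subclasses run during a source install.
SETUPTOOLS_HOOK_CLASSES = {"install", "develop", "egg_info", "build_py"}

# Constructed sample inputs (not real packages): one hooked, one clean.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-formatter",
  "version": "1.0.0",
  "scripts": {"build": "tsc", "postinstall": "node ./scripts/setup.js"}
}"""
CLEAN_PACKAGE_JSON = '{"name": "example-clean", "scripts": {"test": "jest"}}'
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        install.run(self)

setup(name="example-tracker", version="0.1",
      cmdclass={"install": CustomInstall})
'''


def npm_install_hooks(package_json_text):
    """Return the lifecycle scripts in a package.json that run at install time."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_LIFECYCLE_HOOKS}


def _base_name(base):
    # Handle both `class X(install)` and `class X(setuptools.command.install.install)`.
    if isinstance(base, ast.Attribute):
        return base.attr
    return getattr(base, "id", None)


def setup_py_install_overrides(setup_py_text):
    """Statically find setuptools command overrides in a setup.py (no execution)."""
    tree = ast.parse(setup_py_text)
    subclasses = []
    cmdclass_keys = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _base_name(base)
                if name in SETUPTOOLS_HOOK_CLASSES:
                    subclasses.append((node.name, name))
        elif isinstance(node, ast.Call) and _base_name(node.func) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant):
                            cmdclass_keys.append(key.value)
    return {"subclasses": subclasses, "cmdclass": cmdclass_keys}


def audit(package_json_text=None, setup_py_text=None):
    """Produce human-readable findings for whichever manifests are supplied."""
    findings = []
    if package_json_text is not None:
        for name, cmd in npm_install_hooks(package_json_text).items():
            findings.append(f"npm lifecycle hook '{name}' runs: {cmd}")
    if setup_py_text is not None:
        overrides = setup_py_install_overrides(setup_py_text)
        for cls, base in overrides["subclasses"]:
            findings.append(f"setup.py class {cls} overrides setuptools '{base}' command")
        for key in overrides["cmdclass"]:
            findings.append(f"setup.py registers custom cmdclass for '{key}'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_PY):
        print("FLAG:", line)
    print("clean package findings:", audit(CLEAN_PACKAGE_JSON))
```

A hit is not proof of malice (many legitimate packages build native code at install time), but it tells the reviewer exactly which code runs with the installing user's privileges and therefore deserves a read. In CI, the same risk can be reduced at the tooling level with `npm install --ignore-scripts` and `pip install --only-binary=:all:`, so that lifecycle hooks and `setup.py` do not execute at all unless explicitly allowed.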
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said: “The most effective operations are layered: CrowdStrike struck all four of Glassworm’s command-and-control channels simultaneously – blockchain, peer-to-peer, and legitimate web services – taking down the connective tissue of the operation to create cascading operational pain.”
CrowdStrike said the operation demonstrated how coordinated disruption can counter increasingly resilient open source supply chain threats.