CrowdStrike, Google Shut Down Glassworm Malware Operation

Open Source Supply Chain Attack Disrupted As CrowdStrike, Google And Shadowserver Shut Down Glassworm Botnet

CrowdStrike, Google and the Shadowserver Foundation disrupted the Glassworm botnet after attackers used compromised open-source packages, repositories and developer tools to spread malware and steal credentials.

CrowdStrike, working alongside Google and the Shadowserver Foundation, has disrupted the Glassworm botnet that targeted the open-source software supply chain through compromised developer tools, repositories, packages and extensions.

The coordinated operation shut down infrastructure used by the Glassworm cybercriminal group to distribute malware and steal credentials from software developers and organisations relying on open-source ecosystems.

According to CrowdStrike, Glassworm had targeted the broader open-source ecosystem for nearly two years using malicious software distribution campaigns. The attackers reportedly poisoned more than 300 GitHub repositories with malicious code while also abusing compromised NPM and Python packages to spread malware.

The campaign additionally involved trojanised VS Code extensions published on the Open VSX marketplace, exposing developers to credential theft and system compromise.

The attackers used malvertising campaigns, sponsored search result manipulation and fake software downloads to trick victims into installing infected packages and tools.

CrowdStrike said the disruption operation took down four command-and-control (C2) channels used by the group, significantly reducing attacker access to infected systems and preventing further malware distribution.

CrowdStrike attributed the Glassworm operation to a Russia-based cybercriminal group.

The takedown reflects the growing cybersecurity threat facing the open-source software supply chain, as threat actors increasingly target developer infrastructure, repositories and package ecosystems to compromise downstream organisations.
