Full Report
CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators’ access to infrastructure that helped threat actors infect hundreds of pieces of open-source software with malware since early 2025, the company said Tuesday. The coordinated effort involved the simultaneous takedown of four attacker-controlled servers that were designed to […] The post CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain appeared first on CyberScoop.
Analysis Summary
# Incident Report: Glassworm Botnet Disruption
## Executive Summary
CrowdStrike, in coordination with Google and Shadowserver, dismantled the "Glassworm" botnet, a sophisticated operation that infected over 300 open-source software repositories and hundreds of packages. Attributed to a Russia-based threat group, the botnet targeted developers to inject malware into software supply chains via npm packages, Python packages, and VSCode extensions. The disruption severed the botnet's command-and-control (C2) infrastructure across multiple unconventional channels, significantly raising the adversary's operational costs.
## Incident Details
- **Discovery Date:** Early 2025 (initial tracking); takedown announced May 2026.
- **Incident Date:** Active from early 2025 to May 2026.
- **Affected Organization:** Open-source ecosystem (specifically users of npm, PyPI, and GitHub).
- **Sector:** Technology / Software Development.
- **Geography:** Global footprint; threat actors likely based in Russia.
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing early 2025.
- **Vector:** Supply Chain Compromise / Typosquatting / Malicious Extensions.
- **Details:** Attackers uploaded poisoned VSCode extensions, npm packages, and Python packages. They also compromised or created 300+ GitHub repositories to host malicious code.
### Lateral Movement
- **Mechanism:** The botnet moved through "trusted developer workflows," leveraging CI/CD pipelines and cloud platforms to spread from individual developer environments to broader corporate infrastructures.
### Data Exfiltration/Impact
- **Impact:** Theft of source code, credentials, and environment secrets. Deployment of **GlasswormRAT** (Remote Access Tool) on Windows, macOS, and Linux systems.
### Detection & Response
- **Detection:** Identified through CrowdStrike counter-adversary operations tracking automated propagation patterns.
- **Response Actions:** Simultaneous takedown of four critical C2 servers. Disruption of multi-layered communication channels (Blockchain, P2P, and Google Calendar).
## Attack Methodology
- **Initial Access:** Infection of open-source package registries and development tools.
- **Persistence:** Use of GlasswormRAT for sustained access to infected developer machines.
- **Defense Evasion:** Use of legitimate services (Google Calendar, Solana blockchain) to hide C2 traffic.
- **Discovery:** Automated scanning of developer environments for source code and cloud credentials.
- **Lateral Movement:** Compromise of CI/CD pipelines to trigger downstream infections.
- **Exfiltration:** Standard data theft of sensitive development assets.
- **Impact:** Significant corruption of the open-source software supply chain.
## Impact Assessment
- **Financial:** High operational cost for affected organizations to audit and remediate poisoned dependencies.
- **Data Breach:** Hundreds of repositories compromised; undisclosed volume of developer credentials stolen.
- **Operational:** Disruption of development cycles and software release pipelines.
- **Reputational:** Eroded trust in common open-source registries (npm, PyPI).
## Indicators of Compromise
- **Network:** C2 traffic masquerading as API calls to `calendar[.]google[.]com` and Solana blockchain nodes.
- **File:** GlasswormRAT binaries (Cross-platform: Windows, macOS, Linux).
- **Behavioral:** High-volume automated commits to GitHub repositories from unauthorized or newly created accounts.
## Response Actions
- **Containment:** Coordinated takedown of four primary virtual private servers (VPS).
- **Eradication:** Removal of malicious packages from npm and PyPI; takedown of 300+ GitHub repositories.
- **Recovery:** Public release of IoCs to allow organizations to purge GlasswormRAT from internal networks.
## Lessons Learned
- **Sophisticated Obfuscation:** Threat actors are increasingly moving away from dedicated C2 IP addresses toward legitimate web services (such as Google Calendar) and decentralized infrastructure (blockchain/P2P), so that C2 traffic blends into allowed destinations and passes legacy firewalls.
- **Workflow Vulnerability:** The botnet proved that targeting the developer’s *tools* (VSCode extensions) is as effective as targeting the *code* itself.
## Recommendations
- **Pipeline Integrity:** Implement mandatory signing for all internal and external software dependencies.
- **Extension Sandboxing:** Restrict the installation of third-party IDE extensions to an approved list.
- **Network Monitoring:** Monitor developer workstations for unusual outbound traffic to blockchain gateways or non-standard P2P protocols.
- **Supply Chain Auditing:** Use Software Bill of Materials (SBOM) tools to verify the provenance of all open-source packages during the build phase.
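The Network Monitoring recommendation above, together with the Network and Behavioral indicators listed under Indicators of Compromise, describes three things a defender can look for in developer-workstation egress telemetry: traffic to `calendar.google.com` from something other than a browser, traffic to blockchain RPC gateways, and fan-out to many peers on non-standard ports. The script below is an added example, not code from CrowdStrike, CyberScoop or the report above. It assumes a simple whitespace-separated egress record format (timestamp, host, process, destination, port, bytes), a browser-process allowlist, a single gateway entry (Solana's well-known public mainnet RPC hostname; an organization would maintain its own list), and a fan-out threshold of three peers; the log lines are constructed for the example.

```python
"""Triage developer-workstation egress logs for Glassworm-style C2 patterns (example code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample egress records: timestamp host process destination port bytes.
# These are not real telemetry; IPs come from documentation ranges.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z ws-dev-01 chrome.exe calendar.google.com 443 1204
2025-03-01T09:00:05Z ws-dev-01 node.exe calendar.google.com 443 3310
2025-03-01T09:00:09Z ws-dev-01 node.exe api.mainnet-beta.solana.com 443 812
2025-03-01T09:01:00Z ws-dev-02 code.exe marketplace.visualstudio.com 443 55012
2025-03-01T09:01:10Z ws-dev-02 node.exe 203.0.113.10 41234 640
2025-03-01T09:01:11Z ws-dev-02 node.exe 203.0.113.11 41235 640
2025-03-01T09:01:12Z ws-dev-02 node.exe 198.51.100.7 41236 640
2025-03-01T09:02:00Z ws-dev-03 git.exe github.com 443 20480
"""

# Processes for which Google Calendar traffic is expected (assumption: tune per fleet).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox", "safari"}
CALENDAR_HOSTS = {"calendar.google.com"}
# Blockchain RPC gateways to watch. Solana's public mainnet endpoint is the one
# example entry here; a real deployment keeps its own list (assumption).
BLOCKCHAIN_GATEWAYS = {"api.mainnet-beta.solana.com"}
# Ports where outbound fan-out is normal and should not feed the P2P heuristic.
STANDARD_PORTS = {22, 53, 80, 123, 443}


@dataclass(frozen=True)
class Record:
    ts: str
    host: str
    process: str
    dest: str
    port: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    process: str
    detail: str


def parse_log(text: str) -> list[Record]:
    """Parse the six-field record format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit() or not parts[5].isdigit():
            continue
        ts, host, proc, dest, port, nbytes = parts
        records.append(Record(ts, host, proc, dest, int(port), int(nbytes)))
    return records


def triage(text: str, fan_out_threshold: int = 3) -> list[Finding]:
    """Apply the three heuristics and return de-duplicated findings in discovery order."""
    findings: list[Finding] = []
    fan_out: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in parse_log(text):
        # Calendar traffic is only expected from a browser; anything else is a C2 candidate.
        if r.dest in CALENDAR_HOSTS and r.process not in BROWSER_PROCESSES:
            findings.append(Finding("calendar-c2-candidate", r.host, r.process, r.dest))
        # Developer workstations rarely have a business reason to talk to chain RPC nodes.
        if r.dest in BLOCKCHAIN_GATEWAYS:
            findings.append(Finding("blockchain-gateway", r.host, r.process, r.dest))
        # Count distinct peers per (host, process) on non-standard ports for the P2P check.
        if r.port not in STANDARD_PORTS:
            fan_out[(r.host, r.process)].add(r.dest)
    for (host, proc), dests in sorted(fan_out.items()):
        if len(dests) >= fan_out_threshold:
            detail = f"{len(dests)} distinct peers on non-standard ports"
            findings.append(Finding("p2p-fan-out", host, proc, detail))
    # dict.fromkeys keeps first occurrence and drops repeats (Finding is hashable).
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host} {f.process}: {f.detail}")
```

On the constructed sample this yields three findings: the non-browser `node.exe` process on `ws-dev-01` reaching Google Calendar, the same process reaching the Solana RPC gateway, and `node.exe` on `ws-dev-02` fanning out to three peers on high ports, while the browser's calendar traffic, the VS Code marketplace download and the `git.exe` push to GitHub stay silent. The allowlists and threshold are the tuning surface; the point is that each heuristic keys on the process-to-destination pairing rather than on the destination alone, since the destinations themselves are legitimate services.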