Developer-targeted, supply-chain attacks all the rage these days
# Incident Report: Glassworm Botnet Takedown
## Executive Summary
CrowdStrike, in collaboration with Google and the Shadowserver Foundation, executed a coordinated takedown of the "Glassworm" botnet, a developer-targeted supply chain worm. Operating since early 2025, the malware hid its malicious code behind invisible Unicode characters and ran a multi-layered C2 infrastructure (including the Solana blockchain and Google Calendar) to control infected developer environments. The operation neutralized all four C2 channels at the same moment, severing the attackers' control over infected hosts and redirecting their beacons to a benign sinkhole.
## Incident Details
- **Discovery Date:** October 2025 (initial discovery by Koi); takedown in May 2026
- **Incident Date:** Early 2025 – May 2026
- **Affected Organization:** Global developers (Multiple platforms)
- **Sector:** Software Development / Technology
- **Geography:** Global (Infections across Windows, macOS, and Linux)
## Timeline of Events
### Initial Access
- **Date/Time:** Early 2025
- **Vector:** Supply Chain Poisoning
- **Details:** The worm first targeted the OpenVSX marketplace for VS Code extensions, then spread to npm and PyPI packages.
### Lateral Movement
- **Mechanism:** Self-propagation via stolen credentials.
- **Details:** After compromising developer machines, the worm harvested GitHub credentials to poison over 300 additional repositories, automating its own spread through the software supply chain.
### Data Exfiltration/Impact
- **Impact:** Compromise of development environments across Windows, macOS, and Linux.
- **Data Stolen:** Credential harvesting (SSH keys, tokens, repository access), sensitive project data, and the conversion of infected machines into criminal proxy nodes.
### Detection & Response
- **Detection:** Initially spotted by security firm Koi in October 2025; later tracked by CrowdStrike Counter Adversary Operations.
- **Response:** Simultaneous takedown of all four C2 channels at 14:00 UTC on a Tuesday in May 2026; infected machines were redirected to a benign sinkhole.
## Attack Methodology
- **Initial Access:** Poisoned software packages (VS Code extensions, npm, PyPI).
- **Persistence:** Installation of "GlasswormRAT," a custom Node.js remote access tool.
- **Defense Evasion:** Use of invisible Unicode-based code injection to hide malicious logic from human reviewers.
- **Credential Access:** Automated harvesting of developer credentials and GitHub tokens.
- **Lateral Movement:** Self-propagation by modifying code in repositories the infected user has write-access to.
- **C2 Infrastructure:**
- **Solana Blockchain:** C2 addresses encoded in "memo" fields.
- **Google Calendar:** Dead-drop locations using Base64-encoded event titles.
- **BitTorrent DHT:** Decentralized configuration storage.
- **Traditional VPS:** Used for final stage payload delivery.
- **Impact:** Creation of a global proxy network and widespread supply chain contamination.
## Impact Assessment
- **Financial:** Massive costs associated with repository cleanup and potential downstream compromises of software users.
- **Data Breach:** High volume of developer credentials and source code access.
- **Operational:** Disruption of CI/CD pipelines and developer workflows.
- **Reputational:** Significant trust erosion in open-source marketplaces (OpenVSX, npm).
## Indicators of Compromise
- **Network Indicators:**
- `164.92.88[.]210` (Current benign sinkhole IP—existence of traffic here indicates past/present infection).
- **Behavioral Indicators:**
- Unexpected outbound connections to Solana RPC nodes.
- Google Calendar API calls from developer tooling, or to accounts the organization does not own.
- BitTorrent DHT traffic originating from development servers/workstations.
- Presence of invisible Unicode characters in source code files.
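The behavioral indicators above only become convincing when several of them fire for the same host. As an added example (not part of the original report, and not CrowdStrike's or Koi's tooling), the block below runs four toy rules over a constructed JSON-lines event format and then correlates hits per source host. The sinkhole address is the one the report gives; the Solana RPC hostnames and port 8899, the BitTorrent DHT port range 6881-6889 and the "non-browser user agent" heuristic for Calendar traffic are assumptions, and the sample events are constructed, not real telemetry.

```python
"""Added example: toy detections for the network behaviours listed above.

Not the report's, CrowdStrike's or Koi's code.  The JSON-lines event shape,
the Solana RPC hostnames/port, the DHT port range and the user-agent
heuristic are all assumptions; the sinkhole IP is the one the report gives."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

SINKHOLE_IPS = {"164.92.88.210"}                      # from the report
SOLANA_RPC_HOSTS = {                                  # assumption: public RPC endpoints
    "api.mainnet-beta.solana.com", "api.devnet.solana.com", "api.testnet.solana.com",
}
SOLANA_RPC_PORT = 8899                                # assumption: default Solana JSON-RPC port
DHT_PORTS = range(6881, 6890)                         # assumption: common BitTorrent defaults
BROWSER_UA_PREFIX = "Mozilla/"                        # assumption: anything else is a script


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    src: str
    detail: str


def parse_events(lines) -> list[dict]:
    """One JSON object per line; blank lines are skipped, garbage is an error."""
    events = []
    for n, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: not a JSON event") from exc
    return events


def evaluate(ev: dict) -> list[Alert]:
    """Apply every rule to one event; an event can trip more than one rule."""
    src = str(ev.get("src", "?"))
    dst = str(ev.get("dst_ip", ""))
    port = int(ev.get("dst_port", 0))
    proto = str(ev.get("proto", "")).lower()
    host = str(ev.get("host", "")).lower()
    path = str(ev.get("path", ""))
    ua = str(ev.get("user_agent", ""))
    alerts: list[Alert] = []
    if dst in SINKHOLE_IPS:
        alerts.append(Alert("glassworm-sinkhole-beacon", "critical", src,
                            f"beacon to sinkhole {dst}:{port}"))
    if host in SOLANA_RPC_HOSTS or port == SOLANA_RPC_PORT:
        alerts.append(Alert("solana-rpc-from-workstation", "high", src,
                            f"Solana RPC to {host or dst}:{port}"))
    if (host == "www.googleapis.com" and path.startswith("/calendar/")
            and not ua.startswith(BROWSER_UA_PREFIX)):
        alerts.append(Alert("calendar-api-non-browser", "medium", src,
                            f"Calendar API from user agent {ua!r}"))
    if proto == "udp" and port in DHT_PORTS:
        alerts.append(Alert("bittorrent-dht-from-workstation", "medium", src,
                            f"UDP to {dst}:{port}"))
    return alerts


def run(lines) -> list[Alert]:
    return [a for ev in parse_events(lines) for a in evaluate(ev)]


def correlate(alerts, threshold: int = 2) -> dict[str, set[str]]:
    """Hosts that tripped at least `threshold` distinct rules: the ones worth paging on."""
    rules_by_src: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        rules_by_src[a.src].add(a.rule)
    return {src: r for src, r in rules_by_src.items() if len(r) >= threshold}


# Constructed sample events (not real telemetry): 10.20.0.15 shows all four
# behaviours, 10.20.0.22 is a developer doing ordinary browser and npm work.
SAMPLE_EVENTS = [
    '{"ts":"2026-05-12T14:03:11Z","src":"10.20.0.15","dst_ip":"164.92.88.210","dst_port":443,"proto":"tcp","host":"","path":"","user_agent":""}',
    '{"ts":"2026-05-12T14:03:40Z","src":"10.20.0.15","dst_ip":"203.0.113.7","dst_port":443,"proto":"tcp","host":"api.mainnet-beta.solana.com","path":"/","user_agent":"node"}',
    '{"ts":"2026-05-12T14:04:02Z","src":"10.20.0.15","dst_ip":"203.0.113.9","dst_port":443,"proto":"tcp","host":"www.googleapis.com","path":"/calendar/v3/calendars/primary/events","user_agent":"node"}',
    '{"ts":"2026-05-12T14:04:30Z","src":"10.20.0.15","dst_ip":"198.51.100.44","dst_port":6881,"proto":"udp","host":"","path":"","user_agent":""}',
    '{"ts":"2026-05-12T14:05:00Z","src":"10.20.0.22","dst_ip":"203.0.113.9","dst_port":443,"proto":"tcp","host":"www.googleapis.com","path":"/calendar/v3/calendars/primary/events","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"}',
    '{"ts":"2026-05-12T14:05:10Z","src":"10.20.0.22","dst_ip":"203.0.113.50","dst_port":443,"proto":"tcp","host":"registry.npmjs.org","path":"/lodash","user_agent":"npm/10.0.0"}',
]

if __name__ == "__main__":
    found = run(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.src} {a.rule}: {a.detail}")
    for src, rules in correlate(found).items():
        print(f"likely infected: {src} ({len(rules)} distinct rules)")
```

The Solana and DHT rules will be noisy on a team that legitimately builds blockchain software or runs torrent clients; keep them as correlation signals with an allowlist rather than paging alerts, and treat any hit on the sinkhole rule as confirmed.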
## Response Actions
- **Containment:** Coordinated disruption of all four C2 channels simultaneously to prevent "reconstitution" of the botnet.
- **Eradication:** Neutralization of GlasswormRAT's ability to receive new payloads.
- **Recovery:** Redirection of botnet traffic to a CrowdStrike-controlled sinkhole so that affected organizations can be identified and notified.
## Lessons Learned
- **Target Shift:** Attackers are moving "left" in the lifecycle, targeting the developers themselves rather than the end-user products.
- **C2 Resilience:** Decentralized and blockchain-based C2 cannot be taken down one channel at a time; effective disruption requires tight coordination between private industry and non-profits such as the Shadowserver Foundation.
- **Invisible Code:** Standard code review processes are insufficient against Unicode-based obfuscation techniques.
## Recommendations
- **Source Code Integrity:** Implement automated scanners capable of detecting invisible Unicode characters and "homoglyph" attacks in code repositories.
- **Credential Hygiene:** Enforce MFA on all repository accounts, require signed commits, and rotate SSH keys and API tokens on a short schedule.
- **Network Monitoring:** Monitor developer workstations for unauthorized peer-to-peer (DHT) traffic or unusual API calls to cloud services like Google Calendar.
- **Supply Chain Verification:** Maintain a Software Bill of Materials (SBOM), and pin and verify all third-party dependencies.
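The "Invisible Code" lesson and the "Source Code Integrity" recommendation above both come down to one control: reject source that contains characters a reviewer cannot see. As an added example (not code from the report, and not CrowdStrike's or Koi's scanner), the block below walks a file code point by code point and flags Bidi controls, variation selectors, tag characters and other zero-width or format characters, and separately flags identifiers that mix scripts (the homoglyph case). The character classes are the author's own choices, the sample input is constructed, and the exit code makes it usable as a pre-commit or CI gate.

```python
"""Added example: flag invisible Unicode and mixed-script identifiers in source.

This is not code from the report, CrowdStrike or Koi; the character classes
below are the author's choices and SAMPLE is a constructed input."""
from __future__ import annotations

import re
import sys
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# Code points that render as nothing (or as an ordinary line break) in most
# editors and diff viewers.  None of them has a routine use in source code.
INVISIBLE_EXTRA = {0x00AD, 0x180E, 0x200B, 0x200C, 0x200D, 0x2028, 0x2029, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))  # LRE..RLO, LRI..PDI
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
TAG_CHARACTERS = set(range(0xE0000, 0xE0080))


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based
    col: int         # 1-based, counted in code points, not bytes
    codepoint: int
    kind: str


def classify(cp: int) -> str | None:
    """Return a finding kind for a suspicious code point, else None."""
    if cp in BIDI_CONTROLS:
        return "bidi-control"          # Trojan Source style visual reordering
    if cp in VARIATION_SELECTORS:
        return "variation-selector"    # invisible; a long run is a hidden payload
    if cp in TAG_CHARACTERS:
        return "tag-character"
    if cp in INVISIBLE_EXTRA or unicodedata.category(chr(cp)) == "Cf":
        return "invisible-format"
    return None


def scan_text(text: str) -> list[Finding]:
    """Walk the text code point by code point; a single leading BOM is tolerated."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if lineno == 1 and col == 1 and cp == 0xFEFF:
                continue
            kind = classify(cp)
            if kind is not None:
                findings.append(Finding(lineno, col, cp, kind))
    return findings


IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch: str) -> str:
    # unicodedata exposes no Script property; the first word of the character
    # name (LATIN, CYRILLIC, GREEK, ...) is a good enough stand-in here.
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_identifiers(text: str) -> list[str]:
    """Identifiers whose letters come from more than one script (homoglyph bait)."""
    hits: list[str] = []
    for match in IDENT_RE.finditer(text):
        ident = match.group()
        scripts = {script_of(c) for c in ident if c.isalpha()}
        if len(scripts) > 1 and ident not in hits:
            hits.append(ident)
    return hits


SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}


def scan_tree(root: Path) -> dict[str, list[Finding]]:
    """Scan every source file under root.  node_modules is deliberately included:
    that is where a poisoned dependency lives."""
    results: dict[str, list[Finding]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES or ".git" in path.parts:
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample, not a real artifact: line 2 carries four invisible
# variation selectors inside a string, line 3 hides two Bidi controls in a
# comment, line 4 uses Cyrillic U+0430 in place of Latin 'a'.
SAMPLE = (
    "const version = '1.2.3';\n"
    "const tag = 'x' + '\ufe00\ufe01\ufe0f\U000e0101';\n"
    "// check if admin \u202e } \u2066 // returns\n"
    "let p\u0430ssword = 'abc';\n"
)


def main(argv: list[str]) -> int:
    """Exit non-zero on any finding so this can gate a commit or a CI job."""
    if len(argv) < 2:
        results = {"<sample>": scan_text(SAMPLE)}
        print("mixed-script identifiers:", mixed_script_identifiers(SAMPLE))
    else:
        results = scan_tree(Path(argv[1]))
    for name, findings in results.items():
        for f in findings:
            print(f"{name}:{f.line}:{f.col}: U+{f.codepoint:04X} {f.kind}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a repository path to gate a commit, or with no arguments to see the sample findings. A real deployment needs an allowlist for the few legitimate cases (emoji presentation selectors in UI strings, a BOM on Windows-authored files), but an allowlist that is reviewed is far safer than a reviewer who never sees the character at all.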