Full Report
The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network. [...]
Analysis Summary
# Incident Report: Takedown of Glassworm Botnet Infrastructure
## Executive Summary
The Glassworm botnet, a sophisticated threat targeting developers and the software supply chain since late 2025, was disrupted through a coordinated international effort. The botnet utilized a resilient, multi-layered Command-and-Control (C2) architecture involving the Solana blockchain, BitTorrent DHT, and legitimate web services to resist takedowns. The operation successfully severed all four communication channels, effectively neutralizing the botnet's ability to issue commands or deliver payloads.
## Incident Details
- **Discovery Date:** October 2025 (Initial campaigns)
- **Incident Date:** Takedown occurred May 26, 2026
- **Affected Organization:** Global software developers (various companies)
- **Sector:** Technology / Software Development / Open Source Supply Chain
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025
- **Vector:** Malicious extensions and packages.
- **Details:** Attackers uploaded malicious extensions to OpenVSX and Microsoft VS Code registries, later expanding to GitHub and npm.
### Lateral Movement
- **Details:** The malware functioned as a self-spreading botnet, targeting developers to gain access to broader software supply chains and developer environments.
### Data Exfiltration/Impact
- **Details:** Primarily focused on the theft of cryptocurrency wallets and developer credentials (API keys, SSH keys, etc.) to facilitate further supply chain compromises.
### Detection & Response
- **How it was discovered:** Ongoing monitoring by cybersecurity firms following a March 2026 surge where 400+ artifacts were compromised.
- **Response actions taken:** Coordinated disruption on May 26, 2026, by CrowdStrike, Google, and The Shadowserver Foundation, targeting all four C2 layers simultaneously.
## Attack Methodology
- **Initial Access:** Typosquatting and "sleeper" extensions on OpenVSX, VS Code marketplace, npm, and GitHub.
- **Persistence:** Implementation of "sleeper" code that remains dormant until a legitimate-looking update is pushed.
- **Defense Evasion:** Use of multiple indirection layers; C2 addresses hidden in Solana transaction memo fields and distributed in encrypted form through BitTorrent DHT keys.
- **Credential Access:** Automated harvesting of developer credentials and crypto-wallets from local environments.
- **Discovery:** Constant scanning of developer registries for high-impact repositories to impersonate or infect.
- **Impact:** Compromise of 400+ repositories/packages; potential for massive downstream supply chain attacks.
## Impact Assessment
- **Financial:** Significant loss of cryptocurrency assets from compromised developer wallets.
- **Data Breach:** Exposure of highly sensitive developer credentials and "secrets" (tokens/keys).
- **Operational:** Disruption of CI/CD pipelines and the need for massive cleanup of public code registries.
- **Reputational:** Eroded trust in open-source registries (OpenVSX, npm).
## Indicators of Compromise (IoCs)
- **Network Indicators:**
  - `164.92.88[.]210` (current sinkhole IP, managed by CrowdStrike)
- **Behavioral Indicators:**
  - High DNS traffic to Solana node providers or BitTorrent DHT queries from developer workstations.
  - Base64-encoded strings in Google Calendar event titles.
  - VS Code/OpenVSX extensions initiating unauthorized outbound connections.
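As an added illustration of the behavioral indicators above and of the network-monitoring recommendation later in this report (example code, not from the report or from the researchers involved), the following Python scans a constructed DNS/connection log for developer workstations that resolve Solana RPC hosts, talk to BitTorrent DHT bootstrap nodes or the default DHT port, or still beacon to the sinkhole address. The log format, the `.solana.com` suffix and the DHT bootstrap host list are assumptions; only the sinkhole IP comes from the report.

```python
import re
from collections import defaultdict

SINKHOLE_IP = "164.92.88.210"  # sinkhole from the report, un-defanged to match logs
# Assumed indicators (not from the report): public Solana RPC domain suffix, two
# well-known BitTorrent DHT bootstrap nodes and the default DHT port. Extend as needed.
SOLANA_RPC_SUFFIXES = (".solana.com",)
DHT_BOOTSTRAP_HOSTS = {"router.bittorrent.com", "dht.transmissionbt.com"}
DHT_PORTS = {6881}

# Constructed log format: "<ts> <workstation> dns <qname>" or
# "<ts> <workstation> conn <proto> <dst_ip>:<dst_port>".
LINE_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (.+)$")
SAMPLE_LOG = """\
2026-05-26T10:00:01Z devbox01 dns api.mainnet-beta.solana.com
2026-05-26T10:00:02Z devbox01 conn udp 203.0.113.7:6881
2026-05-26T10:00:03Z devbox01 conn tcp 164.92.88.210:443
2026-05-26T10:00:04Z devbox02 dns github.com
2026-05-26T10:00:05Z devbox02 conn tcp 203.0.113.8:443
""".splitlines()

def classify(line):
    """Return (workstation, indicator) for a matching log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, host, kind, rest = m.groups()
    tag = None
    if kind == "dns":
        name = rest.lower().rstrip(".")
        if name.endswith(SOLANA_RPC_SUFFIXES):
            tag = "solana-rpc-dns"
        elif name in DHT_BOOTSTRAP_HOSTS:
            tag = "dht-bootstrap-dns"
    else:
        proto, _, dst = rest.partition(" ")
        ip, _, port = dst.rpartition(":")
        if ip == SINKHOLE_IP:
            tag = "sinkhole-contact"  # still beaconing to the seized C2 address
        elif proto == "udp" and port.isdigit() and int(port) in DHT_PORTS:
            tag = "dht-udp-port"
    return (host, tag) if tag else None

def scan(lines):
    """Count indicator hits per workstation: {workstation: {indicator: n}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for host, tag in filter(None, map(classify, lines)):
        hits[host][tag] += 1
    return {h: dict(t) for h, t in hits.items()}
```

A single DHT or Solana hit is weak on its own (developers do run blockchain tooling and torrent clients); the per-workstation grouping is there so that several independent indicators on one host, especially sinkhole contact, can be triaged first.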
## Response Actions
- **Containment:** Sinkholing of C2 traffic to the IP `164.92.88[.]210`.
- **Eradication:** Simultaneous shutdown of C2 resolution on Solana transactions, DHT keys, and Google Calendar dead-drops.
- **Recovery:** Development and release of YARA rules for organizations to identify and purge infected developer machines.
## Lessons Learned
- **Key Takeaways:** Conventional C2 takedowns are ineffective against decentralized infrastructure (blockchain/P2P); success requires multi-vendor cooperation.
- **Registry Security:** Developer registries require stricter vetting and monitoring of "sleeper" extensions that change behavior after an update.
## Recommendations
- **Developer Hygiene:** Implement secret-scanning tools (e.g., truffleHog, GitHub Secret Scanning) to prevent credential theft.
- **Network Monitoring:** Monitor dev environments for peer-to-peer (DHT) traffic or unusual calls to blockchain APIs.
- **Extension Vetting:** Enforce a policy of using only verified extensions and perform periodic audits of installed VS Code/IDE plugins.