CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software supply chain campaign targeting software developers through malicious packages and extensions. "Since at least early 2025, GlassWorm operators have systematically targeted software developers, a
# Incident Report: GlassWorm Supply Chain Disruption
## Executive Summary
CrowdStrike, in partnership with Google and the Shadowserver Foundation, has successfully dismantled the Command-and-Control (C2) infrastructure of "GlassWorm," a persistent malware campaign targeting software developers. Active since early 2025, the threat actor utilized trojanized VS Code extensions and malicious packages to compromise developer workstations, eventually poisoning over 300 GitHub repositories. The coordinated takedown neutralized four resilient C2 channels, effectively severing the attackers' ability to control infected hosts.
## Incident Details
- **Discovery Date:** Early 2025 (Initial emergence)
- **Incident Date:** Takedown announced May 27, 2026
- **Affected Organization:** Global software developers and downstream users
- **Sector:** Software Development / Technology
- **Geography:** Global (CIS countries excluded by malware logic)
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing early 2025
- **Vector:** Software Supply Chain / Trojanized Developer Tools
- **Details:** Malicious VS Code extensions published on Microsoft VS Code Marketplace and Open VSX; distribution of malicious npm and Python packages.
### Lateral Movement
- Stolen developer credentials (GitHub, NPM, OpenVSX tokens) were used to pivot from workstations to corporate repositories and package registries. Infected hosts were converted into SOCKS proxies and Hidden VNC (HVNC) servers to provide the attackers with anonymized network access.
### Data Exfiltration/Impact
- Unauthorized access to source code and CI/CD pipelines.
- Exfiltration of cryptocurrency wallets, web browser data, keystrokes, screenshots, and clipboard content.
- Poisoning of over 300 GitHub repositories using compromised accounts.
### Detection & Response
- **Detection:** Discovered via threat research by CrowdStrike and Endor Labs tracking persistence in VS Code forks.
- **Response Actions:** Simultaneous disruption of the Solana blockchain memo field resolution, BitTorrent DHT queries, Google Calendar dead drops, and commercial VPS C2 infrastructure.
## Attack Methodology
- **Initial Access:** Trojanized VS Code extensions and malicious npm/Python packages.
- **Persistence:** Self-propagating VS Code extensions; installation of malicious Chrome extensions.
- **Privilege Escalation:** Harvesting high-privilege tokens (GitHub, NPM) to bypass standard user limitations.
- **Defense Evasion:** Termination if CIS country location is detected; encrypted C2 resolution via blockchain and P2P layers.
- **Credential Access:** Harvesting tokens from local files and web browsers; cryptocurrency wallet theft.
- **Discovery:** System profiling and searching host for developer-specific credentials/tokens.
- **Lateral Movement:** HVNC and SOCKS proxies; WebRTC-based remote execution.
- **Collection:** Automated collection of keystrokes, screenshots, and clipboard data.
- **Exfiltration:** Data sent via an encrypted WebSocket-based RAT (GlassWormRAT).
- **Impact:** Poisoning of the upstream supply chain to impact downstream organizations.
## Impact Assessment
- **Financial:** Significant potential loss due to cryptocurrency wallet theft and remediation costs.
- **Data Breach:** High volume of sensitive source code, credentials, and PII (keystrokes/screenshots).
- **Operational:** Disruption of CI/CD pipelines and the need for massive credential rotations.
- **Reputational:** Severe impact on the trust of public package registries and marketplaces.
## Indicators of Compromise
- **Network indicators:**
  - C2 resolved via Solana blockchain memo fields.
  - C2 resolved via Google Calendar event titles.
  - Traffic to BitTorrent DHT for configuration retrieval.
- **File indicators:** GlassWormRAT (JavaScript-based WebSocket RAT).
- **Behavioral indicators:** VS Code processes spawning unintended Node.js child processes; unauthorized outbound SOCKS proxy traffic.
## Response Actions
- **Containment:** Coordinated disruption of all four C2 resolution channels.
- **Eradication:** Removal of malicious extensions from Microsoft VS Code Marketplace and Open VSX.
- **Recovery:** Notification to GitHub and package registries to secure the 300+ poisoned repositories.
## Lessons Learned
- **Key Takeaways:** Developers are high-value targets because their workstations serve as gateways to entire enterprise supply chains.
- **Improvement Areas:** Marketplace and registry providers need more rigorous vetting for automated uploads to prevent "living-off-the-extension" attacks.
## Recommendations
- Implement mandatory MFA for all package registry and source code repository accounts.
- Audit installed VS Code extensions and restrict installations to verified publishers.
- Monitor developer workstations for unusual outbound connections (P2P, HVNC) and unauthorized Chrome extension activity.
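One way to act on the extension-audit recommendation above: an added example (not tooling from CrowdStrike, Google, Shadowserver or the GlassWorm report) that walks a VS Code extensions directory, reads each extension's package.json, and flags any extension whose publisher is not on an organisation-maintained allowlist or that has no readable manifest at all. The allowlist contents and the sample extension tree are constructed assumptions; the manifest layout (one folder per extension with `publisher`, `name`, `version` in package.json) is the standard VS Code layout.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of publishers the organisation has vetted (assumption).
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "redhat"}


def audit_extensions(ext_dir, allowed=ALLOWED_PUBLISHERS):
    """Return (extension id, version, reason) for every extension that is not
    from an allowed publisher or has no readable package.json manifest."""
    findings = []
    for folder in sorted(Path(ext_dir).iterdir()):
        if not folder.is_dir():
            continue
        try:
            meta = json.loads((folder / "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # No manifest means the extension cannot be attributed to any publisher.
            findings.append((folder.name, "?", "missing or unreadable package.json"))
            continue
        publisher = meta.get("publisher", "")
        ext_id = f"{publisher}.{meta.get('name', folder.name)}"
        if publisher not in allowed:
            findings.append((ext_id, meta.get("version", "?"), "publisher not on allowlist"))
    return findings


def build_sample_extensions(root):
    """Create a constructed extensions directory (sample data, not real extensions)."""
    samples = {
        "ms-python.python-2024.1.0": {"publisher": "ms-python", "name": "python", "version": "2024.1.0"},
        "unknown-dev.helper-0.0.3": {"publisher": "unknown-dev", "name": "helper", "version": "0.0.3"},
    }
    for folder, meta in samples.items():
        d = Path(root) / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    (Path(root) / "broken-ext").mkdir(exist_ok=True)  # extension folder with no manifest
    return root


def run_sample_audit():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_extensions(tmp))


if __name__ == "__main__":
    # Point audit_extensions at ~/.vscode/extensions to audit a real workstation.
    for ext_id, ver, reason in run_sample_audit():
        print(f"FLAG {ext_id} {ver}: {reason}")
```

On a real workstation, pass `~/.vscode/extensions` (or the equivalent directory for VS Code forks) to `audit_extensions` and treat every flagged entry as something to remove or justify before the host is trusted with registry or repository tokens.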