{"id":256747,"date":"2026-05-27T08:11:00","date_gmt":"2026-05-27T12:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/27\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot\/"},"modified":"2026-05-27T08:30:11","modified_gmt":"2026-05-27T12:30:11","slug":"how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/27\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot\/","title":{"rendered":"How cybersecurity firms took down Glassworm botnet in one shot"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/192749\/cyber-crime\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html\">How cybersecurity firms took down Glassworm botnet in one shot<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192749\/cyber-crime\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html\">https:\/\/securityaffairs.com\/192749\/cyber-crime\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-27 08:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>How cybersecurity firms took down Glassworm botnet in one shot<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> May 27, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-81.png?fit=2048%2C1196&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Glassworm infected developers through poisoned tools and packages until a coordinated takedown killed all four of its C2 channels at once.<\/h2>\n<p class=\"wp-block-paragraph\">On 
May 26, 2026, at 14:00 UTC, CrowdStrike\u2019s Counter Adversary Operations team, working with Google and the Shadowserver Foundation, killed all four command-and-control channels of the Glassworm botnet at the same time. The timing was the whole point.<\/p>\n<p class=\"wp-block-paragraph\">Glassworm has been targeting software developers since at least early 2025. That\u2019s a deliberate choice. Developers have access to source code, cloud credentials, CI\/CD pipelines, and package registries. Compromise one developer\u2019s machine and you potentially own everything downstream that developer has ever touched.<\/p>\n<p class=\"wp-block-paragraph\">The\u00a0GlassWorm\u00a0campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions.<\/p>\n<p class=\"wp-block-paragraph\">In its latest iteration, threat actors used a malicious OpenVSX extension impersonating WakaTime, bundling a Zig-compiled binary. Instead of acting as the payload, the binary serves as a stealthy dropper that infects multiple IDEs on a system, showing the group\u2019s continuous adapt<\/p>\n<p class=\"wp-block-paragraph\">The operators ran three parallel infection campaigns. Trojanized VS Code extensions published to the OpenVSX marketplace posed as legitimate tools like time trackers and code formatters, targeting not just VS Code but also Cursor, Windsurf, VSCodium, and others. Malicious npm and Python packages executed harmful code silently during routine dependency installation. And more than 300 GitHub repositories were poisoned using developer credentials stolen from earlier Glassworm infections, with malicious code force-pushed into default branches. 
Not bad for a group that apparently had nothing better to do for over a&#8230;<br \/>\n<br \/><a href=\"https:\/\/securityaffairs.com\/192749\/cyber-crime\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How cybersecurity firms took down Glassworm botnet in one shot https:\/\/securityaffairs.com\/192749\/cyber-crime\/how-cybersecurity-firms-took-down-glassworm-botnet-in-one-shot.html Publish Date: 2026-05-27 08:11:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":256748,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/05\/image-81.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-256747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256747"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=256747"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256747\/revisions"}],"predecessor-version":[{"id":256749,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256747\/revisions\/256749"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/256748"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=256747"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=256747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=256747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}