290/69 Thursday, May 28, 2026

On May 26, 2026, CrowdStrike Counter Adversary Operations, in collaboration with Google and the Shadowserver Foundation, reportedly disrupted all four Command-and-Control (C2) channels used by the Glassworm Botnet at the same time. The operation aimed to stop communication between the malware and the attackers’ infrastructure. Glassworm is a campaign that has targeted software developers since early 2025 through maliciously modified tools and packages. Developers are attractive targets because they often have access to source code, cloud credentials, CI/CD systems, and package registries. If compromised, these assets could have a wider impact on downstream software and organizations.
According to the report, the attackers used several distribution methods. These included fake OpenVSX extensions impersonating tools such as WakaTime and code formatters, targeting VS Code as well as other IDEs that consume the same registry, such as Cursor, Windsurf, and VSCodium. The attackers also published malicious npm and Python packages that execute harmful code during dependency installation. In addition, they embedded malicious code in more than 300 GitHub repositories by abusing developer credentials stolen earlier in the campaign. Glassworm’s C2 infrastructure was designed to survive takedown efforts: it used the Solana blockchain, the BitTorrent distributed hash table (DHT), Google Calendar, and VPS servers to conceal the location of, and the routing path to, the actual control servers.
The main malware used in this campaign is known as GlasswormRAT, a Node.js-based remote access tool. It can steal npm, GitHub, and Git credentials, drain cryptocurrency wallet browser extensions, install a SOCKS proxy and hidden VNC (HVNC) for persistent access to victims’ machines, and hide malicious code with Unicode variation selectors so that it is invisible in common code editors. As part of the disruption, CrowdStrike redirected infected machines to a sinkhole IP address under the company’s control, 164.92.88[.]210. If an organization sees connections to this address in its network logs, the source hosts should be treated as infected and investigated and remediated immediately. Organizations should also apply the YARA rules and Indicators of Compromise published by the researchers to confirm infections and reduce the risk of further supply chain attacks.
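As an added defender-side example (not from the report or from CrowdStrike), the following Python script performs the two checks the brief calls for: it flags runs of Unicode variation selectors in source text, the hiding technique attributed to GlasswormRAT, and it lists internal hosts whose connections went to the sinkhole address. The log line format, the sample source, and the run-length threshold of 8 are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Unicode variation selectors: VS1-VS16 (U+FE00-U+FE0F) and VS17-VS256 (U+E0100-U+E01EF).
# A single selector after an emoji is normal text; long runs with nothing to modify are not.
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")

def find_variation_selector_runs(text: str, min_run: int = 8) -> List[Tuple[int, int]]:
    """Return (line_number, run_length) for every selector run at least min_run long."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in VS_RUN.finditer(line):
            if len(match.group()) >= min_run:
                hits.append((lineno, len(match.group())))
    return hits

# Sinkhole address from the report (written 164.92.88[.]210 in the text, refanged here).
SINKHOLE_IP = "164.92.88.210"
# Assumed log format: "<timestamp> <action> <src_ip>:<port> -> <dst_ip>:<port> <proto>".
CONN_LINE = re.compile(r"^(\S+) \S+ (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")

def find_sinkhole_connections(log_lines: List[str], sinkhole: str = SINKHOLE_IP) -> List[Tuple[str, str]]:
    """Return (timestamp, internal_host) for each connection whose destination is the sinkhole."""
    found = []
    for line in log_lines:
        m = CONN_LINE.match(line)
        if m and m.group(3) == sinkhole:
            found.append((m.group(1), m.group(2)))
    return found

# Constructed sample source: line 2 holds a legitimate emoji + VS16, line 3 hides a 24-selector run.
HIDDEN_RUN = "".join(chr(0xE0100 + i) for i in range(24))
SAMPLE_SOURCE = ("const ok = 1;\n"
                 "const heart = '\u2764\uFE0F';\n"
                 "// " + HIDDEN_RUN + "\n"
                 "module.exports = ok;\n")

# Constructed sample logs (203.0.113.0/24 is documentation address space).
SAMPLE_LOGS = [
    "2026-05-27T10:02:11Z allow 10.0.4.23:51234 -> 203.0.113.10:443 tcp",
    "2026-05-27T10:02:19Z allow 10.0.4.23:51240 -> 164.92.88.210:443 tcp",
    "2026-05-27T10:03:02Z allow 10.0.4.51:40011 -> 164.92.88.2:443 tcp",
]

if __name__ == "__main__":
    print("hidden selector runs:", find_variation_selector_runs(SAMPLE_SOURCE))
    print("hosts talking to sinkhole:", find_sinkhole_connections(SAMPLE_LOGS))
```

Lower `min_run` to catch shorter runs at the cost of flagging emoji-heavy files; note that the exact-IP match deliberately ignores the near-miss 164.92.88.2 in the third log line.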
