Cybersecurity News Kinetic Potential

GlassWorm Botnet Disrupted

The GlassWorm botnet that has been targeting the open source software ecosystem for over six months has been disrupted, cybersecurity firm CrowdStrike reports.

Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm’s four command-and-control (C&C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads.

The malware has been using the Solana blockchain for C&C infrastructure, with Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial VPS providers serving as backup C&Cs.

GlassWorm’s operators have been encoding C&C addresses in the memo fields of Solana transactions; once confirmed on chain, those transactions cannot be modified or deleted, so the addresses themselves cannot be taken down.

The BitTorrent network was used to publish configuration data retrievable via public keys hardcoded in the malware, Google Calendar was used to store Base64-encoded C&C paths in event titles, and the traditional C&C servers were used to host payloads.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C&C servers behind multiple layers of indirection,” CrowdStrike notes.

By taking down all four channels at the same time, the cybersecurity firms severed the operators’ access to the infected machines and their ability to deliver new instructions.

First spotted in October 2025, GlassWorm has been relying on Unicode variation selectors to hide its code: these characters occupy no visible space in code editors, so the malicious lines are invisible to a human reviewer even though the interpreter still sees them.

The self-propagating malware was initially distributed as trojanized Visual Studio Code (VS Code) extensions through the OpenVSX marketplace. In November, however, it also emerged on GitHub.

In 2026, GlassWorm attacks continued to target VS Code developers and other open source software ecosystems. In March, multiple Python projects were compromised.

“The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts,” CrowdStrike says.

GlassWorm is designed to steal sensitive information (such as NPM, GitHub, and Git credentials) and funds from dozens of cryptocurrency wallet extensions. It also deploys SOCKS proxy servers and hidden VNC servers for remote access to the infected machines.

The attackers’ access to stolen developer credentials created an ongoing risk of high-impact supply chain compromises reaching well beyond the victim developers: any package or repository those credentials could publish to was a candidate for trojanizing, so all consumers of potentially affected software, including enterprises and other organizations, were also exposed to compromise.

According to CrowdStrike, evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.

“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike notes.

This article was published by Security Week. Please check their website for the original content.
