CrowdStrike Glassworm Takedown Exposes Developer Supply Chain Risk
CrowdStrike announced it has taken down the Glassworm botnet, a global threat campaign attacking software developers through open source tools.
The company simultaneously struck Glassworm’s four command-and-control (C2) channels alongside collaborators Google and the Shadowserver Foundation. CrowdStrike says infected machines can no longer receive new instructions or payloads.
The Glassworm botnet used poisoned open source packages, malicious code editor extensions and compromised GitHub repositories to gain entry to software development environments. It targeted developers due to the value of this access: “Developers represent uniquely high-value targets: compromising a single developer’s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users,” CrowdStrike wrote in a report of the takedown.
CrowdStrike said the takedown required a coordinated disruption because Glassworm’s operators had designed the botnet to survive a conventional single-channel takedown. Rather than relying on one C2 channel, Glassworm used four separate mechanisms to locate and deliver instructions: Solana blockchain transactions, BitTorrent’s distributed hash table, Google Calendar event titles and direct connections to servers hosted on commercial VPS providers.
That layered design made the operation more difficult to disrupt. The blockchain, peer-to-peer and calendar-based channels acted as resolution layers, helping infected machines find the real command-and-control servers even if one path was blocked. CrowdStrike said it disrupted all four channels at the same time to prevent the operators from falling back to another route and rebuilding access to infected developer systems.
CrowdStrike stated that Glassworm’s specific targeting of developers marks a significant shift in the threat landscape and should be a wake-up call for all software builders and users. The company also argued that Glassworm shows how effective supply-chain defense will require earlier disruption, cross-sector coordination and direct action against the technical dependencies attackers rely on.
Glassworm’s operators appeared to be persistent and adaptable, with CrowdStrike describing a year-long campaign that showed some indicators consistent with Russian-speaking cybercriminal activity. According to the company, the operation evolved from JavaScript to Rust to Zig, expanded across VS Code, npm, PyPI and GitHub, and built redundant infrastructure designed to survive takedown attempts. With the botnet’s command channels disrupted, CrowdStrike is now urging organizations to check whether developer systems were already affected.
The company has provided a network indicator for organizations investigating possible infections. With the C2 channels under CrowdStrike’s control, Glassworm-infected machines now beacon to the benign CrowdStrike-operated address 164.92.88[.]210. Organizations should review network logs and endpoint telemetry for connections to that address and treat any match as evidence that the host was infected before the takedown: the beacon itself is now harmless, so the host should be scoped and remediated rather than simply blocked at the perimeter, since blocking would remove the one visible sign of compromise.
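The following Python script is an added example, not code from CrowdStrike’s report: it refangs the published indicator, scans log lines for connections whose destination is that address, and counts hits per internal source host so the result is a list of machines to investigate. The two log shapes it understands (Zeek-style conn.log records and `src=`/`dst=` key-value firewall lines) and every sample line are constructed for illustration; only the indicator comes from the report.

```python
"""Hunt network logs for beacons to the Glassworm sinkhole published by CrowdStrike.

Added example, not part of the CrowdStrike report. The Zeek-style and firewall
log lines below are constructed for illustration; only the indicator is real.
"""
import ipaddress
import re
from collections import Counter

# Indicator from the CrowdStrike takedown report, kept defanged as published.
GLASSWORM_SINKHOLE_DEFANGED = "164.92.88[.]210"

# key=value pairs as emitted by many firewall / netfilter syslog formats (assumed shape).
KV_RE = re.compile(r"\b(src|dst)=(\S+)")


def refang(indicator: str) -> str:
    """Convert a defanged IoC such as '164.92.88[.]210' to a real address, validating it."""
    addr = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(addr))  # raises ValueError on malformed input


def parse_line(line: str):
    """Return (src_ip, dst_ip) for a Zeek conn.log record or a key=value firewall line.

    Zeek conn.log: tab-separated; fields 3 and 5 (1-based) are id.orig_h and id.resp_h.
    Firewall/syslog: '... src=A.B.C.D ... dst=E.F.G.H ...'.
    Returns None for comment lines and lines in neither shape.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) >= 6:
        src, dst = fields[2], fields[4]
    else:
        kv = dict(KV_RE.findall(line))
        if "src" not in kv or "dst" not in kv:
            return None
        src, dst = kv["src"], kv["dst"]
    try:
        return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    except ValueError:
        return None  # e.g. Zeek '-' placeholders or non-IP tokens


def find_beacons(lines, indicator: str = GLASSWORM_SINKHOLE_DEFANGED) -> dict:
    """Count connections per internal source host whose destination is the sinkhole.

    Only the destination side is matched: an infected host beacons *to* the sinkhole.
    No port filter is applied because the report publishes only the address.
    """
    sinkhole = refang(indicator)
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == sinkhole:
            hits[parsed[0]] += 1
    return dict(hits)


def _zeek(ts, uid, orig_h, orig_p, resp_h, resp_p):
    """Build a constructed Zeek-style conn.log record (subset of the real columns)."""
    return "\t".join([ts, uid, orig_h, orig_p, resp_h, resp_p, "tcp"])


# Constructed sample: three Zeek-style records hit the sinkhole, one firewall line hits it,
# two lines go to unrelated destinations. Hosts and ports are made up.
SAMPLE_LOGS = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    _zeek("1715000001.123", "CAbcd1", "10.20.30.41", "51234", "164.92.88.210", "443"),
    _zeek("1715000002.456", "CAbcd2", "10.20.30.41", "51235", "142.250.74.100", "443"),
    _zeek("1715000003.789", "CAbcd3", "10.20.30.77", "49152", "164.92.88.210", "8443"),
    "May 06 12:00:04 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 src=10.20.31.9 dst=164.92.88.210 proto=TCP dpt=443",
    "May 06 12:00:05 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 src=10.20.31.9 dst=104.16.0.1 proto=TCP dpt=443",
    _zeek("1715000006.000", "CAbcd4", "10.20.30.41", "51240", "164.92.88.210", "443"),
]


if __name__ == "__main__":
    for host, n in sorted(find_beacons(SAMPLE_LOGS).items()):
        print(f"{host}: {n} connection(s) to the Glassworm sinkhole; investigate this host")
```

The script matches only the destination side and ignores ports because the report gives nothing more than an address; a per-source-host count is what an incident responder needs, since each hit is a developer workstation or build host that was already infected when the channels were seized. Feed it real conn.log or firewall exports instead of `SAMPLE_LOGS` and adapt `parse_line` to the actual field layout of your logs.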
CrowdStrike noted that the Glassworm saga highlights the limits of after-the-fact detection in software supply-chain security. Malicious packages can spread through dependency updates quickly, often before defenders can respond. For that reason, the company said supply-chain defense must pair detection with coordinated efforts to dismantle attacker infrastructure before access can be rebuilt.
“As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it,” the company wrote. “The security community — vendors, law enforcement agencies, platform operators, and the open-source ecosystem — must respond with equal determination.”