How the Glassworm Takedown Secures Digital Supply Chains

Alessandro Guggino, Senior Security Researcher at CrowdStrike
The Glassworm botnet uses blockchain and BitTorrent to target developers and compromise software supply chains across Windows, macOS and Linux systems

CrowdStrike has taken down a botnet that targets developers with access to source code repositories, cloud infrastructure and package registries. The Glassworm operation uses four separate command and control channels to maintain activity even when parts of the network are disabled.

The cybersecurity firm worked with Google and the Shadowserver Foundation to dismantle the infrastructure. CrowdStrike's Counter Adversary Operations team led the effort against malware built to persist across multiple communication methods.

Glassworm operators began targeting developers in early 2025. A single compromised developer account can lead to supply chain attacks affecting thousands of downstream users and enterprises.

The attackers use multiple infection methods across different platforms, and the campaign affects all major operating systems.

Glassworm's cycle of infection | Credit: CrowdStrike

Targeting developer tools

Trojanised VSCode extensions appear on the OpenVSX marketplace disguised as time trackers and code formatters. The malicious extensions infect users of Cursor, Positron, Windsurf, VSCodium and other integrated development environments.

Compromised npm and Python packages introduce malicious code through postinstall hooks and setup scripts. According to CrowdStrike, the code executes during routine dependency installation.
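The install-time hooks described above are declared in a package's `package.json`; the following audit script is an added example (not CrowdStrike's or the campaign's code) that walks a `node_modules` tree and reports every package declaring a preinstall, install, postinstall or prepare script. The package names and manifests it builds are constructed samples.

```python
"""Audit an npm dependency tree for lifecycle scripts that run at install time.

Added example, not code from the original article or from CrowdStrike. npm runs
preinstall/install/postinstall/prepare scripts automatically during `npm install`,
which is the mechanism the article describes for executing code during routine
dependency installation. Sample packages below are constructed for the demo.
"""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(package_json_text):
    """Return {hook: command} for every install-time script in a package.json."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_node_modules(root):
    """Walk a node_modules tree; return sorted (package path, hook, command) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                hooks = install_hooks(fh.read())
            except json.JSONDecodeError:
                continue  # not a parseable manifest; skip it
        for hook, cmd in hooks.items():
            findings.append((os.path.relpath(dirpath, root), hook, cmd))
    return sorted(findings)


# Constructed sample tree: one package without hooks, one with a postinstall hook
SAMPLE_PACKAGES = {
    "left-pad-clone": {"name": "left-pad-clone", "scripts": {"test": "node test.js"}},
    "time-tracker-util": {"name": "time-tracker-util",
                          "scripts": {"postinstall": "node ./setup.js"}},
}


def build_sample_tree():
    """Write the constructed sample packages to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    for name, manifest in SAMPLE_PACKAGES.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for pkg, hook, cmd in audit_node_modules(build_sample_tree()):
        print(f"{pkg}: {hook} -> {cmd}")
```

Installing with `npm install --ignore-scripts` prevents these hooks from running at all; the audit shows which packages would otherwise have executed one.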

Poisoned GitHub repositories form another attack vector. Credentials harvested from earlier Glassworm infections are used to force-push malicious code to over 300 repositories.

The operation also deploys GlasswormRAT, a cross-platform Node.js remote access tool. CrowdStrike assesses that the criminals behind the operation are likely based in Russia.


Decentralised infrastructure design

The botnet is engineered to resist conventional takedown methods. Infected devices continue receiving instructions even if one communication system fails.

Command and control server addresses are encoded in memo fields of Solana blockchain transactions. CrowdStrike describes this as "an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means".

GlasswormRAT queries the BitTorrent Distributed Hash Table for hardcoded public keys. The peer-to-peer file sharing network lets the operators distribute instructions across the internet without a central server.

Google Calendar events and commercial virtual servers distribute instructions and payloads to infected machines. CrowdStrike calls this "a dynamic front protecting the actual C2 servers behind multiple layers of indirection".

Glassworm C2 infrastructure and disruption | Credit: CrowdStrike

Coordinated disruption operation

According to CrowdStrike, disrupting the botnet "requires precision and timing". Taking down one channel leaves others operational and allows operators to reconstitute quickly.

"All four channels have to be disrupted simultaneously in a coordinated effort," CrowdStrike says. The operation targets blockchain networks, distributed hash tables, calendar services and virtual servers at the same time.

Alessandro Guggino, Senior Security Researcher at CrowdStrike, adds: "CrowdStrike plays offence and brings the fight to the adversary. The Counter Adversary Operations team disrupts a global botnet built for resilience, engineered with four distinct command and control (C2) channels to be nearly impossible to take down.

"The C2 architecture relies on two decentralised networks that are taken over and eclipsed - the Solana blockchain and the BitTorrent distributed hash table (DHT) - as well as Google Calendar events and commercial virtual servers, taken down by our operation partners.

"As a result, infected machines can no longer receive new instructions or payloads."

In a combined operation with Google and the Shadowserver Foundation, cybersecurity giant CrowdStrike successfully dismantled Glassworm - a sophisticated global botnet

Implications for enterprises

The incident shows that detection-focused security efforts struggle against adversaries using decentralised infrastructure. Traditional approaches do not address layered command systems effectively.

The takedown demonstrates how offensive cybersecurity measures are becoming part of industry strategy. Defenders are working together to dismantle infrastructure that powers organised cybercrime.

The operation shows that modern cybersecurity requires proactive threat hunting and collaborative intelligence sharing. Tactical disruption is becoming more common as firms move beyond passive defence.

Software supply chain attacks have dominated cybersecurity discussions throughout the year. The Glassworm takedown provides a template for future operations against decentralised botnet infrastructure.
