
CrowdStrike, Google and Shadowserver take down Glassworm botnet targeting open-source developers

by Helga Moritz

Glassworm botnet dismantled in joint operation by CrowdStrike, Google and Shadowserver

CrowdStrike, Google and Shadowserver disrupted the Glassworm botnet that targeted open-source developers, cutting four command-and-control channels and halting malware pushes.

CrowdStrike, in partnership with Google and nonprofit monitor Shadowserver, announced a takedown of the Glassworm botnet that had been used to push malware and harvest credentials from open-source software developers. The operation severed four command-and-control channels and stopped active exploitation that researchers say polluted hundreds of developer repositories. The action was described by CrowdStrike as aimed at disrupting a two-year campaign targeting the open-source software supply chain.

Takedown Disrupts Glassworm Infrastructure

CrowdStrike said the takedown removed the attackers’ access to infected machines by neutralizing four distinct command-and-control mechanisms. Those channels had allowed operators to push additional payloads and harvest data from compromised developer workstations. The coordinated effort combined private-sector remediation with large-scale network scanning to identify and cut the botnet’s control paths.

Google and Shadowserver validated routing and infrastructure indicators to ensure the disruption was effective across multiple platforms. CrowdStrike declined to immediately detail the legal authority used for the intervention, and spokespeople did not provide a public comment at the time of the announcement. The collaboration underscores an increasingly common model in which security firms and platform operators act together to interrupt active campaigns quickly.

Targeting Developers to Compromise the Supply Chain

Investigators emphasized that Glassworm specifically targeted developers rather than end customers, exploiting trust in widely used repositories and package managers. Compromising a single developer workstation can allow attackers to introduce malicious code that propagates downstream to thousands of organizations. CrowdStrike described developers as high-value targets whose compromised credentials and build artifacts create systemic risk for the broader software ecosystem.

Supply-chain attacks have risen in frequency and sophistication, researchers say, with multiple groups now focusing on poisoning open-source projects and developer accounts. Recent incidents in mid-May 2026 and earlier this year have demonstrated how quickly compromise at the source can spread into enterprise environments that consume community code.

Infection Vectors and Malvertising Tactics

Glassworm operators used a mix of techniques to gain footholds, including publishing malicious extensions on developer marketplaces and using malvertising to drive victims to trojanized downloads. The attackers also leveraged credentials stolen from prior breaches to hijack developer accounts and inject malicious commits directly into projects. By combining social engineering with technical access, the group increased the likelihood that tainted code would be accepted and distributed.

Malvertising was deployed to amplify reach by buying sponsored search results and other promotional placements that appeared legitimate to developers seeking tools or libraries. Marketplace listings that impersonated popular extensions provided an additional stealthy route for distribution, making the campaign harder to detect until downstream users began to observe anomalous behavior.

Command-and-Control Embedded in Decentralized and Common Services

The botnet’s command-and-control architecture included unconventional and resilient mechanisms, according to CrowdStrike. The operators relied in part on the Solana blockchain and the BitTorrent peer-to-peer network to store and relay instructions, and they also used Google Calendar entries and commercial virtual private servers for signaling and management. This hybrid approach blended decentralized protocols with everyday services to evade simple takedown efforts.

Embedding control data in blockchain transactions and P2P swarms complicates attribution and remediation because those platforms are designed for persistence and distributed availability. Using widely trusted services such as calendar APIs further blurred the line between legitimate traffic and C2 signaling, increasing the operational stealth of the campaign.

Scope of Repository Poisoning and Downstream Risk

CrowdStrike reported that the campaign poisoned more than 300 GitHub repositories, inserting malicious code or components that could be propagated into dependent projects. The contamination of widely consumed packages raises the prospect of cascading impact, with enterprise consumers at risk of receiving compromised updates that appear to originate from trusted maintainers. Security teams are now tasked with auditing dependencies, rebuilding supply chains, and rolling back affected components where possible.

Investigations into the full downstream reach of the compromises remain ongoing, and organizations that use community code are being urged to verify integrity through cryptographic checks and reproducible builds. The takedown halted further pushes from the Glassworm operators, but remediation and detection work at affected projects and enterprises may take weeks to complete.
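As an added example (not code from the article or from any of the organizations named in it), the following Python script implements the kind of cryptographic dependency check the article recommends: it parses a lockfile in pip's `--hash` pinning format, verifies artifact bytes against the pinned SHA-256 digests, and flags entries that are unpinned, mismatched or missing. The lockfile text and the artifact bytes are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed artifact bytes standing in for downloaded package files.
ARTIFACTS: Dict[str, bytes] = {
    "requests": b"constructed-requests-2.31.0-tarball",
    "urllib3": b"constructed-urllib3-2.0.7-tarball",
}

# Constructed lockfile in pip's hash-pinning format: one entry is pinned
# to the digest of its artifact, the other has no hash at all.
LOCKFILE = (
    "requests==2.31.0 --hash=sha256:"
    + hashlib.sha256(ARTIFACTS["requests"]).hexdigest() + "\n"
    "urllib3==2.0.7\n"
)

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_lockfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map package name -> (version, list of allowed sha256 digests)."""
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pin: {line!r}")
        digests = re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes"))
        pins[m.group("name").lower()] = (m.group("version"), digests)
    return pins


def verify_artifacts(pins: Dict[str, Tuple[str, List[str]]],
                     artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per package: 'ok', 'unpinned', 'mismatch' or 'missing'."""
    verdicts: Dict[str, str] = {}
    for name, (_version, digests) in pins.items():
        data = artifacts.get(name)
        if data is None:
            verdicts[name] = "missing"      # nothing downloaded to check
        elif not digests:
            verdicts[name] = "unpinned"     # no digest: any content would pass
        elif hashlib.sha256(data).hexdigest() in digests:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"     # content differs from the pin
    return verdicts
```

An "unpinned" verdict is the gap a poisoned upstream release would slip through, so treat it as a finding rather than a pass.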

Industry Response and Legal Uncertainties

The operation highlights both the benefits of cross-sector coordination and the legal ambiguities that surround private takedowns of distributed infrastructure. CrowdStrike’s partners helped disrupt active malicious operations, yet public details about the legal or technical authority used to seize or neutralize elements of the botnet remain limited. That opacity has prompted calls for clearer frameworks governing defensive interventions that cross service and jurisdictional boundaries.

Security practitioners say firms must balance rapid disruption of harmful infrastructure with transparency about methods and authority to maintain trust with platform operators and developers. Regulators and industry groups are increasingly expected to clarify rules of engagement for private-sector disruption as supply-chain attacks become a persistent national and economic security concern.

The Glassworm takedown is likely to sharpen attention on developer account security, dependency hygiene, and the need for coordinated incident response across companies and nonprofits. Organizations that rely on open-source components should treat developer endpoints as critical assets and accelerate threat-hunting, multi-factor authentication, and code integrity controls to reduce the chance a single compromise causes broad downstream damage.


The Berlin Herald