CrowdStrike, working alongside Google and the nonprofit internet monitor Shadowserver, announced on May 27 that it has taken down the Glassworm botnet, a criminal infrastructure used for roughly two years to compromise open source software developers and inject malware into the projects they maintain. The operation severed four command-and-control channels that the Glassworm operators relied on to deliver payloads and maintain access to infected machines. According to CrowdStrike's report, the C2 infrastructure was notably eclectic, routing through the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and conventional virtual private servers, a design intended to make malicious traffic blend into legitimate network activity and to leave no single point that defenders could block.

By the time of the takedown, the operators had poisoned over 300 GitHub repositories. The group employed three primary infection vectors: publishing trojanized extensions on developer tool marketplaces; malvertising through paid search results that served malware disguised as legitimate developer tools; and credential stuffing, replaying previously stolen passwords to hijack developer accounts and commit malicious code directly into the projects those accounts controlled.
CrowdStrike framed the campaign as a deliberate pivot in attacker strategy toward the human layer of the software supply chain. The legal or technical authority under which the takedown was executed was not disclosed; a CrowdStrike spokesperson did not immediately respond to requests for comment. The Glassworm dismantlement follows a wave of similar incidents: a separate campaign called “Mini Shai-Hulud” compromised dozens of popular open source packages last week and was used to breach an OpenAI developer’s workstation, while a suspected North Korean actor hijacked the widely used Axios JavaScript library in March to push malware to its millions of downstream users.