CrowdStrike said it worked with Google and the Shadowserver Foundation to disrupt all command and control channels tied to GlassWorm, a software supply chain malware campaign that has targeted developers since at least early 2025 and poisoned more than 300 GitHub repositories.
KEY FACTS
- Target: Developers with access to source code, cloud platforms, CI/CD pipelines and package registries
- Spread: Trojanized VS Code extensions, compromised npm and Python packages
- Impact: Credential theft, wallet exfiltration, browser data theft and remote code execution
- Resilience: Four C2 channels used, including Solana, BitTorrent DHT, Google Calendar and VPS servers
In a technical analysis, the company said GlassWorm operators systematically targeted software developers because a single compromised workstation can expose code repositories and downstream systems. The malware campaign has also used trojanized extensions on the Microsoft VS Code Marketplace and Open VSX, reaching users of VS Code forks such as Cursor, Positron, Windsurf and VSCodium.
The report says later versions added a JavaScript RAT called GlassWormRAT that steals browser data, runs arbitrary code and can install a Chrome extension to collect screenshots, keystrokes and clipboard content. It also searches for GitHub, npm and OpenVSX tokens and crypto wallets on infected systems.
CrowdStrike said the operators used four separate channels through which infected machines could locate their command and control servers. Those included Solana blockchain transaction memo fields, the BitTorrent Distributed Hash Table, Google Calendar event titles and direct links to commercial VPS hosting. The company said the mix was designed to resist takedowns.
The disclosure said the latest action neutralized all four channels at the same time, which means infected machines can no longer receive new instructions or payloads. CrowdStrike described the operators as well-resourced and persistent and said the malware stops running on systems in CIS countries and contains Russian-language comments.
WHY IT MATTERS
The takedown removes a set of delivery and control paths that were built to survive disruption, but it does not erase the risk created by compromised developer accounts and poisoned packages. The case shows how software supply chains can turn routine tools and registries into entry points for broader intrusions.