CrowdStrike takes down Glassworm botnet that spent two years poisoning developer code

CrowdStrike, working alongside Google and nonprofit internet monitor Shadowserver, has dismantled a botnet called Glassworm, which spent roughly two years targeting open source software developers to push malware and harvest stolen credentials across the supply chain.

The operation cut off four command-and-control channels the hackers relied on to communicate with infected machines and deliver additional malware. What makes the infrastructure notable is how unconventional it was. Rather than relying solely on traditional servers, the Glassworm operators routed their control channels through the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers. The mix made detection and disruption considerably harder.

By the time the operation wrapped up, the hackers had poisoned more than 300 GitHub repositories. The word “poisoned” is CrowdStrike’s own, and it fits. Because developers pull code from repositories they trust, a compromised package can travel silently into products used by thousands of organizations downstream. Those downstream victims never interact with the hackers directly.

The Glassworm group used several methods to reach developers. These included publishing malicious extensions on developer marketplaces, paying for sponsored search results that directed victims toward infected downloads, and using credentials stolen in earlier breaches to hijack developer accounts and plant malware directly inside their existing projects. The combination gave the group multiple entry points into the same ecosystem.

“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike noted in its report. The logic is simple: one compromised developer workstation can affect every project that person touches, and every organization using those projects downstream.

The takedown comes against a backdrop of intensifying supply chain attacks. Just last week, a separate campaign called Mini Shai-Hulud compromised several open source projects through malicious updates, with at least two OpenAI developers among those affected. In March, a suspected North Korean hacker hijacked Axios, the widely used JavaScript library that millions of developers depend on daily.

CrowdStrike has not detailed the specific legal or technical authority under which the Glassworm takedown was conducted, and the company declined to comment further beyond its published report. Even so, the operation offers a rare public look at how defenders are starting to respond to supply chain threats at the infrastructure level, rather than waiting for individual incidents to surface.
