GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

Blizine Admin

Ravie Lakshmanan · May 27, 2026 · Malware / Threat Intelligence

CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software supply chain campaign targeting software developers through malicious packages and extensions.

"Since at least early 2025, GlassWorm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries," CrowdStrike said.

The development comes as developers have increasingly become lucrative targets for pulling off software supply chain attacks, enabling attackers to leverage a single compromised workstation to impact thousands of downstream organizations and users at once.

GlassWorm, since its emergence last year, has conducted a "multi-pronged campaign" using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, thereby making it possible to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium.

The campaign is also known to have introduced malicious code through compromised npm and Python packages. The end goal of the attacks is to deliver a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities.

Subsequent iterations of GlassWorm have been found to deploy a WebSocket-based JavaScript RAT called GlassWormRAT to steal web browser data and run arbitrary code, including installing a Google Chrome extension that, in turn, collects sensitive data such as screenshots, keystrokes, and clipboard content from the infected system.

"Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads," Endor Labs researcher Kiran Raj said.

"Infected hosts are converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes (via WebRTC or spawned Node.js processes). That gives attackers anonymized network access into corporate and personal networks and a platform to propagate further."

Cumulatively, the malicious activity is said to have poisoned more than 300 GitHub repositories using stolen developer credentials. What made the operation notable was its use of four distinct C2 channels for improved resilience -

- Using the Solana blockchain as a dead drop resolver by storing C2 server addresses in the memo fields of blockchain transactions
- Querying the BitTorrent Distributed Hash Table (DHT) peer-to-peer network to retrieve configuration data
- Employing Google Calendar as a dead drop resolver to fetch the C2 server address from event titles
- Directly connecting to C2 infrastructure hosted on commercial VPS providers

"The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting the actual C2 servers behind multiple layers of indirection," CrowdStrike said.
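Because the resolver layers are legitimate public services, blocking by IP is not an option; the defensive signal is which process is talking to them. The script below is an added illustration (not from the article, CrowdStrike, or Endor Labs) that flags developer-tool processes contacting the three kinds of dead-drop service named above; the log format, process names, ports and hostnames are constructed assumptions, not indicators from the article.

```python
"""Flag dev-tool processes that contact services usable as C2 dead-drop resolvers
(blockchain RPC, BitTorrent DHT, Google Calendar). Constructed example; the log
format and endpoint list are assumptions, not IoCs from any report."""
import re
from collections import defaultdict

# Processes that VS Code, its forks, and npm/Python packages run as (assumption).
DEV_PROCESSES = {"code", "code.exe", "cursor", "windsurf", "positron", "node", "python"}

# Public endpoints each resolver type would need; used as examples, not IoCs.
RESOLVER_CATEGORIES = {
    "blockchain_rpc": re.compile(r"(^|\.)solana\.com$"),
    "calendar_api": re.compile(r"^calendar\.googleapis\.com$"),
}
DHT_PORTS = {6881, 6969}  # common BitTorrent DHT/tracker ports (assumption)

# Constructed endpoint-log format: "<ts> proc=<name> dst=<host>:<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\w+)$")


def classify(line):
    """Return (process, resolver_category) when a dev-tool process reaches a
    dead-drop-capable service; None for non-dev processes or ordinary traffic."""
    m = LOG_RE.match(line)
    if not m or m["proc"].lower() not in DEV_PROCESSES:
        return None
    proc = m["proc"].lower()
    for category, pattern in RESOLVER_CATEGORIES.items():
        if pattern.search(m["dst"].lower()):
            return proc, category
    if m["proto"].lower() == "udp" and int(m["port"]) in DHT_PORTS:
        return proc, "bittorrent_dht"
    return None


def find_dead_drop_candidates(lines):
    """Map each flagged process to the sorted resolver categories it touched.
    One process hitting several unrelated resolver types is the strongest signal;
    a single hit (e.g. a Calendar call) is weak on its own and needs triage."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            proc, category = result
            hits[proc].add(category)
    return {proc: sorted(cats) for proc, cats in hits.items()}


SAMPLE_LOG = [  # constructed sample lines
    "2026-05-27T10:00:01Z proc=code dst=marketplace.visualstudio.com:443 proto=tcp",
    "2026-05-27T10:00:02Z proc=node dst=api.mainnet-beta.solana.com:443 proto=tcp",
    "2026-05-27T10:00:03Z proc=node dst=router.bittorrent.com:6881 proto=udp",
    "2026-05-27T10:00:04Z proc=node dst=calendar.googleapis.com:443 proto=tcp",
    "2026-05-27T10:00:05Z proc=chrome dst=calendar.googleapis.com:443 proto=tcp",
]
```

Run against the sample, only the `node` process is flagged, with all three resolver categories; the `chrome` Calendar call is ignored because browsers are expected to reach it.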

As a result of the takedown, all four channels have been neutralized simultaneously in a coordinated effort so that infected machines can no longer receive new instructions or payloads.

Describing the GlassWorm operators as "well-resourced and persistent," the cybersecurity company attributed the activity to likely Russia-based cybercriminals given that the malware terminates execution on systems located in the Commonwealth of Independent States (CIS) countries and contains Russian-language comments.

"The software supply chain remains one of the most consequential attack surfaces in modern computing," CrowdStrike concluded. "Adversaries are turning an organization's dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers."

"The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. GlassWorm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems."

📰Originally published at thehackernews.com