CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain – CyberScoop

Posted on May 27, 2026 By Greg Otto

CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators’ access to infrastructure that helped threat actors infect hundreds of pieces of open-source software with malware since early 2025, the company said Tuesday. 

The coordinated effort involved the simultaneous takedown of four attacker-controlled servers that were designed to obscure the botnet’s operations and remain resilient against disruptions.

CrowdStrike and partners took down infrastructure, severed access to the botnet’s most critical services, impeded operational momentum and slowed the attackers’ ability to scale, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop.

“The broader goal is sustained pressure that forces the adversary to spend time, resources, and operational energy reconstituting infrastructure instead of targeting victims,” Meyers added. “By exposing tradecraft and sharing intelligence, defenders can harden developer environments, CI/CD pipelines, and software supply chains against similar activity. That raises the operating cost for the adversary and gives defenders an advantage.”

Glassworm has targeted software developers in order to access source code repositories, cloud platforms, integration and delivery processes, and open-source package registries to push malware into the supply chain and trigger compromises downstream. 

The threat group behind the botnet, which is likely based in Russia, according to CrowdStrike, fed malware into VSCode extensions, npm and Python packages and more than 300 GitHub repositories, researchers said. 

Glassworm affected Windows, macOS and Linux systems with data and credential theft, and a remote-access tool called GlasswormRAT.

“What stood out about Glassworm was the operational sophistication around propagation and automation,” Meyers said. “This wasn’t just a smash-and-grab compromise of a package repository. The operation was designed to move through trusted developer workflows in a way that could expand reach very quickly if left unchecked.”

The botnet relied on four layered channels that CrowdStrike disrupted, including the Solana blockchain, BitTorrent’s peer-to-peer network, Google Calendar and virtual private servers hosted by commercial providers. 

“As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in a post on X.

Piotr Kijewski, CEO of Shadowserver, said the non-profit organization assisted with some analysis and data sharing but noted the disruption was mostly CrowdStrike’s work.

The countermeasures took down “the connective tissue of the operation to create cascading operational pain,” Meyers said. “This forces the adversary to rebuild, while exposing tradecraft.”

CrowdStrike said the takedown demonstrates how the security industry can effectively thwart supply-chain threats by proactively disrupting the precise infrastructure attackers use without waiting for lengthy judicial processes. 

“When threat actors operate from jurisdictions where law enforcement cooperation is limited or nonexistent, disruption becomes one of the most effective tools available. If you can’t put handcuffs on the operator, you focus on dismantling the infrastructure, trust relationships, and operational dependencies,” Meyers added. 

The security company shared indicators of compromise to help organizations hunt for potential infections in their environments and called for other vendors, law enforcement agencies, platform operators and the open-source ecosystem to muster equal determination in responding to threats in the software supply chain.

“The more visibility and alignment you create across the ecosystem, the harder it becomes for the actor to quietly stand the operation back up,” Meyers said. “You may not eliminate the threat actor entirely, but you can absolutely reduce effectiveness, limit reach, and raise the cost of doing business.”

The post CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain appeared first on CyberScoop.
