Glassworm botnet disrupted after resilient C2 infrastructure takedown

The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network.

mercoledì 27 maggio 2026 New tab

In a coordinated operation conducted yesterday, CrowdStrike, Google, and The Shadowserver Foundation cut off the botnet operators’ access to four distinct command-and-control (C2) channels designed to resist conventional disruption efforts.

Glassworm campaigns have been ongoing since October 2025 and initially targeted developers with malicious OpenVSX and Microsoft VS Code extensions that stole cryptocurrency wallets and developer credentials.

Later attack waves extended to GitHub repositories and npm packages, with one campaign in March impacting more than 400 software artifacts.

In a more recent attack, Glassworm operators planted dozens of dormant extensions on OpenVSX that would activate the malicious component after an update.

Later attack waves extended to GitHub repositories and npm packages, with one campaign in March impacting more than 400 software artifacts.

In a more recent attack, Glassworm operators planted dozens of dormant extensions on OpenVSX that would activate the malicious component after an update.

Glassworm botnet disrupted after resilient C2 infrastructure takedown

Glassworm botnet disrupted after resilient C2 infrastructure takedown

Other newsrooms on this story

Related reading

CrowdStrike and Google dismantle Glassworm botnet that targeted developers and…