A coordinated operation by CrowdStrike, Google, and the Shadowserver Foundation has taken down the Glassworm botnet, a sophisticated malware network that embedded itself in open-source software projects to compromise developers and steal cryptocurrency. The takedown, executed on May 26, disrupted all four of the botnet’s command-and-control channels simultaneously.
How Glassworm operated
The botnet maintained four separate command-and-control channels using the Solana blockchain, Google Calendar, BitTorrent DHT, and commercial VPS servers. If one channel got shut down, the malware could fall back to the others.
The malware, dubbed GlasswormRAT, first surfaced in October 2025 when security firm Koi Security discovered it lurking on the OpenVSX marketplace. By early 2026, GlasswormRAT had infiltrated the official VS Code extension store, npm, PyPI, and over 300 GitHub repositories.
Developers would install what appeared to be legitimate packages or editor extensions. The malicious code then went to work stealing credentials from development platforms. GlasswormRAT also targeted dozens of cryptocurrency wallet browser extensions, quietly siphoning funds from the wallets of developers who happened to hold digital assets.