CrowdStrike disrupts Glassworm botnet targeting developers

Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub

A dangerous malware campaign known as Glassworm has been spreading through the tools that software developers trust most every day. By abusing popular platforms like npm, PyPI, OpenVSX, and GitHub, the attackers have turned routine development workflows into entry points for data theft, credential harvesting, and persistent system access. The campaign first surfaced in October 2025, when malicious Visual Studio Code and OpenVSX extensions appear…

CrowdStrike, Google slay ‘unkillable’ Glassworm botnet targeting devs

Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports suggested the self-replicating malware’s infrastructure was unkillable due to the use of the immutable and distributed Solana public blockchain for C2 dead-drops. CrowdStrike wrote in its analysis that the Glassworm operators went further in their eff…

CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs

Simultaneous strike severed operators from infected machines.

CrowdStrike disrupts Glassworm botnet targeting developers

Developers using open-source tools face heightened supply-chain risk after the botnet lost all four of its command channels.

CrowdStrike Disrupts Glassworm Supply Chain Botnet

CrowdStrike announced the coordinated takedown of the Glassworm botnet, a large-scale operation that targeted software developers through compromised open-source packages, malicious VSCode extensions, and poisoned GitHub repositories.  The operation, conducted alongside Google and the Shadowserver Foundation, disrupted the botnet’s infrastructure and severed communication between the operators and infected systems. “In collaboration with Google …