CrowdStrike, Google Disrupt GlassWorm Developer Supply-Chain Botnet in Coordinated Takedown
Key Takeaways
- CrowdStrike, Google, and the Shadowserver Foundation carried out a coordinated takedown of the GlassWorm botnet's command-and-control infrastructure on May 26, 2026, disrupting one of the largest active developer supply-chain campaigns
- Since early 2025, GlassWorm has used 73+ Open VSX impersonation extensions, malicious npm and Python packages, and 300+ poisoned GitHub repositories to compromise developer credentials
- The threat was confirmed active through April 29, 2026, when new malicious extension versions shipped; any organization using compromised developer tooling is affected
Summary
On May 26, 2026, CrowdStrike coordinated with Google and the Shadowserver Foundation to disrupt GlassWorm, a sophisticated developer supply-chain botnet that has compromised developer workstations, CI/CD runners, and source repositories since at least early 2025. The campaign used trojanized VS Code-compatible extensions, malicious npm and Python packages, and poisoned GitHub repositories created with stolen developer credentials to establish persistent access across the software development ecosystem.
Research by Socket identified a cluster of 73 Open VSX impersonation extensions built to deliver malicious VSIX payloads through obfuscated JavaScript, native Node.js addon (.node) installers, and transitive package dependencies. A wave of 23 new malicious versions was activated across 22 copycat extensions on April 29, 2026, showing that the operators were still developing the campaign just weeks before the takedown. The botnet's command-and-control design relied on hard-to-block public channels for evasion: Solana transaction memos, the BitTorrent DHT, and Google Calendar event titles were used alongside direct server connections.
The disruption severs C2 communications with infected systems, opening a critical containment window in which defenders can identify and remediate compromised hosts. CrowdStrike and security researchers stress that the takedown is not a cure: any confirmed GlassWorm infection must be handled as a full credential-compromise incident, not as a malware cleanup. A compromised developer machine may have exposed GitHub, npm, Open VSX, SSH, cloud, Kubernetes, package-registry, and AI-tooling credentials, so remediation means rotating every credential the host could reach and revoking its access across the organization's infrastructure, not just removing the extension or package.
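As an added example (not code from the article, CrowdStrike, Google, or Socket), the following Python script shows the two triage steps a responder would run on a developer workstation during the containment window described above: inventory the installed VS Code-compatible extensions, flagging any whose name matches an approved extension but whose publisher differs (the impersonation pattern Socket described) or whose install date falls on or after the April 29, 2026 activation wave, and enumerate which well-known credential stores exist on the host so each one lands on the rotation list. The extensions.json locations and field names (identifier.id, version, metadata.installedTimestamp), the credential-store paths, and the EXPECTED_PUBLISHER allowlist are assumptions about a typical Linux or macOS setup; the sample inventory is constructed, not captured from a real infection.

```python
"""Post-takedown triage of a developer workstation (added example, not from the article).

1. Inventory VS Code-compatible extensions and flag (a) a known extension name
   under an unexpected publisher (the impersonation pattern) and (b) installs on
   or after the 2026-04-29 activation wave reported in the article.
2. List which well-known credential stores exist on the host so every one of
   them is rotated, matching the article's "full credential compromise" stance.
"""
import json
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Date of the malicious-version wave reported in the article (UTC midnight).
WAVE_START = datetime(2026, 4, 29, tzinfo=timezone.utc)

# HYPOTHETICAL allowlist: extension name -> publisher you approved it from.
# Populate from your organization's approved-extension list.
EXPECTED_PUBLISHER = {
    "python": "ms-python",
    "gitlens": "eamodio",
    "prettier-vscode": "esbenp",
}

# Assumed inventory locations for VS Code and VSCodium/Open VSX clients.
EXTENSIONS_JSON = (".vscode/extensions/extensions.json",
                   ".vscode-oss/extensions/extensions.json")

# Assumed credential stores, relative to $HOME. Starting point only; add your
# own registry, CI, and AI-tool token locations.
CREDENTIAL_STORES = {
    "GitHub CLI token": ".config/gh/hosts.yml",
    "npm token": ".npmrc",
    "SSH private keys": ".ssh",
    "AWS credentials": ".aws/credentials",
    "gcloud credentials": ".config/gcloud/credentials.db",
    "Azure CLI token cache": ".azure/msal_token_cache.json",
    "kubeconfig": ".kube/config",
    "Docker/registry auth": ".docker/config.json",
    "netrc": ".netrc",
}


@dataclass
class Finding:
    extension_id: str
    version: str
    reason: str


def load_extension_entries(home: str) -> list[dict]:
    """Merge the entries of every extensions.json found under home."""
    entries: list[dict] = []
    for rel in EXTENSIONS_JSON:
        path = Path(home, rel)
        if path.is_file():
            entries.extend(json.loads(path.read_text(encoding="utf-8")))
    return entries


def triage_extensions(entries: list[dict], wave_start: datetime = WAVE_START) -> list[Finding]:
    """Return one Finding per suspicious property of each extension entry."""
    findings: list[Finding] = []
    for entry in entries:
        ext_id = entry.get("identifier", {}).get("id", "")
        version = entry.get("version", "?")
        publisher, _, name = ext_id.partition(".")   # ids are "publisher.name"
        expected = EXPECTED_PUBLISHER.get(name)
        if expected and publisher.lower() != expected.lower():
            findings.append(Finding(ext_id, version,
                                    f"publisher {publisher!r} does not match approved {expected!r}"))
        ts_ms = entry.get("metadata", {}).get("installedTimestamp")  # epoch milliseconds
        if ts_ms is not None:
            installed = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
            if installed >= wave_start:
                findings.append(Finding(ext_id, version,
                                        f"installed {installed:%Y-%m-%d}, inside activation window"))
    return findings


def credential_stores_present(home: str, exists=os.path.exists) -> list[str]:
    """Labels of credential stores that exist under home (exists is injectable for tests)."""
    return [label for label, rel in CREDENTIAL_STORES.items()
            if exists(os.path.join(home, rel))]


# Constructed sample inventory, not data from a real infection.
SAMPLE_ENTRIES = [
    {"identifier": {"id": "ms-python.python"}, "version": "2025.2.0",
     "metadata": {"installedTimestamp": 1735689600000}},   # 2025-01-01, approved publisher
    {"identifier": {"id": "ms-pyth0n.python"}, "version": "2025.2.1",
     "metadata": {"installedTimestamp": 1777334400000}},   # 2026-04-28, publisher typosquat
    {"identifier": {"id": "eamodio.gitlens"}, "version": "15.0.0",
     "metadata": {"installedTimestamp": 1777593600000}},   # 2026-05-01, inside window
    {"identifier": {"id": "acme.unrelated-tool"}, "version": "0.1.0"},  # no timestamp recorded
]

if __name__ == "__main__":
    home = os.path.expanduser("~")
    # Fall back to the constructed sample when the host has no extension inventory.
    for f in triage_extensions(load_extension_entries(home) or SAMPLE_ENTRIES):
        print(f"REVIEW {f.extension_id} {f.version}: {f.reason}")
    for label in credential_stores_present(home):
        print(f"ROTATE {label}: {CREDENTIAL_STORES[label]}")
```

Run it with no arguments to triage the current user's home directory. A hit in the publisher check is evidence of an impersonation install; a hit in the install-date window is only a prompt for manual review, since legitimate extensions also update. Every credential store the second check reports should be rotated and its old secret revoked, whether or not an impersonation extension was found, because the article's guidance is to treat a confirmed infection as full credential exposure.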