GlassWorm Botnet Disrupted

  • What: GlassWorm botnet disrupted
  • Impact: Open source software ecosystem targeted

Security firms took down all four command-and-control (C&C) channels used by the GlassWorm malware.

By Ionut Arghire | May 27, 2026 (6:10 AM ET)

The GlassWorm botnet that has been targeting the open source software ecosystem for over six months has been disrupted, cybersecurity firm CrowdStrike reports.

Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm’s four command-and-control (C&C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads.

The malware has been using the Solana blockchain for C&C infrastructure, with Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial VPS providers serving as backup C&Cs.

GlassWorm’s operators have been encoding C&C addresses in the memo fields of blockchain transactions, which cannot be modified or deleted. The BitTorrent network was used to store configuration data against hardcoded public keys, Google Calendar was used to store Base64-encoded C&C paths in event titles, and the traditional C&C servers were used to host payloads.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C&C servers behind multiple layers of indirection,” CrowdStrike notes.

By taking down all four channels at the same time, the cybersecurity firms severed the operators’ access to the infected machines and their ability to deliver new instructions.

First spotted in October 2025, GlassWorm has been relying on Unicode variation selectors to hide its code in code editors and make it invisible to the human eye. The self-propagating malware was initially distributed via trojanized Visual Studio extensions published on the OpenVSX marketplace.
In November, however, it also emerged on GitHub. In 2026, GlassWorm attacks continued to target VS developers and other open source software ecosystems. In March, multiple Python projects were compromised.

“The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts,” CrowdStrike says.

GlassWorm is designed to steal sensitive information (such as NPM, GitHub, and Git credentials) and funds from dozens of cryptocurrency extensions. It also deploys SOCKS proxy servers and hidden VNC servers for remote access to the infected machines.

The attackers’ access to stolen credentials created an ongoing risk of high-impact supply chain compromises beyond the victim developers. All consumers of potentially impacted software, including enterprises and other types of organizations, were also exposed to compromise.

According to CrowdStrike, evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.

“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike notes.

In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected machines to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check for connections to this IP address to identify potential infections.
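As an added example (not code from the article, CrowdStrike, or the takedown itself), two defensive checks that follow from the indicators in the text: a scanner for runs of invisible Unicode variation selectors in source files, and a search of firewall-style logs for hosts beaconing to the sinkhole address the article names. The `src=<ip> dst=<ip>` log format and all sample inputs are constructed for this example.

```python
import re

# Unicode variation selectors: basic block U+FE00..U+FE0F and supplementary U+E0100..U+E01EF;
# both render as nothing in an editor, which is what the hiding technique relies on.
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
# Sinkhole address named in the article (written there defanged as 164.92.88[.]210).
SINKHOLE_IP = "164.92.88.210"

def is_variation_selector(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)

def find_hidden_selector_runs(source, min_run=2):
    """Return (line, column, length) for each run of at least min_run variation selectors.
    A lone U+FE0F after an emoji is normal text; a long run with nothing visible to modify is the anomaly."""
    runs = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_variation_selector(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_variation_selector(line[col]):
                col += 1
            if col - start >= min_run:
                runs.append((line_no, start, col - start))
    return runs

def find_sinkhole_beacons(log_lines):
    """Sorted source hosts that contacted the sinkhole, from constructed 'src=<ip> dst=<ip>' log lines."""
    pattern = re.compile(r"src=(\S+)\s+dst=" + re.escape(SINKHOLE_IP) + r"(?!\d)")
    hosts = set()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            hosts.add(match.group(1))
    return sorted(hosts)

# Constructed sample input (not real telemetry): four selectors appended to line 2 of a snippet,
# and three firewall-style log lines, two of them to the sinkhole.
SAMPLE_SOURCE = "const x = 1;\nconst y = 2;\ufe00\ufe01\U000e0100\U000e0101\nconst z = 3;"
SAMPLE_LOGS = [
    "2026-05-27T10:00:00Z action=allow src=10.0.0.5 dst=164.92.88.210 dport=443",
    "2026-05-27T10:00:01Z action=allow src=10.0.0.6 dst=93.184.216.34 dport=443",
    "2026-05-27T10:00:02Z action=allow src=10.0.0.7 dst=164.92.88.210 dport=80",
]

if __name__ == "__main__":
    print(find_hidden_selector_runs(SAMPLE_SOURCE), find_sinkhole_beacons(SAMPLE_LOGS))
```

Run the selector scan over a checked-out repository or an unpacked extension bundle, not only over files the editor shows you, since the point of the technique is that the editor shows nothing.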
“As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems,” CrowdStrike notes.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.