GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Ravie Lakshmanan, May 27, 2026, Malware / Threat Intelligence

CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software supply chain campaign that targets software developers through malicious packages and extensions.

"Since at least early 2025, GlassWorm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries," CrowdStrike said.

The development comes as developers have become increasingly lucrative targets for software supply chain attacks: a single compromised workstation can be leveraged to reach thousands of downstream organizations and users at once.

Since its emergence last year, GlassWorm has run a "multi-pronged campaign" built on trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. Because VS Code forks such as Cursor, Positron, Windsurf, and VSCodium pull their extensions from Open VSX, the Open VSX channel extends the campaign's reach to users of those editors as well. The campaign is also known to have introduced malicious code through compromised npm and Python packages.

The end goal of the attacks is to deliver a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. Subsequent iterations of GlassWorm have been found to deploy a WebSocket-based JavaScript RAT called GlassWormRAT that steals web browser data and runs arbitrary code, including installing a Google Chrome extension that, in turn, collects screenshots, keystrokes, and clipboard content from the infected system.
"Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads," Endor Labs researcher Kiran Raj said. "Infected hosts are converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes (via WebRTC or spawned Node.js processes). That gives attackers anonymized network access into corporate and personal networks and a platform to propagate further."

Cumulatively, the malicious activity is said to have poisoned more than 300 GitHub repositories using stolen developer credentials.

What made the operation notable was its use of four distinct C2 resolution channels, chosen for resilience against takedown:

- Using the Solana blockchain as a dead drop resolver, storing C2 server addresses in the memo fields of blockchain transactions
- Querying the BitTorrent Distributed Hash Table (DHT) peer-to-peer network to retrieve configuration data
- Using Google Calendar as a dead drop, fetching the C2 server address from event titles
- Connecting directly to C2 infrastructure hosted on commercial VPS providers

"The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting the actual C2 servers behind multiple layers of indirection," CrowdStrike said.

The takedown neutralized all four channels simultaneously in a coordinated effort, so that infected machines can no longer receive new instructions or payloads. Had any one resolver been left standing, implants could have continued to recover a working C2 address through it.

Describing the GlassWorm operators as "well-resourced and persistent," the cybersecurity company attributed the activity to likely Russia-based cybercriminals, citing two indicators: the malware terminates execution on systems located in Commonwealth of Independent States (CIS) countries, and its code contains Russian-language comments.
"The software supply chain remains one of the most consequential attack surfaces in modern computing," CrowdStrike concluded. "Adversaries are turning an organization's dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers."

"The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. GlassWorm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems."