- CrowdStrike, Google, and Shadowserver jointly dismantled the Glassworm botnet on May 26, 2026, by disrupting all four of its resilient C2 channels simultaneously
- Active since early 2025, Glassworm spread via trojanized VSCode extensions, poisoned npm/Python packages, and compromised GitHub repos, stealing developer credentials and deploying GlasswormRAT across Windows, macOS, and Linux
- The takedown highlights a shift in threat focus from products to developers, with coordinated precision required to neutralize its blockchain, BitTorrent DHT, Google Calendar, and VPS‑based infrastructure
Cybersecurity researchers from CrowdStrike, Google, and the Shadowserver Foundation have teamed up to take down a major botnet targeting software developers all over the world.
In an announcement, CrowdStrike said that on May 26, 2026, the task force shut down the Glassworm botnet by simultaneously disrupting all four of its C2 channels.
Glassworm is a global botnet, active since at least early 2025, and operated by well-resourced, persistent criminals likely based in Russia. It specifically targeted software developers through the open-source supply chain, mostly because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.
Killing the unkillable
“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike explained. “Adversaries are no longer just targeting products, they're targeting the developers who build them.”
The botnet propagated through trojanized VSCode extensions, malicious code snuck into npm and Python packages, as well as poisoned GitHub repositories (at least 300 of them). The malware performed information theft, credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication), and deployed a full-featured remote access tool called GlasswormRAT, affecting Windows, macOS, and Linux systems.
The botnet's C2 architecture used four channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers, all of which were designed to resist conventional takedown efforts. This combination earned Glassworm the epithet of the ‘unkillable botnet’ and meant the takedown required “precision and timing”.
“Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute,” CrowdStrike explained. “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.”