GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

Security Reporter

CrowdStrike, Google and the Shadowserver Foundation jointly neutralized the four‑layer command‑and‑control network used by the GlassWorm campaign, which had been injecting trojanized VS Code extensions and compromised npm/Python packages to steal developer credentials and turn infected machines into proxy nodes.

GlassWorm takedown cuts off a multi‑layer C2 network targeting developers

In a coordinated operation announced on May 27, 2026, CrowdStrike worked with Google and the Shadowserver Foundation to shut down all four command‑and‑control (C2) channels used by the GlassWorm malware family. The campaign, first spotted in early 2025, has been a prolific supply‑chain threat against software developers, poisoning VS Code extensions, npm modules and Python packages to harvest credentials, crypto wallets and system data.

Why GlassWorm mattered to the developer ecosystem

Developers have privileged access to source‑code repositories, CI/CD pipelines and package registries. When an attacker compromises a single developer workstation, they can push malicious updates to thousands of downstream users. GlassWorm exploited this position in three ways:

  1. Trojanized VS Code extensions published on the official Microsoft Marketplace and the open‑source Open VSX registry. The malicious payload reached not only VS Code but also forks such as Cursor, Positron, Windsurf and VSCodium.
  2. Compromised npm and PyPI packages that executed a loader capable of downloading additional modules.
  3. A WebSocket‑based JavaScript RAT (GlassWormRAT) that installed a Chrome extension to capture screenshots, keystrokes and clipboard data.

Endor Labs researcher Kiran Raj explained, “Once active, the malware searches the host for developer credentials – GitHub tokens, npm auth tokens, OpenVSX keys, even cryptocurrency wallet seeds – and then uses those to hijack repositories and push further malicious releases.”

The four‑layer C2 architecture

What set GlassWorm apart was its defense‑in‑depth C2 design. The operators layered four distinct resolution mechanisms to make takedowns difficult:

  • Solana blockchain – Server addresses were encoded in the memo fields of on‑chain transactions, acting as a dead‑drop resolver.
  • BitTorrent DHT – Nodes queried the distributed hash table for configuration blobs, allowing peer‑to‑peer retrieval without a central server.
  • Google Calendar – Event titles in a dedicated calendar stored the next‑hop C2 URL, blending with legitimate traffic.
  • Commercial VPS – Traditional IP‑based C2 servers hosted on low‑cost cloud providers for the final payload delivery.

CrowdStrike described the setup as “a dynamic front protecting the actual C2 servers behind multiple layers of indirection.”

The takedown operation

The joint effort targeted each layer simultaneously:

  • Blockchain – Researchers identified the specific Solana transaction IDs, reported them to the Solana Foundation, and had the memos flagged as malicious. The offending accounts were frozen.
  • DHT – Shadowserver injected bogus hash entries, effectively poisoning the BitTorrent lookup and cutting off the peer‑to‑peer channel.
  • Google Calendar – Using Google’s abuse reporting API, the team got the malicious calendar removed and the underlying account suspended.
  • VPS – CrowdStrike’s threat‑intel team worked with hosting providers to seize the IP ranges and shut down the servers.

After the operation, infected machines no longer receive new instructions or payloads, and the previously active SOCKS proxies, hidden VNC (HVNC) nodes and WebRTC‑based execution channels have been rendered inert.

Practical takeaways for developers and security teams

  1. Vet every third‑party extension – Before installing a VS Code extension, check the publisher’s reputation, review the source code (many are open‑source on GitHub), and monitor for sudden permission changes.
  2. Implement token hygiene – Store API tokens in secret‑management solutions, rotate them regularly, and enforce least‑privilege scopes. A compromised token should be revocable without disrupting CI pipelines.
  3. Enable supply‑chain scanning – Tools such as GitHub Dependabot, Snyk or OSS Index can detect newly published versions of packages that differ from expected signatures.
  4. Monitor for anomalous network traffic – Outbound connections to blockchain nodes, BitTorrent ports or unexpected calendar URLs are red flags. Use egress filtering and DNS‑level threat feeds to block known malicious resolvers.
  5. Adopt reproducible builds – By signing build artifacts and verifying signatures in CI, organizations can detect when a package has been tampered with upstream.
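The network‑monitoring takeaway above can be turned into a first‑pass triage rule. The script below is an added example written for this article; it is not CrowdStrike's, Google's or Shadowserver's tooling, and the log format, the process allow‑list and the sample lines are constructed. It scans egress records from developer workstations for the three "legitimate service" resolver layers described earlier (blockchain RPC, BitTorrent DHT ports, calendar API fetches from processes that have no business reading a calendar) and returns findings rather than blocking anything, because Google and Solana endpoints are also used by ordinary developer software. The Solana RPC hostname and the 6881–6889 BitTorrent port range are real public values; treating them as indicators is an assumption of this example.

```python
"""Egress-log triage for the resolver layers described in the article.

Added example, not from the article or the vendors it quotes. The log
format (ts host process proto dst port [url]), indicator lists and sample
lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Assumed indicators. The hostnames are real public endpoints; seeing them in
# developer egress traffic is a triage signal, not proof of compromise.
BLOCKCHAIN_RPC_HOSTS = {"api.mainnet-beta.solana.com"}
CALENDAR_HOSTS = {"calendar.google.com", "www.googleapis.com"}
CALENDAR_PATH_PREFIX = "/calendar/v3/"
DHT_UDP_PORTS = range(6881, 6890)  # conventional BitTorrent port range

# Assumed allow-list: processes that are expected to talk to calendar APIs.
CALENDAR_ALLOWED_PROCESSES = {"chrome", "firefox", "thunderbird"}

# Constructed log line format: ts host process proto dst_host dst_port [url]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<proto>tcp|udp) "
    r"(?P<dst>\S+) (?P<port>\d+)(?: (?P<url>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    process: str
    layer: str    # "blockchain", "dht" or "calendar"
    detail: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the record matches one of the resolver layers."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable records are skipped, never trusted
    ts, host, proc, proto = m["ts"], m["host"], m["proc"], m["proto"]
    dst, port, url = m["dst"], int(m["port"]), m["url"] or ""

    # Layer 1: dead-drop resolution over a public blockchain RPC endpoint.
    if dst in BLOCKCHAIN_RPC_HOSTS:
        return Finding(ts, host, proc, "blockchain", f"RPC to {dst}:{port}")

    # Layer 2: peer-to-peer config retrieval over the BitTorrent DHT.
    if proto == "udp" and port in DHT_UDP_PORTS:
        return Finding(ts, host, proc, "dht", f"UDP {dst}:{port}")

    # Layer 3: calendar API access from a process that should not need it.
    if dst in CALENDAR_HOSTS and proc not in CALENDAR_ALLOWED_PROCESSES:
        path = urlparse(url).path if url else ""
        if dst == "calendar.google.com" or path.startswith(CALENDAR_PATH_PREFIX):
            return Finding(ts, host, proc, "calendar",
                           f"{proc} fetched {url or dst}")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log stream and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample records: one developer workstation over two minutes.
SAMPLE_LOG = [
    "2026-05-20T09:01:02Z dev-ws-17 node tcp api.mainnet-beta.solana.com 443 "
    "https://api.mainnet-beta.solana.com/",
    "2026-05-20T09:01:05Z dev-ws-17 node udp 203.0.113.44 6881",
    "2026-05-20T09:02:10Z dev-ws-17 code tcp www.googleapis.com 443 "
    "https://www.googleapis.com/calendar/v3/calendars/primary/events",
    "2026-05-20T09:02:11Z dev-ws-17 chrome tcp www.googleapis.com 443 "
    "https://www.googleapis.com/calendar/v3/calendars/primary/events",
    "2026-05-20T09:03:00Z dev-ws-17 npm tcp registry.npmjs.org 443 "
    "https://registry.npmjs.org/lodash",
    "not a log line",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.ts} {finding.host} [{finding.layer}] {finding.detail}")
```

On the constructed sample the script reports three findings (the Solana RPC call and the DHT packet from `node`, and the calendar API fetch from the editor process) and stays silent on the browser's identical calendar request and on the ordinary npm registry traffic. The allow‑list‑by‑process design is deliberate: the article's point is that these channels blend with legitimate traffic, so the useful signal is which process is talking to the service, not the destination alone.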

What’s next for the threat landscape?

CrowdStrike’s analysis suggests the operators are likely Russia‑based cybercriminals – the malware aborts on systems located in CIS countries and contains Russian‑language comments. While the current infrastructure is down, the tactics (using legitimate services as dead‑drops) are likely to reappear in other campaigns.

Security teams should therefore:

  • Keep an eye on emerging abuse of cloud‑based calendars, blockchain memo fields, and peer‑to‑peer networks as C2 vectors.
  • Strengthen incident‑response playbooks to include rapid takedown coordination with service providers.
  • Educate developers on the risks of re‑using the same credentials across package registries and code‑hosting platforms.

The GlassWorm takedown demonstrates that coordinated, multi‑vendor action can dismantle even the most resilient supply‑chain threats. However, the underlying incentive – the ability to compromise a single developer and weaponize the entire software ecosystem – remains unchanged. Continuous vigilance, strong credential hygiene, and proactive supply‑chain defenses are the best line of defense.
