Glassworm Botnet Disrupted by CrowdStrike

3 min read 31.05.2026

CrowdStrike, Google and Shadowserver disrupted the Glassworm botnet that poisoned 300+ GitHub repos and targeted open source developers.

CrowdStrike, Google and Shadowserver Disrupt Glassworm Botnet

CrowdStrike, working with Google and Shadowserver (a nonprofit that scans and monitors the internet for cyberattacks), disrupted a botnet used to distribute malware and steal credentials from open-source software developers. The operation targeted the group behind the so-called Glassworm botnet, which CrowdStrike says has been attacking the open source software supply chain for about two years.

Why developers are being targeted

Recent months have seen multiple campaigns that target developers and open source projects. Attackers compromise developer accounts or inject malicious code into widely used projects. When organizations trust and consume that code, they can unknowingly deploy malware.

"Adversaries are no longer just targeting products, they're targeting the developers who build them," CrowdStrike wrote. "Compromising a single developer's workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users."

How Glassworm spread malware

CrowdStrike describes several tactics Glassworm operators used to push malicious code:

  • Publishing malicious extensions on developer marketplaces.
  • Malvertising: paying for sponsored search results or ads that trick developers into downloading malware.
  • Using credentials stolen in earlier breaches to hijack developer accounts and plant malware directly into repositories.

According to CrowdStrike, the attackers were able to poison more than 300 GitHub repositories. Those compromised repositories could in turn distribute malicious updates to downstream projects and organizations.

Technical details of the takedown

The takedown severed four command-and-control (C2) channels the group relied on. With those channels cut, the operators could no longer reach already-infected machines to task them or deliver additional malware.

CrowdStrike says the attackers used an eclectic mix of infrastructure for their C2 systems, including:

  • The Solana blockchain.
  • The BitTorrent peer-to-peer network.
  • Google Calendar as an unconventional control channel.
  • Virtual private servers (VPS) rented or compromised by the operators.

Legal and technical authority

It is unclear under what legal or technical authority CrowdStrike and its partners executed the takedown. CrowdStrike did not immediately comment when asked for details about the legal basis or the exact methods used.

Related supply-chain attacks

Supply-chain attacks against open source projects have increased recently. Examples include:

  • "Mini Shai-Hulud": A recent campaign that compromised several open source projects and pushed malicious updates. An OpenAI developer was reportedly targeted in that operation.
  • A March incident in which a suspected North Korean actor hijacked Axios, a widely used open source HTTP client library.

These incidents highlight how attackers focus on the trust relationships in software development. By compromising a single package, plugin, or developer account, attackers can reach many organizations downstream.

How developers and organizations can reduce risk

To defend against these threats, developers and organizations should consider several practical steps:

  • Use strong, unique credentials and enable multi-factor authentication on developer accounts and package registries; passwords stolen in earlier breaches were one of Glassworm's routes into developer accounts.
  • Review and audit dependencies regularly, pin versions, and use dependency scanners and supply-chain security tools.
  • Monitor for suspicious activity such as unexpected package publishes, new deploy keys or tokens, and changes to CI/CD pipeline files.
  • Harden developer workstations and limit administrative privileges, since a single compromised workstation can become the entry point for a downstream compromise.
  • Educate teams about the malvertising and phishing tactics that lead to credential theft.
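The monitoring step above is the one most often left vague, so here is a small added example of what "watch for unexpected publishes and CI/CD changes" can look like in code. This is not CrowdStrike's tooling or any provider's real audit schema: the event field names (actor, repo, action, ip, paths), the action names and the sample log lines are all constructed for illustration. It flags pushes that touch CI configuration, sensitive actions such as creating deploy keys or publishing packages, actors who act on a repository they have never touched before, and accounts that suddenly appear from a new source IP, which is what a hijacked developer account tends to look like in an audit trail.

```python
"""Flag risky repository events in a constructed audit log (added example).

Hypothetical event shape: {"ts", "actor", "repo", "action", "ip", "paths"}.
Field and action names are assumptions, not a real VCS provider's schema.
"""
import json
from collections import defaultdict

# Paths whose modification changes how code is built, tested or published.
CI_PATHS = (".github/workflows/", ".gitlab-ci.yml", "Jenkinsfile", ".circleci/")

# Actions that grant persistent access or ship code downstream.
SENSITIVE_ACTIONS = {"deploy_key.create", "token.create", "package.publish", "git.force_push"}

# Constructed sample events: alice's account is used from a new IP to edit a
# release workflow and add a deploy key, then a never-seen account publishes.
SAMPLE_LOG = """
{"ts": "2026-05-01T09:00:00Z", "actor": "alice", "repo": "acme/widget", "action": "git.push", "ip": "203.0.113.10", "paths": ["src/widget.py"]}
{"ts": "2026-05-02T10:15:00Z", "actor": "alice", "repo": "acme/widget", "action": "git.push", "ip": "203.0.113.10", "paths": ["README.md"]}
{"ts": "2026-05-03T03:42:00Z", "actor": "alice", "repo": "acme/widget", "action": "git.push", "ip": "198.51.100.7", "paths": [".github/workflows/release.yml"]}
{"ts": "2026-05-03T03:44:00Z", "actor": "alice", "repo": "acme/widget", "action": "deploy_key.create", "ip": "198.51.100.7", "paths": []}
{"ts": "2026-05-03T03:50:00Z", "actor": "mallory", "repo": "acme/widget", "action": "package.publish", "ip": "198.51.100.7", "paths": []}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return a list of findings, one dict per (event, rule) pair, in log order.

    State is built incrementally, so the first sighting of an actor or IP is
    treated as baseline and only later deviations are flagged.
    """
    findings = []
    ips_by_actor = defaultdict(set)    # actor -> source IPs seen so far
    actors_by_repo = defaultdict(set)  # repo  -> actors with prior activity

    for ev in events:
        actor, repo, ip = ev["actor"], ev["repo"], ev["ip"]
        rules = []

        # A known account appearing from an IP it has never used before.
        if ips_by_actor[actor] and ip not in ips_by_actor[actor]:
            rules.append("new_source_ip")

        # A push that modifies build/publish configuration.
        if ev["action"] == "git.push" and any(p.startswith(CI_PATHS) for p in ev.get("paths", [])):
            rules.append("ci_config_change")

        # Access-granting or code-shipping actions, worse when the actor is new to the repo.
        if ev["action"] in SENSITIVE_ACTIONS:
            rules.append("sensitive_action")
            if actor not in actors_by_repo[repo]:
                rules.append("unfamiliar_actor")

        for rule in rules:
            findings.append({"rule": rule, "ts": ev["ts"], "actor": actor,
                             "repo": repo, "action": ev["action"], "ip": ip})

        ips_by_actor[actor].add(ip)
        actors_by_repo[repo].add(actor)

    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['rule']:18} {f['actor']:8} {f['action']:18} {f['repo']} from {f['ip']}")
```

Run against the constructed log, the first two pushes establish a baseline and produce nothing; the workflow edit from the new IP, the deploy key creation, and the publish by an unfamiliar account each produce findings. In a real deployment the same logic would sit on the provider's audit stream, and the new-IP and unfamiliar-actor rules would be seeded from history rather than from the first few events.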

Contact and reporting

If you have information about the Glassworm group or other supply-chain attacks, contact CrowdStrike or relevant incident response teams. For media or reporting, Lorenzo Franceschi-Bicchierai at TechCrunch accepts secure tips by Signal (+1 917 257 1382), Telegram, Keybase and Wire @lorenzofb, or email [email protected]. Use non-work devices for sensitive tips.

About the reporter: Lorenzo Franceschi-Bicchierai is a senior writer at TechCrunch covering hacking, cybersecurity, surveillance and privacy.
