- Major cybersecurity firms CrowdStrike, Google, and Shadowserver Foundation disrupted a persistent developer-targeting botnet named GlassWorm on May 27, 2026.
- The botnet used trojanized VS Code extensions and malicious code packages to steal developer credentials, cryptocurrency wallets, and system data, according to researchers.
- The takedown neutralized the botnet’s four distinct and resilient command-and-control channels simultaneously, cutting off infected machines from new instructions.
In a significant coordinated action on May 27, 2026, a coalition led by CrowdStrike successfully dismantled the command infrastructure of the GlassWorm botnet, a persistent cybercriminal campaign targeting software developers globally. The operation, conducted in partnership with Google and the Shadowserver Foundation, simultaneously disrupted all four of the botnet’s resilient command channels, according to a CrowdStrike report. This development highlights the escalating threat to the software supply chain, where a single compromised developer workstation can impact thousands of downstream organizations.
GlassWorm operators, described as “well-resourced and persistent,” had conducted a multi-pronged campaign since early 2025. They primarily used malicious VS Code extensions published on marketplaces to target developers using popular code editors, as detailed by researchers. The campaign’s end goal was to deploy a sophisticated data-theft framework capable of credential harvesting and cryptocurrency wallet exfiltration.
Once active, the malware aggressively searched infected hosts for developer credentials and crypto wallets. In addition, infected systems were converted into covert infrastructure such as proxies and remote execution nodes, giving the attackers anonymized network access. This access allowed them to poison over 300 GitHub repositories using stolen credentials.
The botnet’s architecture was notably resilient, employing a combination of blockchain, peer-to-peer, and legitimate web services for command-and-control. However, the coordinated takedown neutralized all these channels, preventing infected machines from receiving new payloads. CrowdStrike attributed the activity to likely Russia-based cybercriminals, citing Russian-language code and execution safeguards for systems in CIS countries.
“The software supply chain remains one of the most consequential attack surfaces in modern computing,” CrowdStrike concluded. The firm warned that as long as developer environments remain under-protected, every organization that consumes software inherits significant risk from these supply chain attacks.