• Glassworm botnet is no more

    From Mike Powell@1:2320/105 to All on Thu May 28 08:28:12 2026
    'Adversaries are no longer just targeting products, they're targeting the developers who build them': CrowdStrike takes down major botnet targeting developers across the world

    Date:
    Wed, 27 May 2026 17:35:00 +0000

    Description:
    The Glassworm botnet is no more, thanks to coordinated efforts between CrowdStrike, Google, and the Shadowserver Foundation.

    FULL STORY
    Cybersecurity researchers from
    CrowdStrike, Google, and the Shadowserver Foundation have teamed up to take down a major botnet targeting software developers all over the world.

    In an announcement, the company said on May 26, 2026, the taskforce shut
    down the Glassworm botnet by simultaneously disrupting all four of its C2 channels. Glassworm is a global botnet, active since at least early 2025, and operated by well-sourced, persistent criminals likely based in Russia. It specifically targeted software developers through the open-source supply
    chain mostly because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.

    This takedown matters beyond the botnet. Glassworm marked a
    significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software, CrowdStrike
    explained. Adversaries are no longer just targeting products, they're targeting the developers who build them.

    The botnet propagated through trojanized VSCode extensions, malicious code snuck into npm and Python packages, as well as poisoned GitHub repositories (at least 300 of them). The malware performed information theft, credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication), and deployed a full-featured remote access tool called GlasswormRAT, affecting Windows, macOS, and Linux systems.

    The botnet's C2 architecture used four channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers - all of which were designed to resist conventional takedown efforts. This combination earned Glassworm the epithet of the unkillable botnet and warranted precision and timing for the takedown.

    Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute, CrowdStrike explained. All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.

    Link to news story: https://www.techradar.com/pro/security/adversaries-are-no-longer-just-targeting-products-theyre-targeting-the-developers-who-build-them-crowdstrike-takes-down-major-botnet-targeting-developers-across-the-world

    $$
    --- MultiMail/DOS
    * Origin: Capitol City Hub (1:2320/105)