- CrowdStrike, Google, and Shadowserver jointly dismantled the Glassworm botnet on May 26, 2026, by disrupting all four of its resilient C2 channels simultaneously
- Active since early 2025, Glassworm spread via trojanized VSCode extensions, poisoned npm/Python packages, and compromised GitHub repos, stealing developer credentials and deploying GlasswormRAT across Windows, macOS, and Linux
- The takedown highlights a shift in threat focus from products to developers, with coordinated precision required to neutralize its blockchain, BitTorrent DHT, Google Calendar, and VPS-based infrastructure
Cybersecurity researchers from CrowdStrike, Google, and the Shadowserver Foundation have teamed up to take down a major botnet targeting software developers all around the world.
In an announcement, the company said that on May 26, 2026, the task force shut down the Glassworm botnet by simultaneously disrupting all four of its C2 channels.
Glassworm is a global botnet, active since at least early 2025, and operated by well-resourced, persistent criminals likely based in Russia. It specifically targeted software developers through the open-source supply chain, largely because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.
Killing the unkillable
“This takedown matters beyond the botnet. Glassworm marked a major shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike explained. “Adversaries are no longer just targeting products, they’re targeting the developers who build them.”
The botnet propagated through trojanized VSCode extensions, malicious code snuck into npm and Python packages, as well as poisoned GitHub repositories (at least 300 of them). The malware carried out information theft, credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication), and deployed a full-featured remote access tool called GlasswormRAT, affecting Windows, macOS, and Linux systems.
The botnet’s C2 architecture used four channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers, all of which were designed to resist conventional takedown efforts. This combination earned Glassworm the epithet of the ‘unkillable botnet’ and called for “precision and timing” in the takedown.
“Taking down just one channel would have left the others operational, allowing the operators to quickly reconstitute,” CrowdStrike explained. “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.”



