- CrowdStrike, Google, and Shadowserver jointly took down the Glassworm botnet on May 26, 2026, by simultaneously disrupting its four resilient C2 channels.
- Active since early 2025, Glassworm spreads via trojanized VSCode extensions, poisoned npm/Python packages, and compromised GitHub repositories, stealing developer credentials and deploying GlasswormRAT on Windows, macOS, and Linux.
- The takedown highlights a shift in threat focus from products to developers, with coordinated precision required to neutralize its blockchain, BitTorrent DHT, Google Calendar and VPS-based infrastructure.
Cybersecurity researchers from CrowdStrike, Google, and the Shadowserver Foundation have teamed up to take down a large botnet targeting software developers around the world.
In a statement, CrowdStrike announced on May 26, 2026, that the task force shut down the Glassworm botnet by disrupting its four C2 channels simultaneously.
Glassworm is a global botnet, active since at least early 2025, and operated by persistent and well-resourced criminals, likely based in Russia. It specifically targeted software developers across the open source supply chain, primarily because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.
Kill the invincible
“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike explained. “Adversaries are no longer just targeting products, they are targeting the developers who build them.”
The botnet spread via trojanized VSCode extensions, malicious code planted in npm and Python packages, and poisoned GitHub repositories (at least 300 of them). The malware performed information theft, credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication) and deployed a comprehensive remote access tool called GlasswormRAT, affecting Windows, macOS and Linux systems.
The botnet’s C2 architecture used four channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers, all designed to resist conventional takedown efforts. This combination earned Glassworm the nickname “invincible botnet” and meant the takedown depended on “accuracy and timing.”
“Removing just one channel would have left the others operational, allowing operators to quickly restock,” CrowdStrike explained. “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.”





