
A coordinated cybersecurity operation has disrupted a botnet known as “Glassworm” that targeted software developers through malicious open-source packages, compromised GitHub repositories, and infected development tools.
The takedown took place on May 26 with support from CrowdStrike, Google, and the Shadowserver Foundation, targeting all four of the botnet’s command-and-control channels simultaneously to cut off communication with infected systems.
Glassworm was described as a global malware operation focused on compromising developers and software supply chains across Windows, macOS, and Linux environments. The malware was designed to steal credentials, maintain remote access, and distribute additional payloads through developer workflows and open-source ecosystems.

Researchers said the attackers spread the malware through poisoned open-source packages, malicious Visual Studio Code extensions, and tampered GitHub repositories that appeared legitimate to developers. Once installed, the malware could harvest authentication tokens, cloud credentials, and other sensitive information commonly stored in development environments.

The operation’s organizers did not publicly identify the threat actors behind Glassworm or disclose how many systems were affected. However, researchers warned that developers and organizations relying heavily on open-source tooling remain attractive targets for supply chain attacks.
The disruption follows a growing wave of attacks targeting developer infrastructure and CI/CD environments in recent months, including campaigns involving malicious GitHub Actions workflows and compromised software dependencies.
Organizations are being urged to review developer environments for suspicious packages and unauthorized extensions, rotate exposed credentials, and monitor systems for signs of compromise linked to the Glassworm infrastructure.
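The review of developer environments recommended above can be partly automated. The script below is an added example, not code from the article, CrowdStrike, Google, or Shadowserver: it audits a workstation's installed VS Code extensions and a project's `node_modules` manifests against an organisation-maintained allowlist and flags dependencies that register npm install-time lifecycle hooks (`preinstall`, `install`, `postinstall`), since a dependency that runs code at install time deserves a second look. The allowlists, the sample `extensions.json` content, and the sample dependency manifests are all constructed for illustration; the `extensions.json` layout (`identifier.id` plus `version`) is assumed to match what VS Code writes under `~/.vscode/extensions`.

```python
"""Audit VS Code extensions and npm dependencies against an allowlist.

Added example for the Glassworm article; not the article's or any vendor's
tooling. Allowlists and sample inputs below are constructed placeholders.
"""
from __future__ import annotations

import json
from pathlib import Path

# npm lifecycle scripts that execute when a package is installed.
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}

# Hypothetical organisation allowlists (constructed; replace with your own).
ALLOWED_EXTENSIONS = {"ms-python.python", "dbaeumer.vscode-eslint"}
ALLOWED_PACKAGES = {"express", "lodash"}


def parse_vscode_extensions(extensions_json: str) -> list[str]:
    """Return lower-cased extension ids from an extensions.json document.

    Assumes the file is a JSON list whose entries carry identifier.id.
    """
    entries = json.loads(extensions_json)
    return [entry["identifier"]["id"].lower() for entry in entries]


def audit_extensions(extension_ids, allowlist=ALLOWED_EXTENSIONS) -> list[str]:
    """Extension ids that are installed but not on the allowlist."""
    allowed = {a.lower() for a in allowlist}
    return sorted(set(extension_ids) - allowed)


def audit_dependencies(manifests: dict[str, str], allowlist=ALLOWED_PACKAGES) -> dict:
    """Check dependency package.json texts keyed by package name.

    Reports packages outside the allowlist and any install-time hooks,
    with the hook command so a reviewer can see what would have run.
    """
    findings = {"unlisted": [], "install_hooks": {}}
    for name, text in manifests.items():
        if name not in allowlist:
            findings["unlisted"].append(name)
        scripts = json.loads(text).get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if hooks:
            findings["install_hooks"][name] = hooks
    findings["unlisted"].sort()
    return findings


def collect_node_modules(root: Path) -> dict[str, str]:
    """Read node_modules/<name>/package.json, including scoped @org/name."""
    manifests = {}
    for manifest in root.glob("*/package.json"):
        manifests[manifest.parent.name] = manifest.read_text()
    for manifest in root.glob("@*/*/package.json"):
        scoped = f"{manifest.parent.parent.name}/{manifest.parent.name}"
        manifests[scoped] = manifest.read_text()
    return manifests


# Constructed sample data: one unapproved extension and one unapproved
# dependency that registers a postinstall hook.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0"},
    {"identifier": {"id": "Example.Totally-Legit-Helper"}, "version": "0.0.1"},
])
SAMPLE_MANIFESTS = {
    "express": json.dumps({"name": "express", "scripts": {"test": "mocha"}}),
    "totally-legit-utils": json.dumps({
        "name": "totally-legit-utils",
        "scripts": {"postinstall": "node setup.js"},
    }),
}


if __name__ == "__main__":
    bad_ext = audit_extensions(parse_vscode_extensions(SAMPLE_EXTENSIONS_JSON))
    print("unapproved extensions:", bad_ext)
    print("dependency findings:", audit_dependencies(SAMPLE_MANIFESTS))
```

On a real workstation, feed `parse_vscode_extensions` the text of `~/.vscode/extensions/extensions.json` and `audit_dependencies` the result of `collect_node_modules(Path("node_modules"))`. The allowlist approach flags anything unknown rather than matching known-bad names, which matters for a campaign whose packages and extensions were built to look legitimate.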