Researchers disrupted the Glassworm botnet after dismantling its resilient command-and-control infrastructure during a coordinated cybersecurity operation. The malware campaign targeted software developers through malicious packages, poisoned repositories, and compromised development tools.
Security experts said Glassworm relied on several decentralized communication methods designed to survive traditional takedown efforts. The operation highlights the growing sophistication of modern supply-chain attacks targeting developers and software ecosystems.
Researchers Coordinated a Large Infrastructure Takedown
CrowdStrike confirmed that it worked with Google and the Shadowserver Foundation to disrupt the Glassworm botnet infrastructure. Investigators targeted all communication channels used by the malware at the same time.
Researchers explained that the malware relied on a highly resilient architecture built around several decentralized technologies. The infrastructure reportedly included:
- Solana blockchain transactions
- BitTorrent distributed networks
- Google Calendar dead-drop techniques
- Traditional VPS servers
The malware used these systems to receive commands and retrieve payloads while avoiding single points of failure. Investigators warned that removing only one communication channel would not have stopped the operation completely.
By targeting every communication method simultaneously, researchers prevented infected systems from receiving new instructions or downloading additional malware payloads.
Glassworm Targeted Developers and Software Ecosystems
Researchers said the Glassworm botnet mainly targeted software developers and development environments. The campaign focused heavily on repositories, cloud platforms, CI/CD pipelines, and software package ecosystems.
Attackers reportedly distributed malware through several methods, including:
- Malicious VSCode extensions
- Compromised npm packages
- Poisoned Python packages
- Stolen GitHub credentials
- Backdoored repositories
Investigators said the attackers compromised hundreds of GitHub repositories using stolen developer credentials. Researchers warned that attacks targeting developers create especially dangerous supply-chain risks because compromised systems can expose production environments and downstream customers.
The malware reportedly affected Windows, Linux, and macOS systems.
Researchers Described a Highly Resilient Infrastructure
Security researchers said Glassworm stood out because of its unusual infrastructure design. Instead of relying on traditional centralized command servers, the malware used several overlapping communication systems.
Researchers explained that the operation used Solana blockchain transactions to store encoded infrastructure information. The malware also leveraged BitTorrent peer-to-peer networks to retrieve configuration data without depending on centralized systems.
In some cases, the attackers even used Google Calendar event titles to hide encoded command-and-control details. Researchers said these techniques made the operation significantly harder to disrupt using conventional takedown methods.
The campaign demonstrates how threat actors continue adopting decentralized technologies to improve malware resilience and reduce infrastructure exposure.
Supply-Chain Threats Continue to Expand
Researchers warned that software developers remain attractive targets for cybercriminal groups. A single compromised development environment can potentially affect thousands of users through infected software updates or dependencies.
Supply-chain attacks continue growing because trusted software ecosystems create ideal opportunities for malware distribution. Security experts recommended stronger credential protections, stricter repository controls, and better monitoring of third-party packages and extensions.
Organizations should also review development environment security policies and implement stronger access management controls to reduce exposure.
Conclusion
The Glassworm botnet was disrupted after researchers coordinated a simultaneous takedown of its resilient command-and-control infrastructure. The malware operation targeted developers through supply-chain attacks involving malicious packages, compromised repositories, and infected development tools.
Researchers warned that decentralized communication systems are making modern malware campaigns harder to disrupt. The operation also highlights the growing importance of securing software development environments against advanced supply-chain threats.


0 responses to “Glassworm Botnet Disrupted After Major Infrastructure Takedown”