Cybersecurity

Major GlassWorm Takedown Disrupts Resilient Supply Chain Attacks

May 27, 2026 4 min read Source: Thehackernews 4 views

A global cybersecurity coalition has successfully dismantled the command-and-control infrastructure behind GlassWorm, a sophisticated malware campaign that has relentlessly targeted software developers. This significant disruption neutralizes a pervasive threat responsible for widespread supply chain compromises and credential theft across hundreds of software repositories.

GlassWorm operators strategically exploited popular developer tools, including trojanized VS Code extensions and malicious npm and Python packages, to infect development environments.
The malware was designed to exfiltrate critical developer credentials, cryptocurrency wallets, and system data, further converting compromised machines into covert SOCKS proxies and remote execution nodes.
Its command-and-control mechanisms demonstrated extraordinary resilience, leveraging decentralized technologies like blockchain and peer-to-peer networks alongside legitimate web services to obscure its true infrastructure.

Intelligence briefing: Why this matters: This incident highlights the critical need for robust supply chain security frameworks and multi-layered threat intelligence to counter state-aligned criminal groups leveraging advanced evasion techniques.

CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software chain campaign targeting software developers through malicious packages and extensions.

"Since at least early 2025, GlassWorm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries," CrowdStrike said.

The development comes as developers have increasingly become lucrative targets for pulling off software supply chain attacks, enabling attackers to leverage a single compromised workstation to impact thousands of downstream organizations and users at once.

GlassWorm, since its emergence last year, has conducted a "multi-pronged campaign" using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, thereby making it possible to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium.

The campaign is also known to have introduced malicious code through compromised npm and Python packages. The end goal of the attacks is to deliver a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities.

Subsequent iterations of GlassWorm have been found to deploy a Websocket-based JavaScript RAT called GlassWormRAT to steal web browser data and run arbitrary code, including installing a Google Chrome extension that, in turn, collects sensitive data, including screenshots, keystrokes, and clipboard content, from the infected system.

"Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads," Endor Labs researcher Kiran Raj said.

"Infected hosts are converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes (via WebRTC or spawned Node.js processes). That gives attackers anonymized network access into corporate and personal networks and a platform to propagate further."

Cumulatively, the malicious activity is said to have poisoned more than 300 GitHub repositories using stolen developer credentials. What made the operation notable was its use of four distinct C2 channels for improved resilience -

Using the Solana blockchain as a dead drop resolver by storing C2 server addresses in the memo fields of blockchain transactions

Querying the BitTorrent Distributed Hash Table (DHT) peer-to-peer network to retrieve configuration data

Employing Google Calendar as a dead drop resolver to fetch the C2 server address from event titles

Directly connecting to C2 infrastructure hosted on commercial VPS providers

"The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting the actual C2 servers behind multiple layers of indirection," CrowdStrike said.

As a result of the takedown, all four channels have been neutralized simultaneously in a coordinated effort so that infected machines can no longer receive new instructions or payloads.

Describing the GlassWorm operators as "well-resourced and persistent," the cybersecurity company attributed the activity to likely Russia-based cybercriminals given that the malware terminates execution on systems located in the Commonwealth of Independent States (CIS) countries and contains Russian-language comments.

"The software supply chain remains one of the most consequential attack surfaces in modern computing," CrowdStrike concluded. "Adversaries are turning an organization's dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers."

"The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. GlassWorm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems."

Analysis

The coordinated international effort to neutralize GlassWorm's highly adaptive C2 channels sets a precedent for effective counter-cybercrime operations against well-resourced adversaries. It underscores the enduring strategic vulnerability of the software development ecosystem, where a single compromised developer can cascade risks across countless downstream organizations. This reinforces that defenders must match the ingenuity of attackers who are increasingly weaponizing foundational development tools and platforms.

supply chain attackmalware takedowncybercrimesoftware securitydeveloper targetingcommand and controlrussia

📰 Primary Source: Thehackernews