In a significant victory for cybersecurity, the Glassworm botnet, known for its innovative supply chain attacks on developers, has been dismantled. This achievement follows a strategic takedown of its resilient command-and-control infrastructure orchestrated by CrowdStrike, Google, and The Shadowserver Foundation. The botnet had been leveraging Solana blockchain transactions and the BitTorrent DHT network to evade traditional security measures.

Glassworm's campaigns began in October 2025, initially targeting developers through malicious extensions in OpenVSX and Microsoft VS Code. These extensions were designed to steal cryptocurrency wallets and developer credentials. The attacks later expanded to include GitHub repositories and npm packages, with a notable incident in March affecting over 400 software artifacts. More recently, Glassworm had embedded dormant extensions in OpenVSX, capable of activating their malicious payloads post-update.

The persistence of the Glassworm threat can be attributed to its sophisticated C2 infrastructure, which employed non-traditional communication channels. This setup made it challenging to dismantle as it utilized blockchain, peer-to-peer, and legitimate web services for communication. Disrupting one channel alone would have been ineffective, necessitating a coordinated effort to simultaneously target all four C2 channels.

The successful takedown means that infected machines can no longer receive new instructions or payloads from the botnet operators. Presently, machines compromised by Glassworm are signaling to the IP address 164.92.88.210, managed by CrowdStrike. Organizations are urged to scan their networks for this indicator and take immediate remediation actions. Additionally, YARA rules have been made available by researchers to help identify infections on potentially impacted systems.