CrowdStrike, Google, and The Shadowserver Foundation disrupted the Glassworm botnet by cutting off four coordinated command-and-control channels tied to Solana blockchain transactions, BitTorrent DHT, Google Calendar, and direct VPS connections. The botnet had been used since October 2025 in supply-chain attacks against developers through malicious OpenVSX, VS Code, GitHub, and npm artifacts that stole wallets and credentials. #Glassworm #CrowdStrike #Google #ShadowserverFoundation #OpenVSX #VSCode #GitHub #npm #Solana #BitTorrent
Keypoints
- Glassworm targeted developers through malicious extensions and packages.
- The campaigns stole cryptocurrency wallets and developer credentials.
- The botnet used resilient C2 layers across Solana, BitTorrent DHT, Google Calendar, and VPS servers.
- CrowdStrike, Google, and The Shadowserver Foundation disrupted all four channels at once.
- Since the disruption, infected hosts beacon to 164.92.88[.]210 (written defanged; refang before matching), so outbound connections to that address are a network indicator of infection, and YARA rules were published for host-level detection.