Supply Chain Alert: Glassworm Botnet Targeting GitHub and VS Code Taken Down
The Glassworm botnet has been dismantled thanks to a joint operation led by CrowdStrike, Google, and The Shadowserver Foundation. This malware specifically targeted developers by compromising open source tools, infecting extensions, and setting up fake GitHub repositories.
As a reminder, Glassworm is a worldwide botnet that targets developers through the software supply chain. By extension, organizations are also directly targeted through the infection of these developers' machines. The malware is capable of infecting Windows, Linux, and macOS machines.
Neutralizing the C2 Infrastructure
On May 26, 2026, a coordinated action made it possible to shut down the Glassworm botnet. Led by CrowdStrike, Google, and the Shadowserver Foundation, this takedown operation simultaneously targeted the four "C2" (Command & Control) communication channels used by the botnet. The goal was to cut off all communication at once between infected machines and the cybercriminals.
"The Glassworm operators designed their infrastructure with resilience in mind. The botnet's C2 architecture relied on four distinct channels, built to withstand traditional takedown attempts," CrowdStrike researchers note.

Although the takedown operation was successful, we do not know the exact number of systems affected. In any case, this is good news: there has been a growing wave of attacks targeting development and CI/CD environments over the past few months (notably via TeamPCP).
The TTPs: Infiltrating Development Tools
To trap developers, and I would even say IT professionals in general, the attackers behind Glassworm built an infection chain that exploits the trust placed in tools from the open source ecosystem. In their report, CrowdStrike researchers highlighted several propagation methods:
- Poisoning open source packages,
- Distributing fake malicious extensions for the free Visual Studio Code tool,
- Using malvertising,
- Creating GitHub repositories that appeared legitimate to developers.
Once a machine was infected, the Glassworm malware was able to collect sensitive information, ranging from authentication tokens to cloud credentials. Its botnet behavior comes from the fact that Glassworm is designed to maintain persistent remote access and deliver additional payloads within developers' workflows.
"More than 300 GitHub repositories were compromised using developer credentials stolen during earlier Glassworm infections, with malicious code forced into the default branches," the report specifies.