
CrowdStrike and Google Dismantle the Glassworm Botnet, A Two-Year Developer Targeting Campaign

Key Takeaways

  • CrowdStrike, Google, and the Shadowserver Foundation simultaneously disabled Glassworm’s four command-and-control infrastructure channels.
  • Glassworm relied on Solana, BitTorrent, Google Calendar, and commercial VPS infrastructure to withstand partial takedown operations.
  • Operators continuously evolved for over a year, shifting from JavaScript to Rust and Zig across major developer ecosystems.
  • Separate “Mini Shai-Hulud” attacks compromised open-source projects through malicious updates involving an OpenAI developer account.

The Glassworm botnet exposed how cyberattacks are increasingly shifting toward software developers instead of traditional enterprise or consumer targets.

For more than a year, the operators quietly focused on high-value access points like source code repositories, cloud platforms, CI/CD pipelines, and package registries.

On May 26, 2026, CrowdStrike worked alongside Google and the Shadowserver Foundation to shut down all four command-and-control channels at once.

The operation highlights a growing industry reality: as AI coding tools and automated development pipelines make developers faster and more efficient, they are also creating a larger and more attractive attack surface for cybercriminals.

How Glassworm Operated and Why It Was Hard to Stop

Glassworm used a mix of blockchain networks, peer-to-peer systems, and legitimate web services to keep its infrastructure alive even during takedown attempts. 

Those layers acted as a protective front, hiding the real command-and-control servers behind multiple fallback channels. 

CrowdStrike said disabling only one channel would not have stopped the operation, since the others could quickly restore access, making the coordinated strike across all four channels critical.

The botnet spread through compromised open-source packages, malicious extensions in development tools like VSCode, and poisoned GitHub repositories targeting software developers. 

Once a developer's system was infected, attackers could access credentials, tokens, and signing keys that could be used to push malicious code across downstream dependency chains.

Glassworm had reportedly operated since early 2025 across Windows, macOS, and Linux systems. Based on CrowdStrike’s analysis, the operators are likely linked to Russia.

What This Means for the Industry Going Forward

Glassworm’s scale exposed a growing problem in software supply-chain security: once malicious packages enter dependency updates, detection often comes too late. Attacks can spread across systems within seconds, long before security teams respond. 

CrowdStrike’s senior vice president of counter adversary operations, Adam Meyers, told CyberScoop the takedown disrupted the botnet’s most critical services and slowed the attackers’ ability to expand.

The operation followed closely behind the Mini Shai-Hulud campaign, which compromised multiple open-source projects through malicious updates involving an OpenAI developer account. 

Together, the incidents show that developer identities and package ecosystems have become primary targets in modern software security, especially as AI reshapes the cybersecurity domain.

Source: Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

Fawad Malik

Fawad Malik is a digital marketing professional and technology writer with over 15 years of industry experience. He specializes in SEO, SaaS, AI, consumer technology, internet services, and content strategy. He is the Founder and CEO of WebTech Solutions, a digital agency focused on helping businesses grow through modern online strategies. Through NogenTech, Fawad shares practical insights on internet technology, WiFi, apps, AI tools, digital trends, and the latest tech updates for readers worldwide.
