Disrupting Glassworm: Inside CrowdStrike's Takedown of a Developer-Targeting Botnet
CrowdStrike, Tuesday, May 26th, 2026
CrowdStrike disrupted the Glassworm botnet targeting developers through supply chain attacks.
On May 26, 2026, CrowdStrike's Counter Adversary Operations team, in collaboration with Google and the Shadowserver Foundation, executed a coordinated takedown of the Glassworm botnet by simultaneously striking all four of its command-and-control channels.
Glassworm marked a significant shift in the threat landscape: it targeted software developers rather than products, because developers have access to source code repositories, CI/CD pipelines, and package registries.
The botnet operators conducted a multi-pronged campaign using trojanized VS Code extensions published to the Open VSX marketplace and npm and Python packages compromised with malicious code.
This takedown highlights the critical vulnerability in the software supply chain and underscores the importance of protecting developer environments from sophisticated adversaries.