- CrowdStrike, Google, and Shadowserver jointly took down the Glassworm botnet on May 26, 2026, by disrupting its four resilient C2 channels simultaneously.
- Active since early 2025, Glassworm spread via trojanized VSCode extensions, poisoned npm/Python packages, and compromised GitHub repositories, stealing developer credentials and deploying GlasswormRAT on Windows, macOS, and Linux.
- The takedown highlights a shift in attacker focus from products to the developers who build them, and it required coordinated precision to neutralize the botnet's blockchain, BitTorrent DHT, Google Calendar, and VPS-based infrastructure.
Cybersecurity researchers from CrowdStrike, Google, and the Shadowserver Foundation have teamed up to take down a major botnet targeting software developers around the world.
In an announcement, the company said that on May 26, 2026, the task force shut down the Glassworm botnet by simultaneously disrupting its four C2 channels.
Glassworm is a global botnet, active since at least early 2025 and operated by persistent and knowledgeable criminals, likely based in Russia. It specifically targeted software developers across the open source supply chain, primarily because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.
Kill the indestructible
“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for all organizations shipping or consuming software,” CrowdStrike explained. “Adversaries are no longer just targeting products, but the developers who create them.”
The botnet spread via trojanized VSCode extensions, malicious code inserted into npm and Python packages, and poisoned GitHub repositories (at least 300 of them). The malware performed data theft and credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication), and deployed a full-featured remote access tool called GlasswormRAT, affecting Windows, macOS, and Linux systems.
The botnet’s C2 architecture used four channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers, all of which were designed to resist conventional takedown efforts. This combination earned Glassworm the epithet “unkillable botnet” and meant that taking it down required “precision and timing.”
“Eliminating just one channel would have left the others operational, allowing operators to quickly reconstitute,” CrowdStrike explained. “We had to disrupt all four channels simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.”
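For the credential types the article lists as harvested (GitHub tokens, npm tokens, SSH keys), a developer workstation can be inventoried to see what would need rotating after a suspected infection. The script below is an added example, not code from the article or from CrowdStrike; the file locations are assumed stock tool defaults, the function names are hypothetical, and VSCode authentication is not covered.

```python
import base64, re, struct
from pathlib import Path

# Assumed stock tool defaults, not paths taken from the Glassworm announcement.
TOKEN_FILES = [".npmrc", ".git-credentials", ".netrc", ".config/gh/hosts.yml"]
TOKEN_RE = re.compile(r"_authToken\s*=\s*\S+|\bgh[pousr]_[A-Za-z0-9]{36,}"
                      r"|\bgithub_pat_[A-Za-z0-9_]{22,}")
MAGIC = b"openssh-key-v1\0"

def ssh_key_state(text):
    """None if text holds no private key, else its protection state."""
    m = re.search(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----(.*?)-----END", text, re.S)
    if not m:
        return None
    label, body = m.groups()
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"  # PKCS#8 or legacy PEM passphrase protection
    if label.strip() != "OPENSSH":
        return "plaintext"
    try:  # openssh-key-v1 layout: magic, then a length-prefixed cipher name
        blob = base64.b64decode("".join(body.split()))
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
    except (ValueError, struct.error):
        return "unreadable"
    if not blob.startswith(MAGIC):
        return "unreadable"
    cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
    return "plaintext" if cipher == b"none" else "encrypted"

def inventory(home):
    """Return (relative path, kind) pairs to rotate; never echoes a secret."""
    home, found = Path(home), []
    for rel in TOKEN_FILES:
        p = home / rel
        if p.is_file() and TOKEN_RE.search(p.read_text(errors="replace")):
            found.append((rel, "token"))
    for p in sorted((home / ".ssh").glob("*")):
        state = ssh_key_state(p.read_text(errors="replace")) if p.is_file() else None
        if state:
            found.append((f".ssh/{p.name}", f"ssh-key:{state}"))
    return found

def fake_key(cipher):
    """Constructed openssh-key-v1 header only (no key material), for testing."""
    b64 = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for path, kind in inventory(Path.home()):
        print(f"{kind:20} ~/{path}")
```

Keys reported as `ssh-key:plaintext` are usable by anything that can read the file, so they are the first to replace; a passphrase-protected key copied from a compromised host should still be rotated.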





