Glassworm Takedown: How CrowdStrike, Google, and Shadowserver Killed the “Unkillable” Developer Botnet
🚨 ACTIVE SUPPLY CHAIN ATTACK — Developers using VS Code, npm, or GitHub: If you had any OpenVSX extensions installed between October 2025 and May 2026, treat your credentials as potentially compromised. Check your logs for 164.92.88[.]210 immediately. Rotate: GitHub tokens, npm tokens, SSH keys, AWS credentials, and 1Password vaults.
Sources: CrowdStrike Counter Adversary Operations · Google Threat Intelligence · Shadowserver Foundation · BleepingComputer · iTnews · eSecurity Planet · Socket · Aikido Security · StepSecurity · Koi Security · Malwarebytes · Scientific American · The Hacker News | Threat actor: Unknown (possible Russia nexus) | Campaign: Glassworm | Takedown date: May 26, 2026, 14:00 UTC
What happened
Yesterday at 14:00 UTC, CrowdStrike, Google, and the Shadowserver Foundation executed a simultaneous precision strike on four separate command-and-control channels of the Glassworm botnet — a global supply chain threat that the security community had spent months describing as impossible to take down.
It worked. The Glassworm botnet is silent. Its operators cannot reach their infected machines. They cannot push new payloads or update instructions. The pipeline that turned compromised developer workstations into a credential-harvesting and network-infiltration operation has been severed.
But the story of how Glassworm was built — and why it took a Solana blockchain wallet takeover, a BitTorrent DHT eclipse attack, and a Google Calendar neutralization to kill it — matters as much as the takedown itself. Glassworm was not just another botnet. It was a proof of concept that attackers can build C2 infrastructure so deeply woven into legitimate internet services that conventional security tooling cannot touch it. It almost worked permanently.
| Field | Detail |
|---|---|
| Campaign name | Glassworm |
| Active since | October 2025 (first wave) |
| Takedown date | May 26, 2026, 14:00 UTC |
| Takedown partners | CrowdStrike · Google · Shadowserver Foundation |
| C2 channels neutralized | Solana blockchain · BitTorrent DHT · Google Calendar · VPS servers |
| Compromised components | 433+ across GitHub, npm, VSCode, OpenVSX |
| GitHub repos poisoned | 300+ |
| Malicious VS Code extensions | 73 sleeper extensions on OpenVSX |
| Developer downloads affected | 50,000+ |
| Credentials targeted | GitHub tokens · npm tokens · SSH keys · AWS keys · 1Password vaults · 49 crypto wallet extensions |
| RAT deployed | ZOMBI — SOCKS proxy + HVNC + WebRTC P2P + fake Chrome extension |
| Primary IOC | 164.92.88[.]210 — any connection = confirmed infection |
| Attribution | Unknown — circumstantial Russia nexus |
Why developers were the target
Glassworm’s operators did not attack enterprise perimeters. They attacked the developers who build the software running inside them.
A developer’s workstation is a master key — source code access, cloud credentials, CI/CD pipeline secrets, SSH keys, AWS access keys, and internal API credentials. Compromise one developer and you have a path into every system they touch. Glassworm’s operators built an infection chain designed to harvest those keys at scale, invisibly.
The defining technique: payloads hidden inside invisible Unicode characters — Unicode Private Use Area characters that render as nothing in any code editor, diff viewer, or code review interface. Literally invisible to human review. As Koi Security put it when the campaign first appeared: “We have built entire systems around the assumption that humans can review code. GlassWorm just proved that assumption wrong.”
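An added example (not code from this brief or from any vendor it cites) of the review-side check that sentence calls for: a small Python scanner that flags Private Use Area and zero-width format characters in source text and groups them into runs, because a long run embedded in a comment or string, rather than a stray byte-order mark, is what a hidden payload looks like. The sample JavaScript source is constructed.

```python
import sys
import unicodedata

def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing in editors and diff viewers.

    Co = Private Use Area (U+E000-U+F8FF plus the two supplementary PUA planes),
    Cf = format characters such as zero-width joiners and the BOM (U+FEFF).
    """
    return unicodedata.category(ch) in ("Co", "Cf")

def scan_source(text: str):
    """Return (line_no, col, codepoint) for every invisible character in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}"))
    return hits

def find_hidden_runs(text: str, min_run: int = 4):
    """Group consecutive invisible characters into (line_no, start_col, length).

    A lone BOM or soft hyphen is usually benign and stays below min_run; a run of
    dozens of PUA characters inside a comment or string is the pattern to escalate.
    """
    runs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        start, length = None, 0
        for col, ch in enumerate(line + "\n", start=1):  # the newline flushes a trailing run
            if is_invisible(ch):
                start = col if start is None else start
                length += 1
            elif start is not None:
                if length >= min_run:
                    runs.append((line_no, start, length))
                start, length = None, 0
    return runs

# Constructed sample: a harmless-looking JS file with twelve PUA characters
# appended to a comment, exactly where a human reviewer sees nothing.
SAMPLE = (
    "const greet = (n) => `hi ${n}`;\n"
    "// build step" + "".join(chr(0xE000 + i) for i in range(12)) + "\n"
    "module.exports = { greet };\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, col, length in find_hidden_runs(fh.read()):
                print(f"{path}:{line_no}:{col}: run of {length} invisible characters")
```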
Three infection vectors running simultaneously
Vector 1 — Trojanized VS Code extensions. 73 malicious extensions published to OpenVSX disguised as time trackers, code formatters, and JSON utilities. Designed as sleeper packages: benign on install, malicious after a subsequent attacker-pushed update. Targeted VS Code, Cursor, Positron, Windsurf, and VSCodium. 50,000+ downloads before the takedown.
Vector 2 — Poisoned npm and Python packages. Compromised packages on npm and PyPI executed malicious code through postinstall hooks and setup scripts — firing silently during routine pip install or npm install. No user interaction required. Targets included Django apps, ML research code, Streamlit dashboards, and PyPI packages.
Vector 3 — Self-replication via stolen GitHub tokens. Once Glassworm harvested GitHub tokens, it force-pushed malicious code into the default branches of 300+ legitimate repositories — disguised as routine documentation tweaks or version bumps. Any developer who cloned a compromised repo became the next host. The worm replicated itself through developer trust.
Total scope: 433+ compromised components across GitHub, npm, VSCode, and OpenVSX between January and March 2026 — before the April wave added 73 more sleeper extensions, six already activated and delivering payloads.
The payload: ZOMBI
Stage one — credential theft. The initial payload hunted for npm tokens, GitHub tokens, SSH keys, AWS access keys, environment variables, Git credentials, 1Password vault contents, and data from 49 cryptocurrency wallet extensions including MetaMask, Phantom, and Coinbase Wallet. Exfiltrated via AES-256-CBC encryption with dynamically generated per-request keys in custom HTTP headers — making intercepted traffic unreadable.
Stage two — ZOMBI RAT. A full Remote Access Trojan transforming each infected machine into a persistent attacker node: SOCKS proxy routing attacker traffic anonymously through the developer’s machine, WebRTC P2P communication bypassing enterprise firewalls, Hidden VNC giving full silent remote desktop access, and a fake Google Docs Offline Chrome extension logging keystrokes, dumping session tokens, and capturing screenshots in real time.
Connection to the GitHub breach: The May 18 breach of GitHub’s 3,800 internal repositories by TeamPCP used credentials harvested from a poisoned Nx Console VS Code extension — the same developer-targeting playbook Glassworm pioneered in October 2025. DataWater covered the full TeamPCP campaign in our May 21 threat brief.
The four “unkillable” C2 channels
Channel 1 — Solana blockchain. C2 addresses encoded as Base64 strings inside Solana transaction memo fields. Immutable, decentralized, permanent. You cannot take down a blockchain transaction. 50+ URL rotations between November 2025 and March 2026 — every domain takedown instantly bypassed by a new Solana memo.
Channel 2 — BitTorrent DHT. ZOMBI retrieved configuration data from the BitTorrent peer-to-peer network against hardcoded public keys. No central server. No single point of failure. Hundreds of millions of distributed nodes globally. No entity to serve a takedown notice to.
Channel 3 — Google Calendar. Event titles used as dead-drops for Base64-encoded C2 paths. Malware parsed legitimate Calendar events on Google’s own infrastructure. As researchers noted: “Free and legitimate. No one’s blocking Google Calendar.” Blocking it would break enterprise productivity globally.
Channel 4 — Commercial VPS servers. Traditional servers for final-stage payload delivery — the only conventional component, and lowest-priority given the three decentralized layers above.
14:00 UTC, May 26 — the simultaneous strike
The architecture’s one exploitable weakness: all four channels had to be hit at the exact same moment. Take down three and the botnet reroutes through the fourth. At 14:00 UTC on May 26, CrowdStrike, Google, and Shadowserver executed simultaneously:
- Solana wallets taken over — infected machines querying those wallets now receive nothing
- BitTorrent DHT neutralized via Eclipse attack — nodes isolated from the network, unable to retrieve configuration data; Google’s infrastructure scale was required
- Google Calendar dead-drops neutralized — only achievable with Google as a direct operational partner inside their own infrastructure
- VPS infrastructure sinkholed by Shadowserver — all final-stage payload servers simultaneously redirected
CrowdStrike’s published statement: “As a result, infected machines can no longer receive new instructions or payloads.”
🔴 Confirmed IOC — check right now: Search all network logs and endpoint telemetry for connections to 164.92.88[.]210. Any match is a confirmed Glassworm infection. Also check: 217.69.3[.]218 and 199.247.10[.]166. ZOMBI is still installed on every infected machine not yet remediated. All stolen credentials remain in attacker hands.
Why this matters beyond one botnet
Blockchain C2 is now a documented, operational attack technique. There was no security industry playbook for neutralizing C2 infrastructure inside an immutable public blockchain. CrowdStrike and Google had to invent the response. The next threat actor builds it better, having watched this takedown. The arms race escalated at a layer most enterprise security programs do not monitor.
Developers are a primary enterprise attack surface. Glassworm proved the fastest route into enterprise environments in 2026 is not the hardened perimeter — it is the developer workstation behind it, and the packages, extensions, and repositories those developers use every day.
Botnet disruption now requires Big Tech as an operational partner. The Calendar channel required access from inside Google’s own infrastructure. The DHT Eclipse attack required cloud-scale operations. New model: security vendor as coordinator, Big Tech as execution partner.
Immediate remediation steps
1. Hunt for active infections. Search endpoint and network telemetry for 164.92.88[.]210, 217.69.3[.]218, and 199.247.10[.]166. Look for ~/init.json files and suspicious i.js files in recently cloned repos. Check for any Google Docs Offline Chrome extension not manually installed. Review Git commit histories for entries not made by the developer.
2. Rotate all developer credentials. Any developer machine with OpenVSX extensions installed October 2025 – May 2026 is potentially compromised. Rotate GitHub tokens, npm tokens, SSH keys, AWS keys, and 1Password vault access. Revoke and reissue all CI/CD pipeline secrets.
3. Check for macOS persistence. ZOMBI installs a persistent backdoor on macOS. Review ~/Library/LaunchAgents/, /Library/LaunchAgents/, and /Library/LaunchDaemons/ for entries created since October 2025 not placed by known software. Reimage confirmed infected machines.
4. Audit repositories for poisoned commits. Review all repos accessible via stolen tokens for unexpected modifications to setup.py, main.py, app.py, package.json scripts sections, or postinstall hooks.
5. Implement a VS Code extension allowlist. Block all OpenVSX extensions not explicitly approved. Disable auto-update: set extensions.autoUpdate and extensions.autoCheckUpdates to false. Review extension updates manually before applying.
6. Deploy SCA on CI/CD pipelines. Scan for malicious postinstall hooks and setup scripts before any package installation executes.
7. Block Solana RPC endpoints from developer workstations. No legitimate developer tool needs to query a blockchain. Any such outbound connection is a strong indicator of compromise.
8. Enable branch protection on all repos. Require code review for pushes to default branches to block Glassworm’s force-push self-replication technique.
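Steps 1 and 4 above, together with the install-hook path of Vector 2, as an added example that is not part of this brief or of any vendor's tooling: the indicators are published defanged, so the script refangs them before matching, hunts a set of firewall log lines for them by extracted IPv4 token rather than substring, and lists the npm lifecycle scripts in a package.json that execute during install for manual review. The log lines, the package.json, the 10.0.4.x and 203.0.113.5 addresses and the ./scripts/i.js path are all constructed samples.

```python
import json
import re

# Indicators exactly as published in this brief, defanged with [.] so they are not clickable.
DEFANGED_IOCS = ("164.92.88[.]210", "217.69.3[.]218", "199.247.10[.]166")

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxps://') back into a searchable value."""
    return (ioc.replace("[.]", ".")
               .replace("hxxp://", "http://")
               .replace("hxxps://", "https://"))

IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def hunt_log_lines(lines):
    """Return (line_no, ip, line) for each log line that touches a Glassworm IOC.

    Matching on whole IPv4 tokens avoids substring hits on longer, unrelated values.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line_no, ip, line.strip()))
    return hits

# Lifecycle scripts npm runs automatically: preinstall/install/postinstall for every
# dependency, prepare for the package itself and for git dependencies.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_package_json(text: str) -> dict:
    """Return the scripts in a package.json that execute during install, for manual review."""
    scripts = json.loads(text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}

# Constructed sample telemetry (private and documentation ranges apart from the IOCs).
SAMPLE_LOGS = [
    "2026-05-20T09:12:01Z fw allow src=10.0.4.17 dst=203.0.113.5 dport=443",
    "2026-05-20T09:12:07Z fw allow src=10.0.4.17 dst=164.92.88.210 dport=443",
    "2026-05-21T11:40:55Z fw allow src=10.0.4.22 dst=199.247.10.166 dport=8080",
]

# Constructed package.json; the hook calls an i.js file, the name step 1 tells you to look for.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-widget",
  "version": "1.4.2",
  "scripts": {"build": "tsc", "postinstall": "node ./scripts/i.js", "test": "jest"}
}"""
```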
What happens next
The botnet is silent. The operators are cut off. But the cleanup has barely started.
300+ poisoned GitHub repositories still exist in developer commit histories. ZOMBI is still installed on every unremediated machine. Credentials harvested over 18 months remain in attacker hands and may fuel separate intrusion campaigns for years. Glassworm established that blockchain-based decentralized C2 is operationally viable and that the developer supply chain is a high-return attack surface. Both lessons are now in the hands of every threat actor watching.
The security community won this round. The architectural lessons from the loss are already out there.
Sources and further reading
- CrowdStrike — Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
- iTnews — CrowdStrike, Google slay “unkillable” Glassworm botnet targeting devs
- eSecurity Planet — CrowdStrike Disrupts Glassworm Supply Chain Botnet
- IT Brief Asia — CrowdStrike disrupts Glassworm botnet targeting developers
- BleepingComputer — GlassWorm malware attacks return via 73 OpenVSX sleeper extensions
- The Hacker News — GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
- The Hacker News — GlassWorm Malware Uses Solana Dead Drops to Deliver RAT
- Malwarebytes — GlassWorm attack installs fake browser extension for surveillance
- Scientific American — GlassWorm Malware Hides in Invisible Open-Source Code
- Koi Security — GlassWorm: First Self-Propagating Worm Using Invisible Code
DataWater publishes daily cybersecurity threat briefs. Article #17 — May 27, 2026. See also: Verizon DBIR 2026 (May 26) · TanStack → GitHub breach (May 21) · CVE-2026-42897 Exchange zero-day (May 19) · Cisco SD-WAN CVSS 10.0 (May 27).
