Google and CrowdStrike Shut Down Glassworm Botnet Targeting Open-Source Developers
Google, CrowdStrike, and the Shadowserver Foundation have dismantled the Glassworm botnet, a cybercriminal network that targeted open-source software developers through malicious packages, compromised repositories, and infected development tools.
Cybersecurity firm CrowdStrike, in collaboration with Google and internet security nonprofit Shadowserver Foundation, has disrupted the Glassworm botnet, a cybercriminal operation used to distribute malware and steal credentials from open-source software developers.
According to CrowdStrike, the operation aimed to disrupt a threat group that has spent the last two years targeting the open-source software ecosystem and the broader software supply chain. The attackers focused on developers and projects that serve as trusted building blocks for companies and organisations worldwide.
Recent supply chain attacks have increasingly targeted developers rather than end users. By compromising the people who create and maintain software, attackers can potentially spread malicious code to thousands of downstream users and businesses that rely on those projects.
CrowdStrike noted that developers have become highly attractive targets because gaining access to a single workstation or account can provide a pathway into numerous organisations via trusted software updates and repositories.
The Glassworm group employed several techniques to distribute malicious code. These included publishing harmful extensions on developer marketplaces, running malicious advertising campaigns that tricked users into downloading malware, and exploiting credentials stolen in prior breaches to take over developer accounts and inject malware into legitimate projects.
As a result of these activities, more than 300 GitHub repositories were reportedly compromised and used to spread malicious software throughout the development ecosystem.
During the takedown effort, CrowdStrike said it successfully disrupted four command-and-control channels used by the attackers. This action severed communication between the hackers and infected devices, preventing further malware deployment and limiting the group's ability to manage compromised systems.
According to the company, the attackers relied on a diverse infrastructure that included the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar services, and virtual private servers to maintain control over infected machines. Routing command-and-control traffic through legitimate, widely used services in this way makes the infrastructure resilient to conventional defences: an organisation cannot simply block Solana or Google Calendar outright, so detection has to rely on the behaviour of the compromised host rather than on a blocklist of domains or IP addresses.
CrowdStrike did not provide detailed information regarding the legal or technical authority used during the disruption operation. When asked for additional details, company representatives declined to comment beyond information published in their official report.
The takedown comes amid a broader rise in software supply chain attacks. Just last week, several open-source projects were compromised in a separate campaign known as "Mini Shai-Hulud," which resulted in malicious updates being distributed to users. Reports also indicated that at least two OpenAI developers were affected during the incident.
Earlier this year, another high-profile supply chain compromise involved a suspected North Korean threat actor who hijacked Axios, a widely used open-source JavaScript HTTP client library relied on by millions of developers worldwide.
The Glassworm disruption highlights the growing focus on protecting software developers and open-source communities, which have become increasingly important targets for cybercriminals seeking large-scale access through trusted software supply chains.