CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025
From CTI Daily Brief — 2026-05-28 · published 2026-05-28
On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.
The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.
Defender takeaway: the takedown sinkholes the existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: compare the org's installed VS Code extension inventory against the published Open VSX extension allowlist, and correlate the hits with outbound WebRTC connections from node.exe parent processes on developer endpoints.
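One way to run the extension-inventory hunt above, as an added example that is not CrowdStrike's, Google's or Shadowserver's tooling: it assumes each VS Code-family IDE (VS Code, Cursor, Windsurf) keeps extensions under the per-user roots listed in `EXTENSION_ROOTS` as `<publisher>.<name>-<version>/package.json`, and that the published Open VSX allowlist can be loaded as a set of `publisher.name` ids (the allowlist and extension tree in `sample_sweep` are constructed placeholders).

```python
import json
import tempfile
from pathlib import Path

# Assumed per-user roots for the IDEs the brief names (assumption, not from the brief).
EXTENSION_ROOTS = ["~/.vscode/extensions", "~/.cursor/extensions", "~/.windsurf/extensions"]


def inventory(root: Path) -> list[dict]:
    """Installed extensions as {'id','version','path'}, assuming the layout
    <root>/<publisher>.<name>-<version>/package.json; malformed manifests are skipped."""
    found = []
    for pkg in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # do not let one corrupt manifest abort the sweep
        pub, name = meta.get("publisher"), meta.get("name")
        if pub and name:  # Marketplace ids are case-insensitive, so normalise
            found.append({"id": f"{pub}.{name}".lower(),
                          "version": meta.get("version", "?"), "path": str(pkg.parent)})
    return found


def unapproved(inv: list[dict], allowlist: set[str]) -> list[dict]:
    """Extensions whose id is absent from the allowlist."""
    allowed = {a.strip().lower() for a in allowlist if a.strip()}
    return [e for e in inv if e["id"] not in allowed]


def sweep_host(allowlist: set[str]) -> list[dict]:
    """Check every assumed IDE extension root that exists on this host."""
    roots = [Path(r).expanduser() for r in EXTENSION_ROOTS]
    return [e for r in roots if r.is_dir() for e in unapproved(inventory(r), allowlist)]


def sample_sweep() -> tuple[list[str], list[str]]:
    """Constructed sample: two allowlisted extensions, one unknown, one corrupt manifest."""
    sample = {"ms-python.python-2024.4.1": ("ms-python", "python", "2024.4.1"),
              "esbenp.prettier-vscode-10.1.0": ("esbenp", "prettier-vscode", "10.1.0"),
              "unknownpub.helper-1.0.0": ("unknownpub", "helper", "1.0.0")}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d, (pub, name, ver) in sample.items():
            (root / d).mkdir()
            (root / d / "package.json").write_text(json.dumps({"publisher": pub, "name": name, "version": ver}))
        (root / "broken.ext-0.0.1").mkdir()
        (root / "broken.ext-0.0.1" / "package.json").write_text("{not json")
        inv = inventory(root)
    return [e["id"] for e in inv], [e["id"] for e in unapproved(inv, {"ms-python.python", "esbenp.prettier-vscode"})]
```

On a real endpoint, load the allowlist ids into a set and call `sweep_host(allowlist)`; each returned entry carries the on-disk path, which is the starting point for the credential rotation and the WebRTC correlation described above.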