Neutralizing GlassWorm: Developer‑Targeting Attack Infrastructure Disrupted

Colleagues: CrowdStrike, together with Google and Shadowserver, has taken down all GlassWorm C2 infrastructure. The campaign, active in 2025, targeted developers via trojanized VS Code extensions and compromised npm/Python packages.
Key points:
- Four redundant C2 channels: Solana transaction memos, the BitTorrent DHT, Google Calendar, and attacker-controlled VPS hosts.
- Credential and wallet theft; deployment of GlassWormRAT and a malicious Chrome extension.
- Infected hosts used as proxies, HVNC (hidden VNC) endpoints and remote-execution nodes; more than 300 repositories compromised.
Why it matters: one trojanized extension or package reaches every developer workstation and build pipeline that pulls it, so securing developer environments and CI/CD pipelines is essential.
What will you change in defending developer environments?
#cybersecurity #supplychain #DevSecOps
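One concrete change for the npm side of this: gate `npm ci` on a lockfile audit. The script below is an added example (not code from the original post, from CrowdStrike, or from the GlassWorm research) that reads a package-lock.json (lockfileVersion 2 or 3) and flags packages that declare an install-time script (`hasInstallScript`), resolve to a non-registry source such as a git URL, or lack an integrity hash. The sample lockfile, its package names and the `TRUSTED_REGISTRIES` set are constructed for the demo; none of them are GlassWorm indicators.

```python
"""Audit an npm lockfile for supply-chain red flags before `npm ci`.

Added example, not the original post's or CrowdStrike's code.  Install
scripts run arbitrary code on the developer's machine at install time,
so packages that declare one, or that come from outside the registry
you trust, deserve a human look before a dev shell or CI job runs them.
"""
import json
import sys
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample lockfile: hypothetical package names, not real IOCs.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/example-native-helper": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/example-native-helper/-/example-native-helper-2.0.1.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,   # npm sets this for pre/post/install scripts
        },
        "node_modules/example-forked-lib": {
            "version": "0.9.0",
            "resolved": "git+ssh://git@github.com/someone/example-forked-lib.git#abc123",
            # no integrity: git sources are not content-addressed by npm
        },
    },
})

# Assumption: the public registry only; add your private registry host here.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}


def audit_lockfile(lock_text: str, trusted=TRUSTED_REGISTRIES) -> Dict[str, List[str]]:
    """Return {finding_name: [package paths]} for a lockfile's JSON text."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("need lockfileVersion 2 or 3; regenerate with `npm install --package-lock-only`")
    findings: Dict[str, List[str]] = {
        "install_script": [],
        "non_registry_source": [],
        "missing_integrity": [],
    }
    for path, meta in lock["packages"].items():
        if path == "":          # the root project entry, not a dependency
            continue
        if meta.get("hasInstallScript"):
            findings["install_script"].append(path)
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        # Anything not fetched over https from a trusted registry (git URLs,
        # tarball URLs, local paths) bypasses registry provenance checks.
        if not resolved.startswith("https://") or host not in trusted:
            findings["non_registry_source"].append(path)
        if not meta.get("integrity"):
            findings["missing_integrity"].append(path)
    return findings


def has_findings(findings: Dict[str, List[str]]) -> bool:
    """True if any category is non-empty; used as the CI exit status."""
    return any(findings.values())


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]; no arg runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = audit_lockfile(text)
    for name, paths in result.items():
        for p in paths:
            print(f"{name}: {p}")
    sys.exit(1 if has_findings(result) else 0)
```

Run it as a CI step before `npm ci` and fail the job on a non-zero exit; pair it with `npm config set ignore-scripts true` on developer machines so that install scripts only run for packages you have explicitly reviewed.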

