CrowdStrike, Google and Shadowserver disrupt GlassWorm botnet targeting Visual Studio, npm, PyPI and GitHub developers

Security firms say they disrupted the GlassWorm botnet, a malware operation that infected developers and open source software ecosystems and could be used to steal credentials and cryptocurrency wallet data and to gain remote access to infected machines. CrowdStrike says GlassWorm spread through trojanized Visual Studio extensions on OpenVSX and later through GitHub and compromised Python projects, while using Solana blockchain transactions, Google Calendar, BitTorrent and VPS-hosted servers as layered command-and-control channels. The malware hid code with Unicode variation selectors and stole npm, GitHub and Git credentials, creating downstream software supply-chain risk.
Why it matters: A compromise of developers can spread to the software and updates many other organizations rely on. Teams should check for beaconing to 164.92.88[.]210, investigate developer machines and repositories for compromise, rotate exposed credentials, and review software supply-chain protections.
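
One way to check a repository for the Unicode variation selector hiding mentioned above, as an added example that does not come from CrowdStrike or the reports summarized here: the Python script below flags runs of consecutive invisible selectors in source files. The run threshold, the file suffixes and the sample text are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Variation Selectors (U+FE00-U+FE0F) and Variation Selectors Supplement
# (U+E0100-U+E01EF). A legitimate variation sequence is one base character
# followed by ONE selector, so consecutive selectors are anomalous.
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")

MIN_RUN = 4  # assumed threshold; tune for your code base


def find_hidden_runs(text, min_run=MIN_RUN):
    """Return (line, column, run_length) for each run of >= min_run selectors."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in VS_RUN.finditer(line):
            if len(m.group()) >= min_run:
                hits.append((lineno, m.start() + 1, len(m.group())))
    return hits


def scan_tree(root, suffixes=(".js", ".ts", ".py", ".json")):
    """Scan source files under root; return {path: hits} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_hidden_runs(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: line 2 holds a string literal that looks empty in an
# editor but carries 12 selectors; line 1 has one ordinary emoji selector.
SAMPLE = (
    "const ok = 'caf\u00e9 \u2764\ufe0f';\n"
    "const blob = '" + "\ufe01\U000e0101" * 6 + "';\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for line, col, n in hits:
                print(f"{path}:{line}:{col}: {n} consecutive variation selectors")
    else:
        print(find_hidden_runs(SAMPLE))
```

Run it with a directory argument to scan a checkout or an unpacked extension; columns are counted in Unicode code points, so they may differ from an editor that counts UTF-16 units.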

Sources

CrowdStrike, Google shatter Glassworm botnet
2026.05.27 99% relevant
This article is another report on the same GlassWorm disruption event, adding operational detail on the takedown timing, the four command-and-control channels hit simultaneously, and specifics on GlassWorm’s use of Solana memos, Google Calendar, BitTorrent DHT, and VPS-hosted payload servers.
Glassworm botnet disrupted after resilient C2 infrastructure takedown
Ionut Ilascu 2026.05.27 97% relevant
This is the same underlying event: the coordinated takedown of the GlassWorm botnet. The article adds specific detail on the botnet's resilient command-and-control design across Solana transaction memos, BitTorrent DHT, Google Calendar dead drops, and direct VPS servers, plus a post-takedown beacon IP and mention of published YARA detection rules.
GlassWorm Botnet Disrupted
Ionut Arghire 2026.05.27 100% relevant
This article establishes a distinct tracked event: the disruption of the GlassWorm developer-targeting botnet and new details on its multi-channel command-and-control infrastructure, scope across ecosystems, and defender actions.