Data Breach TodayArchived May 27, 2026✓ Full text saved
Suspected Russian Crime Group Built Resilient Command-and-Control Infrastructure In a joint operation, CrowdStrike, Google and Shadowserver Foundation disrupted infrastructure used by the Glassworm cybercrime group, cutting off attackers from victims. The group has wielded a remote access Trojan to repeatedly target developers of widely used open-source software.
Full text archived locally
✦ AI Summary· Claude Sonnet
Cybercrime , Fraud Management & Cybercrime
Glassworm Group: Software Supply-Chain Attackers Disrupted
Suspected Russian Crime Group Built Resilient Command-and-Control Infrastructure
Mathew J. Schwartz (euroinfosec) • May 27, 2026
Credit Eligible
Get Permission
Image: Shutterstock
Security firms took down a botnet that targeted developers by lacing software packages and extensions in code repositories with a remote access tool dubbed GlasswormRAT.
See Also: Why Cyberattackers Love 'Living Off the Land'
The joint disruption on Tuesday involved the efforts of CrowdStrike, Google and Shadowserver Foundation, a non-profit cybersecurity organization.
"We struck all four of Glassworm's command-and-control channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads," CrowdStrike said.
Researchers said the four channels involved the Solana blockchain, into which the group hardcoded C2 server addresses as memo fields in blockchain transactions, configuration data in hardcoded public keys accessible through the BitTorrent peer-to-peer network, Google Calendar event titles with lists of C2 addresses and virtual private servers being used to deliver the group's malicious payloads.
The combination of blockchain, peer-to-peer and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting C2 servers behind multiple layers of indirection, researchers said.
How long the disruption might hold isn't clear, not least because the operators haven't been arrested. Many past disruptions of botnets or other malicious infrastructure have been short-lived, so long as their perpetrators aren't behind bars.
The disruption comes amid a spate of supply-chain attacks targeting the software repositories, many of which appear to be poorly defended. "The barrier to poisoning a package or extension is low; the potential blast radius is enormous," CrowdStrike said (see: GitHub Hacked, Internal Repositories Offered for Sale).
Since at least early 2025, the group behind Glassworm has launched supply-chain attacks against Microsoft's Visual Studio Code Marketplace as well as Open VSX, a vendor-neutral and open-source alternative to VS Code hosted by the Eclipse Foundation. Many of these attacks use a remote access Trojan built using the JavaScript runtime environment node.js, which CrowdStrike tracks as GlasswormRAT.
The group has so far also poisoned more than 300 GitHub repositories tied to software that runs on Windows, Mac and Linux systems, "using stolen developer credentials harvested from earlier Glassworm infections, with malicious code force-pushed into default branches," CrowdStrike said.
Providing a clue to the developer's location, the group's payloads are designed to not execute on any system set to use Russian or Russian-adjacent languages such as Ukrainian, Kazakh or Belarusian. The code also includes Russian-language comments.
After infecting a system, the group's malicious payloads target browser cookies, browsing history, cryptocurrency wallets, Apple Notes databases, VPN configuration files, the contents of Desktop, Documents and Downloads folders, as well as many different kinds of developer credentials, including for GitHub Actions, said software supply-chain defense platform Socket.
Name aside, Glassworm has yet to use a worm in any of its attacks. The group's malware can hop between systems, but it isn't "self-replicating in the traditional sense," but instead involves "stealing credentials and abusing publishing access" to extend its reach, Socket said.
The glass reference also isn't quite accurate. "The 'glass' aspect originally pointed to invisible character tricks, but recent iterations rely more on encrypted, staged loaders than on being visually undetectable," Socket said.
To identify if a system has been compromised by Glassworm, CrowdStrike offered this post-disruption indicator of compromise: "All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address 164.92.88.210. Organizations should review network logs and endpoint telemetry for connections to this address. Any match indicates a Glassworm infection that requires immediate remediation," it said.
Glassworm is one of a number of groups that specialize in open-source software supply-chain attacks.
One major player is TeamPCP, which has unleashed multiple waves of the self-replicating npm worm Shai-Hulud to infect projects on Microsoft GitHub, the npm package manager for the JavaScript programming language that's owned by GitHub and Python programming language software repository Python Package Index, aka PyPI.
In one attack, the group uploaded two malicious versions of the artificial intelligence routing library LiteLLM to PyPI. In another attack, the group breached Trivy, a popular open-source scanning tool developed by Aqua Security. Using credentials stolen in that attack, the group appeared to successfully clone over 300 Cisco source code repositories from Microsoft-owned GitHub (see: Backdooring of JavaScript Library Axios Tied to North Korea).
The group recently released an open-source version of its worm, which has led to copycat attacks.