On May 26, 2026, cybersecurity firms, including CrowdStrike and Google, coordinated a simultaneous takedown of the Glassworm botnet, which had been infecting software developers since early 2025 through malicious developer tools. The group used innovative tactics such as encoding server addresses in the Solana blockchain, which made its operation resilient against traditional takedowns.
Glassworm targeted various software ecosystems, including GitHub and npm, through a variety of methods, among them compromised browser extensions and poisoned GitHub repositories. The malware, GlasswormRAT, was capable of stealing sensitive credentials and draining cryptocurrency wallets. The operation highlighted the ongoing risks that supply chain attacks pose to software developers and to organizations relying on compromised software. While the takedown provided temporary relief, it underscored the need for better security in package ecosystems.