The GlassWorm botnet, which targets the open-source software ecosystem, has been disrupted by CrowdStrike in collaboration with Google and the Shadowserver Foundation. The operation dismantled four command-and-control (C&C) channels used by the botnet, which ingeniously employed the Solana blockchain alongside Google Calendar and BitTorrent for resilient C&C infrastructure.
First identified in October 2025, GlassWorm used innovative techniques to hide its code, distributing itself through compromised Visual Studio extensions and affecting various programming communities. It is designed to steal sensitive information and operates SOCKS proxy servers for remote access. CrowdStrike suggests that the attacker's origins are likely Russian, as the malware avoids infecting systems in CIS countries.
This incident underscores an evolving threat landscape in which attackers increasingly target software developers rather than just their outputs, prompting organizations to reinforce security in development environments as a critical measure against future risks.