CrowdStrike and Google dismantle Glassworm botnet targeting open-source supply chain

The takedown of the Glassworm network marks a significant intervention in a two-year campaign that exploited developer trust to compromise downstream organisations, following a series of high-profile attacks on the software development sector.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: TechCrunch · original
CrowdStrike and Google take down botnet used by hackers to target software developers in supply chain attacks
Joint operation disrupts four command-and-control channels used to infect over 300 GitHub repositories

CrowdStrike, in collaboration with Google and the nonprofit internet monitoring organisation Shadowserver, has dismantled the Glassworm botnet, a cybercriminal network that spent two years targeting the open-source software supply chain. The operation successfully disrupted four distinct command-and-control channels, halting efforts to infect software projects with malware and steal credentials from developers.

The botnet compromised more than 300 GitHub repositories by employing a diverse array of tactics. These strategies included publishing malicious extensions on developer marketplaces, utilising malvertising through sponsored search results, and hijacking developer accounts using previously stolen credentials. By poisoning code hosted on platforms like GitHub, the attackers exploited the inherent trust companies place in open-source tools and the workers who maintain them.

According to CrowdStrike, the infrastructure relied on a complex mix of technologies to maintain communication with infected systems. The command-and-control channels utilised the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers. Disrupting these channels cut the hackers’ access to infected computers and prevented the delivery of further malicious updates.

The significance of the takedown lies in the potential scale of the damage. CrowdStrike noted that compromising a single developer’s workstation can cascade into a supply-chain compromise, impacting thousands of downstream organisations and users. By targeting the developers who build the software rather than just the products themselves, adversaries have created a high-value vector for widespread disruption.

This intervention follows a recent surge in attacks against the open-source community. Last week, a hacking campaign dubbed “Mini Shai-Hulud” compromised several open-source projects and an OpenAI developer. Earlier in March, a suspected North Korean hacker hijacked the popular development tool Axios, which is used by millions of developers globally.

While the technical execution of the takedown has been confirmed, the legal framework remains opaque. It is not clear under what legal or technical authority CrowdStrike and its partners acted to dismantle the operation. A spokesperson for CrowdStrike did not immediately comment on the basis for the action.
