Representatives from CrowdStrike, Google, and the Shadowserver Foundation conducted a joint operation against the Glassworm botnet infrastructure. The researchers simultaneously disabled all of the botnet's communication channels, from the Solana blockchain and BitTorrent DHT to Google Calendar and conventional VPS servers. As a result, infected machines can no longer receive commands from the malware operators.

Glassworm emerged last year and quickly became one of the most prominent threats to developers. The attackers distributed malicious extensions for Visual Studio Code via OpenVSX and the Microsoft Marketplace, infected npm and Python packages, and compromised GitHub repositories. The primary goals of these attacks were to steal developer credentials and cryptocurrency wallet data and to gain access to software supply chains. Glassworm operators were particularly active against the ecosystem of VS Code forks: Cursor, Windsurf, Positron, and VSCodium. For example, in March 2026 one campaign affected over 400 repositories and extensions, and later the attackers placed dozens of "dormant" extensions in OpenVSX, where the malicious code was activated only after an update.

The defining feature of Glassworm, according to security researchers, was its unusual command and control architecture. Instead of a standard C2 server, the attackers built a multi-layered infrastructure resistant to blocking and takedowns. The addresses of the command and control servers were stored directly in the memo fields of Solana transactions. The malware also used BitTorrent DHT to retrieve configurations via hardcoded public keys. Google Calendar served as yet another channel: the malware read Base64-encoded C&C addresses from event names. Only in the final stage were ordinary VPS servers used to deliver the payload.

As CrowdStrike specialists note, disabling just one of these channels would have achieved virtually nothing, since the botnet would simply switch to another communication method. The researchers therefore had to neutralize the entire Glassworm infrastructure at once. After the operation, all infected systems began connecting to the IP address 164.92.88[.]210, which is controlled by CrowdStrike. The company recommends that administrators check network activity for this indicator of compromise and immediately isolate any system that contacts it.

The researchers also included YARA rules in their report for scanning systems for infections.
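The report asks administrators to check network activity for connections to the sinkhole address. The following is an added example of how such a check might look, written for this page and not taken from the CrowdStrike, Google or Shadowserver report: it refangs the published indicator, parses a constructed sample of firewall-style log lines (the log format and the internal 10.20.x.x hosts are assumptions, not real traffic), and returns the internal hosts that contacted the sinkhole so they can be isolated and investigated.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole address as published in the report, in defanged form.
SINKHOLE_IOC_DEFANGED = "164.92.88[.]210"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 164.92.88[.]210 back into a real address."""
    return ioc.replace("[.]", ".").replace("(.)", ".")


def defang(ip: str) -> str:
    """Defang an address for safe inclusion in tickets and reports."""
    return ip.replace(".", "[.]", 3) if ip.count(".") == 3 else ip


SINKHOLE_IP = ipaddress.ip_address(refang(SINKHOLE_IOC_DEFANGED))

# Constructed sample of firewall/NetFlow-style log lines (assumed format, not real data).
SAMPLE_LOG = """\
2026-04-02T09:14:03Z src=10.20.1.15 dst=164.92.88.210 dport=443 proto=tcp action=allow
2026-04-02T09:14:07Z src=10.20.1.15 dst=142.250.74.78 dport=443 proto=tcp action=allow
2026-04-02T09:15:11Z src=10.20.3.42 dst=164.92.88.210 dport=80 proto=tcp action=allow
2026-04-02T09:16:00Z src=10.20.1.15 dst=164.92.88.210 dport=443 proto=tcp action=allow
2026-04-02T09:17:22Z src=10.20.5.7 dst=1.1.1.1 dport=53 proto=udp action=allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:  # unparseable address in src or dst
        return None


def find_sinkhole_contacts(log_text: str, sinkhole=SINKHOLE_IP) -> dict:
    """Map each internal source host to the (timestamp, dport) pairs on which it reached the sinkhole."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == sinkhole:
            hits[str(rec["src"])].append((rec["ts"], rec["dport"]))
    return dict(hits)


def isolation_report(log_text: str) -> list:
    """One defanged line per host to isolate, suitable for pasting into an incident ticket."""
    contacts = find_sinkhole_contacts(log_text)
    return [
        f"ISOLATE {host}: {len(events)} connection(s) to {defang(str(SINKHOLE_IP))}, first seen {events[0][0]}"
        for host, events in sorted(contacts.items())
    ]


if __name__ == "__main__":
    for line in isolation_report(SAMPLE_LOG):
        print(line)
```

Hosts that appear in the output should be treated as compromised developer machines: pull them off the network, then run the YARA rules from the report against them rather than relying on the network indicator alone, since a machine that has not yet beaconed will not show up in connection logs.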
