- CrowdStrike, Google and Shadowserver jointly dismantled the Glassworm botnet on May 26, 2026 by disrupting all four of its resilient C2 channels simultaneously
- Active since early 2025, Glassworm spread via trojanized VSCode extensions, poisoned npm/Python packages and compromised GitHub repos, stole developer credentials and deployed GlasswormRAT across Windows, macOS and Linux
- The takedown highlights a shift in threat focus from products to developers, and it required coordinated precision to neutralize the botnet's blockchain, BitTorrent DHT, Google Calendar and VPS-based infrastructure
Cybersecurity researchers from CrowdStrike, Google and the Shadowserver Foundation have teamed up to take down a large botnet targeting software developers worldwide.
In an announcement on May 26, 2026, the company said the task force shut down the Glassworm botnet by simultaneously disrupting all four of its C2 channels.
Glassworm is a global botnet, active since at least early 2025, and operated by well-calculated, persistent criminals likely based in Russia. It specifically targeted software developers throughout the open source supply chain, mostly because of what they have access to: source code repositories, cloud platforms, CI/CD pipelines, and package registries.
Slaying the Immortals
“This takedown means something beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for any organization that ships or uses software,” explained CrowdStrike. “Adversaries are no longer just targeting products, they are targeting the developers who build them.”
The botnet propagated through trojanized VSCode extensions, malicious code slipped into npm and Python packages, and poisoned GitHub repositories (at least 300 of them). The malware performed information theft and credential harvesting (GitHub tokens, npm tokens, SSH keys, VSCode authentication), and deployed a full-featured remote access tool called GlasswormRAT that affects Windows, macOS, and Linux systems.
The botnet’s C2 architecture used four channels: Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS servers—all of which were designed to resist conventional takedown efforts. This combination earned Glassworm the nickname ‘the immortal botnet’ and justified the “precision and timing” of the takedown.
“By removing just one channel, the others would have been operational, allowing operators to quickly reconstitute,” CrowdStrike explained. “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.”




