CrowdStrike, alongside Google and the Shadowserver Foundation, has executed a strategic takedown of the command-and-control (C2) channels linked to GlassWorm, a malware campaign that has been targeting software developers through deceptive packages and extensions. This collective action has effectively disrupted the infrastructure supporting this persistent threat.
Targeting Software Developers
Since early 2025, the operators of GlassWorm have systematically attacked software developers, exploiting their access to source code repositories, cloud services, and CI/CD pipelines. This development highlights the growing threat of software supply chain attacks, where a single compromised developer workstation can have widespread repercussions across numerous organizations and users.
GlassWorm’s tactics involved publishing Trojanized VS Code extensions on the Microsoft VS Code Marketplace and Open VSX. Because the forks share these registries, this also reached users of Cursor, Positron, Windsurf, and VSCodium. Additionally, the campaign infiltrated npm and Python packages, aiming to deliver a data-stealing framework capable of harvesting credentials and cryptocurrency wallets and profiling compromised systems.
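A defender-side check that follows from the distribution vector above, as an added example that is not CrowdStrike's or any editor vendor's code: it walks the per-user extensions directory of VS Code and the forks named in the article, reads each extension's package.json, and flags any extension id not on an organisational allowlist for review. The directory paths, the allowlist, and the assumption that every extension folder carries a package.json with "publisher", "name" and "version" are assumptions to adjust for your hosts.

```python
import json
from pathlib import Path

# Added example, not vendor code. Editor -> per-user extensions directory;
# these paths are assumed defaults, adjust for your hosts.
EXTENSION_DIRS = {
    "vscode": Path.home() / ".vscode" / "extensions",
    "vscodium": Path.home() / ".vscode-oss" / "extensions",
    "cursor": Path.home() / ".cursor" / "extensions",
    "windsurf": Path.home() / ".windsurf" / "extensions",
    "positron": Path.home() / ".positron" / "extensions",
}

def read_extension(ext_dir):
    """Return ('publisher.name', version) from an extension folder, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None  # missing or unparsable manifest: nothing to identify
    if not isinstance(data, dict):
        return None
    publisher = str(data.get("publisher", "")).lower()
    name = str(data.get("name", "")).lower()
    if not publisher or not name:
        return None
    return f"{publisher}.{name}", str(data.get("version", "?"))

def audit_extensions(root, allowlist):
    """Scan one extensions directory; 'review' marks ids not on the allowlist."""
    root = Path(root)
    if not root.is_dir():
        return []
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        entry = read_extension(ext_dir)
        if entry is not None:
            ext_id, version = entry
            status = "allowed" if ext_id in allowlist else "review"
            findings.append((ext_id, version, status))
    return findings

if __name__ == "__main__":
    # Constructed allowlist; replace with the organisation's approved set.
    allowed = {"ms-python.python", "esbenp.prettier-vscode"}
    for editor, root in EXTENSION_DIRS.items():
        for ext_id, version, status in audit_extensions(root, allowed):
            print(f"{editor}: {ext_id}@{version} [{status}]")
```

Entries marked "review" are a starting point for an analyst to confirm the publisher and the registry the extension came from, not a verdict on their own.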
Advanced Malware Techniques
As it evolved, GlassWorm introduced a WebSocket-based JavaScript RAT, known as GlassWormRAT, to extract web browser data and execute arbitrary code. One method involved installing a Google Chrome extension to gather sensitive information such as screenshots, keystrokes, and clipboard data from compromised systems.
According to Endor Labs researcher Kiran Raj, the malware actively searches for developer credentials to facilitate further breaches of repositories and package uploads. Infected machines are then converted into covert infrastructure, such as SOCKS proxies and hidden VNC servers, providing attackers with anonymized network access and a platform for further attacks.
Impact and Ongoing Risks
The malicious operations are estimated to have compromised over 300 GitHub repositories using stolen credentials. Notably, GlassWorm utilized four different C2 channels to enhance its resilience against takedowns, integrating blockchain, peer-to-peer, and legitimate web services to obscure the actual C2 servers.
This coordinated takedown has neutralized all four channels, preventing further instructions or payloads from reaching infected systems. Despite this success, the threat posed by these well-resourced operators remains significant. They are likely based in Russia: the malware avoids executing on systems in Commonwealth of Independent States (CIS) regions and contains Russian-language comments.
CrowdStrike emphasizes the critical nature of the software supply chain as a target for cyber adversaries. The ease of compromising a package or extension poses a substantial risk, with the potential for widespread impact. As developer environments and build pipelines remain vulnerable, organizations consuming software inherit the risks of those producing it. The GlassWorm campaign underscores the need for robust protections to prevent persistent threats to developer ecosystems.
