Glassworm botnet that targeted OS devs smashed to pieces
CrowdStrike, Google and the Shadowserver Foundation worked together to take down a botnet that poisoned over 300 GitHub repositories, risking widespread supply chain compromise
The Glassworm botnet that weaponised trusted developer tools and turned them on the open source community to poison hundreds of GitHub repositories with malicious code has been knocked out in a coordinated operation by CrowdStrike, Google and the Shadowserver Foundation.
The takedown, which occurred on the afternoon of 26 May, saw all of Glassworm’s command and control (C2) channels struck simultaneously, cutting its operators off from their army of bots and halting their ability to deliver new malicious payloads.
“This takedown matters beyond the botnet,” CrowdStrike’s Counter Adversary Operations Team said in a blog detailing the operation.
“Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organisation that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them.”
For almost 18 months, the operators of Glassworm systematically targeted developers with access to source code repositories, cloud platforms, continuous integration and continuous deployment/delivery (CI/CD) pipelines and package registries.
Such individuals are “uniquely high-value targets”, said CrowdStrike, because in compromising a single open source developer’s workstation, Glassworm’s operators could – in the right circumstances – orchestrate a major supply chain compromise, opening up access to thousands of downstream user organisations and exposing them to compromise and, potentially, data theft and extortion.
The team did not attribute any publicly known supply chain incidents to Glassworm.
Extensive campaign
The botnet’s operators conducted an extensive and multifaceted campaign in which they published trojanised VSCode extensions to the OpenVSX marketplace disguised as useful tools such as time trackers or code formatters. Besides the VSCode editor, these extensions also targeted tools such as Cursor, Positron, Windsurf and VSCodium.
They also used compromised npm and Python packages to introduce malicious code during post-install hooks and setup scripts, and – using stolen developer credentials from earlier infections – were able to push malicious code into at least 300 GitHub repositories.
The operation targeted Windows, Linux and macOS environments, with several end goals in mind, spanning data and credential theft and the delivery of a full-featured Node.js remote access trojan (RAT) dubbed GlasswormRAT.
In its post-mortem, CrowdStrike detailed how Glassworm’s operators built a resilient, four-channel architecture designed to resist takedown efforts. They exploited the Solana blockchain to create an immutable dead-drop of C2 server addresses, a BitTorrent Distributed Hash Table (DHT) to store configuration data against hardcoded public keys, Google Calendar as another dead-drop for Base62-encoded C2 paths, and traditional C2 servers hosted on commercial virtual private server (VPS) services to deliver their payload.
CrowdStrike said this combination of blockchain, peer-to-peer and legitimate web services as resolution layers gave Glassworm a dynamic front with multiple layers of protection for its infrastructure. That meant the takedown itself had to be highly precise and perfectly timed: taking down only one channel would have allowed the operators to get back on their feet quickly.
Model for open source security
According to the CrowdStrike team, the takedown establishes a model for approaching supply chain threats. The sophisticated, well-resourced and persistent operators of Glassworm were continuously evolving their capabilities and – left unchecked – posed an ongoing risk across multiple sectors.
It said the takedown proved that proactive disruption is achievable against such resilient threat actors with precision strikes that target technical dependencies they can’t easily replace, as well as the value of cross-sector collaboration.
At the time of writing, all Glassworm-infected machines are now beaconing to a benign IP address – 164.92.88[.]210 – which is held by CrowdStrike, giving victims the opportunity to detect and remediate any compromise by reviewing network logs and endpoint telemetry.
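The sinkhole gives defenders a concrete check: any internal host still contacting the CrowdStrike-held address is a likely Glassworm infection. The script below is an added illustration, not code from CrowdStrike or the article, and assumes a constructed whitespace-separated log export (timestamp, source IP, destination IP, port, action) rather than any specific product's format; it refangs the published indicator and reports which hosts beaconed to it and how often.

```python
import re

# Sinkhole address exactly as published (defanged) in the CrowdStrike write-up.
SINKHOLE_DEFANGED = "164.92.88[.]210"

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 164.92.88[.]210 back into a matchable literal."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Constructed sample lines (not real telemetry) in an assumed simple export format:
# timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2026-05-27T09:01:12Z 10.0.4.21 142.250.72.14 443 allow
2026-05-27T09:01:40Z 10.0.4.21 164.92.88.210 443 allow
2026-05-27T09:02:03Z 10.0.7.9 164.92.88.210 80 allow
2026-05-27T09:31:44Z 10.0.4.21 164.92.88.210 443 allow
2026-05-27T09:35:10Z 10.0.9.3 164.92.88.2 443 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)

def find_sinkhole_beacons(log_text: str, indicator: str = SINKHOLE_DEFANGED) -> dict:
    """Return {src_ip: {"count": n, "first": ts, "last": ts}} for every host that
    contacted the sinkhole. The destination is compared as a whole address, so a
    different host such as 164.92.88.2 is not flagged by a substring match."""
    target = refang(indicator)
    hits: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != target:
            continue  # unparseable line or traffic to some other destination
        entry = hits.setdefault(m["src"], {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return hits

if __name__ == "__main__":
    for host, info in find_sinkhole_beacons(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} beacon(s), first {info['first']}, last {info['last']}")
```

Hosts it lists should be isolated and examined for the trojanised extensions and packages described above, since the beacon only shows that the implant is still running.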
This said, detection and remediation alone are not enough. With dozens of package ecosystems in widespread use, containing millions of packages and limited built-in security controls, the risk of compromise remains high. Malicious packages can be installed through dependency updates almost instantaneously, and it is hard to detect that anything is wrong until the damage has been done. Moreover, the potential blast radius of an incident is immense.
Threat actors such as the Glassworm gang also know all of this, and CrowdStrike said this proved why ongoing efforts to secure open source supply chains must go hand-in-hand with an aggressive posture against those seeking to infiltrate them.
“As long as developer environments, build pipelines and code repositories remain under-protected, every organisation that consumes software inherits the risk of everyone who produces it,” the team wrote.
“The security community – vendors, law enforcement agencies, platform operators and the open-source ecosystem – must respond with equal determination. We need more operations and coordinated disruptions like this one. CrowdStrike is committed to taking the fight to the adversaries.”
