
CrowdStrike, Google, and nonprofit cybersecurity organization Shadowserver have successfully dismantled a sophisticated botnet that cybercriminals used to steal passwords and distribute malware to open source software developers. The operation targeted the so-called Glassworm botnet, which had been actively compromising the software supply chain for two years.
The takedown comes as supply chain attacks have become one of the most serious threats facing the tech industry. By targeting developers and their code repositories, hackers can potentially reach thousands of downstream organizations and users through a single compromise. This approach exploits the inherent trust that companies place in open source code hosted on platforms like GitHub.
“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike wrote in its report about the takedown operation. “Developers represent uniquely high-value targets: compromising a single developer’s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.”
The Glassworm hackers employed multiple attack vectors to distribute their malicious code. Their tactics included publishing malicious extensions on developer marketplaces, using malvertising campaigns that tricked victims into downloading malware through sponsored search results, and leveraging stolen credentials from previous breaches to hijack developer accounts and inject malware into legitimate code repositories.
The campaign’s scope was significant. CrowdStrike researchers found that the hackers had successfully “poisoned” more than 300 GitHub code repositories with malicious code. This contamination could have affected countless software projects and the organizations that rely on them.
The takedown operation focused on disrupting four command-and-control channels that the Glassworm hackers used to communicate with infected computers and deliver additional malware. These channels ran over diverse infrastructure, including:
- The Solana blockchain network
- BitTorrent peer-to-peer systems
- Google Calendar
- Virtual private servers
By severing these communication channels, the security firms effectively cut off the hackers’ access to their network of compromised machines and prevented them from launching further attacks.
The technical and legal basis for the takedown operation remains unclear. When contacted for additional details about the authority under which they operated, CrowdStrike spokesperson Kirsten Speas declined to provide further information beyond the company’s public blog post.
This operation highlights the growing threat that supply chain attacks pose to the software ecosystem. Just last week, a separate hacking campaign called “Mini Shai-Hulud” compromised several open source projects and pushed out malicious updates, affecting at least two OpenAI developers. In March, suspected North Korean hackers successfully hijacked Axios, a popular open source development tool used by millions of developers worldwide.
The increasing frequency and sophistication of these attacks underscore why the security community considers supply chain compromises among the most dangerous cyber threats facing organizations today. Unlike traditional attacks that target individual companies, supply chain attacks can create cascading effects that impact entire ecosystems of software users and developers.