CrowdStrike’s report on the Glassworm takedown lands like a supply chain horror story: one botnet, two years, more than 300 GitHub repositories poisoned. On May 26, CrowdStrike’s Counter Adversary Operations team, working alongside Google and the Shadowserver Foundation, severed all four of Glassworm’s command-and-control channels simultaneously.

The group didn’t go after companies directly. It targeted the developers who write their code. Glassworm published trojanized extensions on the OpenVSX marketplace, ran malvertising campaigns to intercept developer search queries, and used stolen credentials to hijack developer accounts, force-pushing malicious code into repositories. “Compromising a single developer’s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users,” CrowdStrike wrote.

The C2 infrastructure was built to outlast takedown attempts. Among the channels it used, Glassworm encoded server addresses in Solana blockchain transaction memo fields, queried the BitTorrent peer-to-peer network for configuration data, and hid base64-encoded C2 paths in Google Calendar event titles. Because an implant that can still reach any one of those channels can learn a fresh server address, all four had to fall simultaneously for the disruption to hold.

The common thread across recent supply chain campaigns is open-source maintainer credentials. The North Korea-nexus group that compromised Axios in March exploited the same attack surface: one hijacked npm publisher account put roughly 100 million weekly downloads at risk. Two campaigns, different actors, same weak link. I read both reports this week; they’re telling the same credential story.

Worth auditing your team's VS Code extension inventory (including anything installed from OpenVSX) and npm publish credentials this quarter: which extensions and publishers are actually installed, who holds publish rights on your packages, whether two-factor authentication is required to publish, and whether long-lived automation tokens are still lying around.
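One way to do the extension side of that audit, as an added example that is not from the CrowdStrike report or any tool it describes: snapshot the `extensions.json` file that VS Code and VSCodium keep under their extensions directory, then diff each later snapshot against it and against a publisher allowlist. The inventory and baseline below are constructed sample data, and the assumption is that each entry carries an `identifier.id` of the form `publisher.name` and a `version` field, which is the layout of that file as I know it.

```python
import json

# Constructed sample of extensions.json (found under ~/.vscode/extensions/
# or ~/.vscode-oss/extensions/). Only the fields this audit reads are kept;
# real entries carry more (uuid, install location, metadata).
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.4.1"},
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "10.4.0"},
    {"identifier": {"id": "someone.handy-helper"}, "version": "1.0.3"},
])

# Constructed baseline taken at the previous audit: extension id -> version.
BASELINE = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.1.0",
}

# Publishers the team has reviewed and approved (assumed allowlist).
ALLOWED_PUBLISHERS = {"ms-python", "esbenp"}


def load_inventory(text):
    """Parse extensions.json text into {extension id: version}."""
    return {e["identifier"]["id"].lower(): e["version"] for e in json.loads(text)}


def audit(inventory, baseline, allowed_publishers):
    """Return (finding, extension id, detail) tuples for a human to review.

    A version change is reported even for an approved publisher: a hijacked
    publisher account pushes a new version, not a new publisher, so an
    unscheduled bump is exactly the event worth looking at.
    """
    findings = []
    for ext_id, version in sorted(inventory.items()):
        publisher = ext_id.split(".", 1)[0]
        if publisher not in allowed_publishers:
            findings.append(("unapproved-publisher", ext_id, version))
        if ext_id not in baseline:
            findings.append(("new-extension", ext_id, version))
        elif baseline[ext_id] != version:
            findings.append(("version-changed", ext_id,
                             f"{baseline[ext_id]} -> {version}"))
    # Extensions that disappeared since the baseline are also worth noting.
    for ext_id in sorted(set(baseline) - set(inventory)):
        findings.append(("removed", ext_id, baseline[ext_id]))
    return findings


if __name__ == "__main__":
    for finding in audit(load_inventory(SAMPLE_INVENTORY), BASELINE, ALLOWED_PUBLISHERS):
        print("%-20s %-30s %s" % finding)
```

Run it against the real file on each developer machine and store the resulting dictionary as the next baseline. The npm side is a matter of a few commands rather than a script: `npm profile get` shows whether two-factor authentication is enforced on the account, and `npm token list` shows the automation tokens that would let someone publish without it.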

— Rebecca Lauren