CrowdStrike, Google, and Shadowserver Team Up to Take Down Glassworm Botnet Targeting Developers
A collaborative effort between tech giants brought down a botnet used by hackers to target open-source software developers. Here's how it worked.

Imagine your code being compromised while you sleep. That’s the nightmare that faced many developers in recent years due to the Glassworm botnet, which has been active for two years. Now, thanks to a joint operation by CrowdStrike, Google, and Shadowserver, this threat is no longer looming over the open-source community.
Who are these hackers?
The hackers behind Glassworm have been quietly targeting developers of open-source software for two full years. Their strategy ranged from pushing malicious extensions through marketplaces used by developers to using stolen credentials to hijack accounts and plant malware.
How did they operate?
The hackers used a variety of tactics, including:
- Publishing harmful extensions on developer marketplaces
- Malvertising – tricking users into downloading malware through sponsored search results
- Hijacking developer accounts using stolen credentials to insert malicious code in repositories
As a result, over 300 GitHub code repositories became infected.
The Takedown Operation
CrowdStrike, working alongside Google and Shadowserver, managed to disrupt the Glassworm operation by taking down four critical command-and-control channels. These channels relied on various methods, including the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers.
This move significantly curtailed the hackers' ability to deliver more malware and control infected computers.
What Does This Mean for Developers?
The incident highlights a growing trend in which cybercriminals target developers directly, treating them as uniquely high-value targets. Compromising one developer’s workstation can lead to widespread supply-chain compromises impacting thousands of downstream organizations and users.


