ComputerWeekly

Glassworm botnet that targeted OS devs smashed to pieces


The Glassworm botnet that weaponised trusted developer tools and turned them on the open source community to poison hundreds of GitHub repositories with malicious code has been knocked out in a coordinated operation by CrowdStrike, Google and the Shadowserver Foundation.

The takedown, which occurred on the afternoon of 26 May, saw all of Glassworm’s command and control (C2) channels struck simultaneously, cutting its operators off from their army of bots and halting their ability to deliver new malicious payloads.

“When threat actors operate from jurisdictions where law enforcement cooperation is limited or nonexistent, disruption becomes one of the most effective tools available. If you can’t put handcuffs on the operator, you focus on dismantling the infrastructure, trust relationships, and operational dependencies. The most effective operations are layered: CrowdStrike struck all four of Glassworm’s command-and-control channels simultaneously – blockchain, peer-to-peer, and legitimate web services – taking down the connective tissue of the operation to create cascading operational pain. This forces the adversary to rebuild, while exposing tradecraft,” said Adam Meyers, head of counter adversary operations at CrowdStrike.

In a blog detailing the operation, CrowdStrike’s Counter Adversary Operations Team said the takedown went much further than dismantling a mere botnet: Glassworm marked a significant shift in the threat landscape, demonstrating that adversaries are no longer simply targeting products but rather the humans who build them.

Indeed, for almost 18 months, the operators of Glassworm systematically targeted developers with access to source code repositories, cloud platforms, continuous integration and deployment/delivery (CI/CD) pipelines and package registries.

Such individuals are “uniquely high-value targets”, said CrowdStrike, because in compromising a single open source developer’s workstation, Glassworm’s operators could – in the right circumstances – orchestrate a major supply chain compromise, opening up access to thousands of downstream user organisations and exposing them to compromise and, potentially, data theft and extortion.

The team did not attribute any publicly known supply chain incidents to Glassworm.

Extensive campaign

The botnet’s operators conducted an extensive and multifaceted campaign in which they published trojanised VSCode extensions to the OpenVSX marketplace disguised as useful tools such as time trackers or code formatters. Besides the VSCode editor, these extensions also targeted tools such as Cursor, Positron, Windsurf and VSCodium.

They also used compromised npm and Python packages to introduce malicious code during post-install hooks and setup scripts, and – using stolen developer credentials from earlier infections – were able to push malicious code into at least 300 GitHub repositories.

The operation targeted Windows, Linux and macOS environments, with several end goals in mind, spanning data and credential theft and the delivery of a full-featured Node.js remote access trojan (RAT) dubbed GlasswormRAT.

In its post-mortem, CrowdStrike detailed how Glassworm’s operators built their resilient, four-channel architecture specifically to resist takedown efforts. The cyber gangsters exploited the Solana blockchain to create an immutable dead-drop of C2 server addresses, a BitTorrent Distributed Hash Table (DHT) to store configuration data against hardcoded public keys, Google Calendar as another dead-drop for Base62-encoded C2 paths, and traditional C2 servers hosted on commercial virtual private server (VPS) services to deliver their payload.

CrowdStrike said this combination of blockchain, peer-to-peer and legitimate web services as resolution layers gave Glassworm a dynamic front that shielded its infrastructure behind multiple layers of protection. The takedown therefore had to be highly precise and perfectly timed, because taking down only one channel would have allowed the operators to get back on their feet quickly.

Model for open source security

According to the CrowdStrike team, the takedown establishes a model for approaching supply chain threats. The sophisticated, well-resourced and persistent operators of Glassworm were continuously evolving their capabilities and – left unchecked – posed an ongoing risk across multiple sectors.

It said the takedown proved that proactive disruption is achievable against such resilient threat actors, through precision strikes that target technical dependencies they cannot easily replace, and demonstrated the value of cross-sector collaboration.

At the time of writing, all Glassworm-infected machines are now beaconing to a benign IP address – 164.92.88[.]210 – which is held by CrowdStrike, giving victims the opportunity to detect and remediate any compromise by reviewing network logs and endpoint telemetry.
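The sinkhole address above is the one artefact in this story a defender can act on directly: any host that has contacted it since the takedown was running a Glassworm implant. The script below is an added example, not code from CrowdStrike or the article, showing how to sweep exported firewall or proxy logs for that address. The log format (key=value fields plus one free-text proxy line) and every hostname, timestamp and internal IP in it are constructed for the example; only the sinkhole address comes from the article.

```python
import re
from typing import Iterable

# Sinkhole named in the article, written there defanged as 164.92.88[.]210.
GLASSWORM_SINKHOLE = "164.92.88.210"

# Constructed sample log: two Glassworm beacons from 10.20.4.31, one proxy
# CONNECT from 10.20.9.2, and two near-miss addresses that must NOT match.
SAMPLE_LOG = """\
2025-05-27T09:14:02Z action=allow src=10.20.4.17 dst=142.250.74.46 dport=443 proto=tcp
2025-05-27T09:14:05Z action=allow src=10.20.4.31 dst=164.92.88.210 dport=443 proto=tcp
2025-05-27T09:14:09Z action=deny src=10.20.4.31 dst=164.92.88.210 dport=8080 proto=tcp
2025-05-27T09:15:44Z action=allow src=10.20.7.8 dst=164.92.88.21 dport=443 proto=tcp
2025-05-27T09:16:01Z action=allow src=10.20.4.17 dst=164.92.188.210 dport=443 proto=tcp
2025-05-27T09:17:30Z proxy CONNECT 164.92.88.210:443 from 10.20.9.2
"""

# Dotted-quad IPv4 with look-arounds so 164.92.88.21 does not match inside
# 164.92.88.210 and vice versa.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_KV = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 164.92.88[.]210 into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_kv(line: str) -> dict:
    """Extract key=value fields from a log line; free-text lines give {}."""
    return dict(_KV.findall(line))


def find_sinkhole_hits(lines: Iterable[str], sinkhole: str = GLASSWORM_SINKHOLE) -> list:
    """Return one record per log line whose destination is the sinkhole.

    Structured lines are judged on their dst= field; free-text lines fall back
    to any IPv4 address in the line. The source host is taken from src= when
    present, otherwise from the first non-sinkhole address in the line.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        kv = parse_kv(line)
        ips = _IPV4.findall(line)
        if "dst" in kv:
            matched = kv["dst"] == sinkhole
        else:
            matched = sinkhole in ips
        if not matched:
            continue
        src = kv.get("src") or next((ip for ip in ips if ip != sinkhole), "unknown")
        hits.append({"line_no": line_no, "src": src, "dst": sinkhole, "raw": line})
    return hits


def affected_hosts(hits: list) -> list:
    """Distinct internal hosts that beaconed, sorted, for a remediation queue."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = find_sinkhole_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h['line_no']}: {h['src']} -> {h['dst']}")
    print("hosts to remediate:", affected_hosts(found))
```

Point the same function at a real export (`find_sinkhole_hits(open("fw.log"))`) and feed `affected_hosts()` into your ticketing; the look-around regex matters because a naive substring search for the sinkhole would also fire on the unrelated 164.92.88.21x range.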

This said, detection and remediation alone are not enough. With dozens of package ecosystems in widespread use, containing millions of packages and limited built-in security controls, the risk of compromise remains high. Malicious packages can be installed through dependency updates almost instantaneously, and it is hard to detect that anything is wrong until the damage has been done. Moreover, the potential blast radius of an incident is immense.

Threat actors such as the Glassworm gang also know all of this, and CrowdStrike said this proved why ongoing efforts to secure open source supply chains must go hand-in-hand with an aggressive posture against those seeking to infiltrate them.

“As long as developer environments, build pipelines and code repositories remain under-protected, every organisation that consumes software inherits the risk of everyone who produces it,” the team wrote.

“The security community – vendors, law enforcement agencies, platform operators and the open-source ecosystem – must respond with equal determination. We need more operations and coordinated disruptions like this one. CrowdStrike is committed to taking the fight to the adversaries.”
