CISOOnline

GlassWorm falls, but the repo problem is far from solved

The CrowdStrike-led takedown, conducted alongside Google and the Shadowserver Foundation, disrupted infrastructure linked to the campaign that had poisoned hundreds of repositories with malicious packages targeting developers.

A day after the takedown, in an independent development, the OSV database withdrew 157 malware reports after maintainers determined the submissions were likely automated false positives.

Takedowns help, but analysts question long-term impact

The takedown took place on May 26 at 14:00 UTC. CrowdStrike confirmed that the operation struck down “all four of GlassWorm’s command-and-control (C2) channels simultaneously”. This reportedly helped sever the botnet operators from their infected machines, blocking them from pushing out new malware.

CrowdStrike described the GlassWorm operation as targeting infrastructure used to distribute malware through developer-focused repositories, an increasingly popular attack vector as adversaries chase CI/CD access, developer credentials, and downstream enterprise environments.


