{"id":8682,"date":"2026-05-27T08:35:14","date_gmt":"2026-05-27T13:35:14","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89168"},"modified":"2026-05-27T08:35:14","modified_gmt":"2026-05-27T13:35:14","slug":"crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/05\/27\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain\/","title":{"rendered":"CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain | CyberScoop<\/title> <meta name=\"description\" content=\"CrowdStrike, Google, and Shadowserver have dismantled the Glassworm botnet, severing infrastructure used to target the open-source software supply chain.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/crowdstrike-glassworm-botnet-takedown\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain\"> <meta property=\"og:description\" content=\"CrowdStrike, Google, and Shadowserver have dismantled the Glassworm botnet, severing infrastructure used to target the open-source software supply chain.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/crowdstrike-glassworm-botnet-takedown\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-05-27T13:35:14+00:00\"> <meta property=\"article:modified_time\" content=\"2026-05-27T13:35:17+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1024\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1779818961g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89168\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89168\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcrowdstrike-glassworm-botnet-takedown%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcrowdstrike-glassworm-botnet-takedown%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89168 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/crowdstrike-glassworm-botnet-takedown\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \">\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"341\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain.jpg?resize=640%2C341&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"botnet, attack, ddos, red team, mykings\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=300,160 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=768,410 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=1024,546 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=1536,819 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=600,320 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=1200,640 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-2.jpg?resize=1500,800 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"53.014769765421\"><body readability=\"106.9330698938\"><\/p>\n<p>CrowdStrike has <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/inside-crowdstrike-takedown-of-a-developer-targeting-botnet\/\">dismantled the Glassworm botnet<\/a> in an operation aided by Google and Shadowserver, stripping the operators\u2019 access to infrastructure that helped threat actors infect hundreds of pieces of open-source software with malware since early 2025, the company said Tuesday.&nbsp;<\/p>\n<p>The coordinated effort involved the simultaneous takedown of four attacker-controlled servers that were designed to obscure the botnet\u2019s operations and remain resilient against disruptions.<\/p>\n<p>CrowdStrike and partners took down infrastructure, severed access to the botnet\u2019s most critical services, impeded operation momentum and slowed the attackers\u2019 ability to scale, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop.<\/p>\n<p>\u201cThe broader goal is sustained pressure that forces the adversary to spend time, resources, and operational energy reconstituting infrastructure instead of targeting victims,\u201d Meyers added. \u201cBy exposing tradecraft and sharing intelligence, defenders can harden developer environments, CI\/CD pipelines, and software supply chains against similar activity. That raises the operating cost for the adversary and gives defenders an advantage.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Glassworm has targeted software developers in order to access source code repositories, cloud platforms, integration and delivery processes, and open-source package registries to push malware into the supply chain and trigger compromises downstream.&nbsp;<\/p>\n<p>The threat group behind the botnet, which is likely based in Russia, according to CrowdStrike, fed malware into VSCode extensions, npm and Python packages and more than 300 GitHub repositories, researchers said.&nbsp;<\/p>\n<p>Glassworm affected Windows, macOS and Linux systems with data and credential theft, and a remote-access tool called GlasswormRAT.<\/p>\n<p>\u201cWhat stood out about Glassworm was the operational sophistication around propagation and automation,\u201d Meyers said. \u201cThis wasn\u2019t just a smash-and-grab compromise of a package repository. The operation was designed to move through trusted developer workflows in a way that could expand reach very quickly if left unchecked.\u201d<\/p>\n<p>The botnet relied on four layered channels that CrowdStrike disrupted, including the Solana blockchain, BitTorrent\u2019s peer-to-peer network, Google Calendar and virtual private servers hosted by commercial providers.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAs part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,\u201d John Hultquist, chief analyst at Google Threat Intelligence Group, said in a <a href=\"https:\/\/x.com\/JohnHultquist\/status\/2059343275467640933?s=20\">post on X<\/a>.<\/p>\n<p>The countermeasures took down \u201cthe connective tissue of the operation to create cascading operational pain,\u201d Meyers said. \u201cThis forces the adversary to rebuild, while exposing tradecraft.\u201d<\/p>\n<p>CrowdStrike said the takedown demonstrates how the security industry can effectively thwart supply-chain threats by proactively disrupting the precise infrastructure attackers use without waiting for lengthy judicial processes.&nbsp;<\/p>\n<p>\u201cWhen threat actors operate from jurisdictions where law enforcement cooperation is limited or nonexistent, disruption becomes one of the most effective tools available. If you can\u2019t put handcuffs on the operator, you focus on dismantling the infrastructure, trust relationships, and operational dependencies,\u201d Meyers added.&nbsp;<\/p>\n<p>The security company shared indicators of compromise to help organizations hunt for potential infections in their environments and called for other vendors, law enforcement agencies, platform operators and the open-source ecosystem to muster equal determination in responding to threats in the software supply chain.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe more visibility and alignment you create across the ecosystem, the harder it becomes for the actor to quietly stand the operation back up,\u201d Meyers said. \u201cYou may not eliminate the threat actor entirely, but you can absolutely reduce effectiveness, limit reach, and raise the cost of doing business.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.1425992779783\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/crowdstrike-disrupts-glassworm-botnet-that-preyed-on-open-source-supply-chain-1.jpg?w=640&#038;ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News &amp; World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/crowdstrike-glassworm-botnet-takedown\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3470,2350,282,6711,387,2880,288],"tags":[3474,2354,286,6712,391,2882,294],"class_list":["post-8682","post","type-post","status-publish","format-standard","hentry","category-botnet","category-crowdstrike","category-cybercrime","category-glassworm","category-google","category-shadowserver","category-threats","tag-botnet","tag-crowdstrike","tag-cybercrime","tag-glassworm","tag-google","tag-shadowserver","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/botnet\/\" rel=\"category tag\">botnet<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/glassworm\/\" rel=\"category tag\">Glassworm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shadowserver\/\" rel=\"category tag\">Shadowserver<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8682"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8682\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}