eFinder

How Google and CrowdStrike Cracked Down on Glassworm Botnet

Software Supply Chain Vulnerability, Cybersecurity Collaboration, State-sponsored Cybercrime

What to know about Software Supply Chain Vulnerability

Google, CrowdStrike, and the Shadowserver Foundation collaborated to dismantle the Glassworm botnet, which targeted software developers through compromised IDE extensions and packages. The botnet utilized a resilient, decentralized infrastructure involving the Solana blockchain, BitTorrent, and Google Calendar to maintain command and control.

Propaganda risk 20%
Claims checked 13
Techniques found 1
Topics 3

Coverage spectrum

Coverage gap: Low Left coverage
Left: 0%
Center: 80%
Right: 20%

5 sources compared across this story cluster. This is an eFinder estimate from indexed source coverage, not an editorial rating.

What happened

The takedown of the Glassworm botnet could provide some relief for developers in this year plagued with software supply chain attacks.

Why it matters

This week, CrowdStrike dismantled a global botnet designed to withstand traditional takedown efforts, through a combined operation with Google and the Shadowserver Foundation.

Common ground

The firm's Counter Adversary Operations team led the operation targeting the stubborn malware infrastructure that used four separate command and control channels – designed to remain active even if parts of the network were disabled.

Perspective signals

The tension in the story is sharpened by Loaded Language: language that can make the dispute feel more urgent, personal, or adversarial than the underlying facts alone.



Analysis

Propaganda Score: 20% (confidence: 95%)
Minor concerns. Some persuasive language detected, but largely factual.

Propaganda Techniques Detected

eFinder identified 1 propaganda technique in this article. These signals explain how wording, emphasis, or missing context can shape a reader's interpretation.

Loaded Language (80% confidence)
Using words with strong emotional connotations to influence an audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing loaded language helps readers compare the article's framing with the underlying facts and with coverage from other sources.

Claims Checked

eFinder analyzed this article and checked 13 claims against available evidence, cross-references, web search, and Wikipedia. Here is what the fact-checking layer found.

Single Source: 4
Corroborated: 4
Pending: 3
Insufficient Evidence: 2
Claim 1: “Attackers had also compromised npm and Python packages, introducing malicious code through post-install hooks and set-up scripts.”
SINGLE SOURCE
The evidence mentions Glassworm targeting npm and Python packages, but the specific detail regarding 'post-install hooks and set-up scripts' is not explicitly confirmed in the provided snippets.
web search NEUTRAL — 5 days ago · The Phoenix Security Malware Package Intelligence (MPI) corpus covers 59 supply chain attack campaigns from June 2024 through June 2026 and ...
https://phoenix.security/accelerating-supply-chain-attacks-n…
web search NEUTRAL — Mar 18, 2026 · On March 16, 2026, Aikido and StepSecurity reported that two popular React Native npm packages used for phone number input and country ...
https://www.kodemsecurity.com/resources/malicious-react-nati…
web search NEUTRAL — Mar 16, 2026 · On March 16, 2026, StepSecurity Threat Intel was the first to detect and report malicious releases in two popular React Native npm packages ...
https://www.stepsecurity.io/blog/malicious-npm-releases-foun…
Claim 2: “CrowdStrike dismantled a global botnet designed to withstand traditional takedown efforts, through a combined operation with Google and the Shadowserver Foundation.”
CORROBORATED
Multiple independent web sources confirm that CrowdStrike, Google, and the Shadowserver Foundation jointly dismantled the Glassworm botnet.
web search NEUTRAL — Google, CrowdStrike take down ‘Glassworm’ Botnet hacking attack targeting software developers. Yesterday. Save for later.
https://news.google.com/stories/CAAqNggKIjBDQklTSGpvSmMzUnZj…
web search NEUTRAL — CrowdStrike, Google, and Shadowserver jointly dismantled the Glassworm botnet on May 26, 2026, by disrupting all four of its resilient C2 channels simultaneously.
https://tech.yahoo.com/cybersecurity/articles/crowdstrike-ta…
web search NEUTRAL — CrowdStrike, Google and the Shadowserver Foundation have dismantled the Glassworm botnet after it weaponised trusted developer tools, npm and Python packages
https://www.opensourceforu.com/2026/05/github-npm-and-python…
Claim 3: “Google Calendar events and commercial virtual servers were also used by attackers to distribute instructions and payloads to infected machines.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 4: “A Node.js remote access tool called GlasswormRAT was also uncovered.”
SINGLE SOURCE
The evidence mentions the botnet and its capabilities, but does not explicitly name a specific Node.js tool called 'GlasswormRAT'.
web search NEUTRAL — May 27, 2026 · Glassworm infected developers through poisoned tools and packages until a coordinated takedown killed all four of its C2 channels at once.
https://securityaffairs.com/192749/cyber-crime/how-cybersecu…
web search NEUTRAL — May 26, 2026 · Learn how CrowdStrike's Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, which targeted software ...
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-ta…
web search NEUTRAL — May 27, 2026 · The takedown of the Glassworm botnet by CrowdStrike on May 26, 2026, highlights a significant shift in cyber threats, targeting developers ...
https://x.com/rst_cloud/status/2059771327200838105
Claim 5: “This botnet, according to CrowdStrike, was operated by criminals based in Russia.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results regarding the attribution of the botnet to criminals based in Russia.
Claim 6: “The GlasswormRAT queried the BitTorrent Distributed Hash Table for hardcoded public keys.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 7: “A distributed file sharing system that allows people to share files across the internet called BitTorrent, was also leveraged by threat actors.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 8: “Glassworm operators had been systematically targeting developers since early 2025.”
CORROBORATED
Multiple sources confirm that Glassworm operators had been targeting developers since early 2025.
wikipedia NEUTRAL — Open VSX is an open-source registry for extensions compatible with the Visual Studio Code extension API. The project is hosted by the Eclipse Foundation and provides a vendor-neutral alternative to Mi…
https://en.wikipedia.org/wiki/Open_VSX
wikipedia NEUTRAL — Chaoborus is a genus of midges in the family Chaoboridae. The larvae are known as glassworms because they are transparent. They can be found commonly in lakes all over the world and can be up to 2 cm …
https://en.wikipedia.org/wiki/Chaoborus
wikipedia NEUTRAL — Chaoborus edulis is a species of phantom midges (flies in the family Chaoboridae). Colloquially, the larval stage is termed a glassworm. It is one of the species of insect processed into kunga cakes.
https://en.wikipedia.org/wiki/Chaoborus_edulis
Claim 9: “The firm's Counter Adversary Operations team led the operation targeting the stubborn malware infrastructure that used four separate command and control channels”
CORROBORATED
Multiple sources explicitly state that the Glassworm botnet utilized four separate command and control (C2) channels.
web search NEUTRAL — The Glassworm operation uses four separate command and control channels to maintain activity even when parts of the network are disabled. The cybersecurity firm works with Google and the Shadowserver …
https://supplychaindigital.com/news/how-the-glassworm-takedo…
web search NEUTRAL — Preface: In a coordinated takedown operation on May 26, 2026, cybersecurity firm CrowdStrike, alongside Google and the Shadowserver Foundation, simultaneously disrupted all four command-and-control (C2)…
https://biggo.com/news/202605271821_CrowdStrike-takes-down-G…
web search NEUTRAL — Glassworm command-and-control architecture source: CrowdStrike. Because of this architecture, disrupting a single channel would have little impact on the Glassworm operation, as communications could s…
https://www.bleepingcomputer.com/news/security/glassworm-bot…
Claim 10: “Trojanised VSCode extensions were published on the OpenVSX marketplace, as the extensions hid under the guise of time trackers and code formatters.”
SINGLE SOURCE
While search results mention Glassworm and OpenVSX, the specific details about trojanized extensions disguised as 'time trackers and code formatters' are not explicitly detailed in the provided evidence snippets.
web search NEUTRAL — May 22, 2026 · Github Was Hacked GitHub has officially confirmed the claim of the Hackers' group called TeamPCP. This is how it happened An internal ...
https://www.facebook.com/groups/skillsarewa/posts/2678948560…
web search NEUTRAL — May 28, 2026 · CrowdStrike, Google, and the Shadowserver Foundation jointly dismantled the Glassworm botnet on May 27, 2026, cutting off a supply-chain ...
https://mlq.ai/news/crowdstrike-and-google-dismantle-glasswo…
web search NEUTRAL — Explore the latest news, real-world incidents, expert analysis, and trends in Visual Studio Code — only on The Hacker News, the leading cybersecurity and IT ...
https://thehackernews.com/search/label/Visual+Studio+Code?m=…
Claim 11: “Poisoned GitHub repositories added to the campaign, with credentials harvested from earlier Glassworm infections used to force-push and poison more than 300 repositories.”
SINGLE SOURCE
The claim that credentials were used to poison more than 300 repositories is mentioned in the context of GlassWorm's behavior by Koi Security, but not corroborated by multiple independent news reports in the provided text.
wikipedia NEUTRAL — Open VSX is an open-source registry for extensions compatible with the Visual Studio Code extension API. The project is hosted by the Eclipse Foundation and provides a vendor-neutral alternative to Mi…
https://en.wikipedia.org/wiki/Open_VSX
web search NEUTRAL — According to Koi Security, this malware harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It uses stolen …
https://malpedia.caad.fkie.fraunhofer.de/details/js.glasswor…
web search NEUTRAL — 2025-10-18 (Back to Inventory) Propose Change GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace
https://malpedia.caad.fkie.fraunhofer.de/library/7b51635e-61…
Claim 12: “The cross-platform operation affected Windows, macOS and Linux.”
CORROBORATED
Multiple independent sources confirm the operation affected Windows, macOS, and Linux.
web search NEUTRAL — May 26, 2026 · This cross-platform operation affected Windows, macOS, and Linux systems, with capabilities spanning information theft, credential harvesting, ...
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-ta…
web search NEUTRAL — May 28, 2026 · The malware ran on Windows, macOS, and Linux systems and included functionality for credential harvesting, data theft, and remote access.
https://www.techzine.eu/news/security/141647/crowdstrike-tak…
web search NEUTRAL — May 28, 2026 · The malware used invisible Unicode-based code injection to evade visual detection and targeted developers across Windows, macOS, and Linux ...
https://mlq.ai/news/crowdstrike-and-google-dismantle-glasswo…
Claim 13: “The botnet's command and control server addresses were encoded in the memo fields of Solana blockchain transactions.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results regarding the use of Solana blockchain transaction memo fields for C2 addresses.

Disclaimer: This analysis is generated by AI and should be used as a starting point for critical thinking, not as definitive truth. Claims are verified against publicly available sources. Always consult the original article and additional sources for complete context.