eFinder

How the Glassworm Takedown Secures Digital Supply Chains

Topics: Cybersecurity Infrastructure, Supply Chain Security, Corporate Brand Positioning

What to know about Cybersecurity Infrastructure

CrowdStrike, in collaboration with Google and the Shadowserver Foundation, has dismantled the Glassworm botnet, which targeted software developers via malicious extensions and packages. The operation involved the simultaneous disruption of four decentralized command-and-control channels, including the Solana blockchain and BitTorrent DHT.

Propaganda risk 20%
Claims checked 14
Techniques found 1
Topics 3

Coverage spectrum

Coverage gap: Low Left coverage
Left: 0%
Center: 100%
Right: 0%

2 sources compared across this story cluster. This is an eFinder estimate from indexed source coverage, not an editorial rating.

What happened

CrowdStrike has taken down a botnet that targets developers with access to source code repositories, cloud infrastructure and package registries.

Why it matters

The Glassworm operation uses four separate command and control channels to maintain activity even when parts of the network are disabled.

Common ground

The cybersecurity firm works with Google and the Shadowserver Foundation to dismantle the infrastructure.

Perspective signals

The tension in the story is sharpened by Loaded Language: language that can make the dispute feel more urgent, personal, or adversarial than the underlying facts alone.


Analysis

20%
Propaganda Score
confidence: 95%
Minor concerns. Some persuasive language detected, but largely factual.

Propaganda Techniques Detected

eFinder identified 1 propaganda technique in this article. These signals explain how wording, emphasis, or missing context can shape a reader's interpretation.

Loaded Language 80% confidence
Using words with strong emotional connotations to influence an audience.
Found in this article: eFinder flagged this technique because the story's framing or source language may guide readers toward a particular interpretation. Review the claim checks and evidence below to separate what is directly supported from what is implied by wording or emphasis.
Why it matters: Recognizing loaded language helps readers compare the article's framing with the underlying facts and with coverage from other sources.

Claims Checked

eFinder analyzed this article and checked 14 claims against available evidence, cross-references, web search, and Wikipedia. Here is what the fact-checking layer found.

Corroborated: 6
Pending: 4
Single Source: 2
Verified By Reference: 1
Insufficient Evidence: 1

Claim 1: “GlasswormRAT queries the BitTorrent Distributed Hash Table for hardcoded public keys.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 2: “Credentials harvested from earlier Glassworm infections are used to force-push malicious code to over 300 repositories.”
VERIFIED BY REFERENCE
The provided Wikipedia result is about the Open VSX registry and does not mention the 300 repositories or force-pushing. No other relevant evidence was provided for this specific claim.
wikipedia NEUTRAL — Open VSX is an open-source registry for extensions compatible with the Visual Studio Code extension API. The project is hosted by the Eclipse Foundation and provides a vendor-neutral alternative to Mi…
https://en.wikipedia.org/wiki/Open_VSX
Claim 3: “Glassworm operators begin targeting developers in early 2025.”
CORROBORATED
Both a cross-reference and a web search result confirm that Glassworm operators began targeting developers in early 2025. (Note: Wikipedia results provided were about insects and irrelevant).
wikipedia NEUTRAL — Chaoborus is a genus of midges in the family Chaoboridae. The larvae are known as glassworms because they are transparent. They can be found commonly in lakes all over the world and can be up to 2 cm …
https://en.wikipedia.org/wiki/Chaoborus
wikipedia NEUTRAL — Chaoborus edulis is a species of phantom midges (flies in the family Chaoboridae). Colloquially, the larval stage is termed a glassworm. It is one of the species of insect processed into kunga cakes.
https://en.wikipedia.org/wiki/Chaoborus_edulis
wikipedia NEUTRAL — Open VSX is an open-source registry for extensions compatible with the Visual Studio Code extension API. The project is hosted by the Eclipse Foundation and provides a vendor-neutral alternative to Mi…
https://en.wikipedia.org/wiki/Open_VSX
+ 4 more evidence sources
Claim 4: “The malicious extensions infect users of Cursor, Positron, Windsurf, VSCodium and other integrated development environments.”
CORROBORATED
Two separate web search results explicitly list Cursor, Positron, Windsurf, and VSCodium as IDEs infected by the malicious extensions.
web search NEUTRAL — The operators published trojanized VSCode extensions to the OpenVSX marketplace, disguised as legitimate tools such as time trackers and code formatters. These malicious extensions also targeted other…
https://www.rescana.com/post/glassworm-malware-takedown-disr…
web search NEUTRAL — This is not the first time GlassWorm resorted to using native compiled code in extensions. However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the k…
https://www.aikido.dev/blog/glassworm-zig-dropper-infects-ev…
web search NEUTRAL — The malicious extensions infect users of Cursor, Positron, Windsurf, VSCodium and other integrated development environments. Compromised npm and Python packages introduce malicious code through postin…
https://supplychaindigital.com/news/how-the-glassworm-takedo…
Claim 5: “Compromised npm and Python packages introduce malicious code through postinstall hooks and setup scripts.”
SINGLE SOURCE
Only one relevant source (Supply Chain Digital) explicitly mentions the use of postinstall hooks and setup scripts in npm and Python packages. Other search results for this claim were irrelevant.
web search NEUTRAL — Oct 25, 2022 · I am trying out using the Netflix DGS library in Springboot, and have followed the documentation for getting started. Current status is, if I am not including DGS as a dependency, appli…
https://stackoverflow.com/questions/74194025/getting-error-w…
web search NEUTRAL — Explanation of command line options: -f mp4 = Output format mp4 --all-subs = Download all subtitles -o "file-name-to-save-as.mp4" = Name of the file to save the video as. "https://link-from-Google_Chr…
https://stackoverflow.com/questions/42901942/how-do-we-downl…
web search NEUTRAL — Jul 28, 2017 · 9 i have created two java spring-boot micro services they are 1) producer 2) consumer and i have used spring eureka server for service registration and discovery . it worked fine . then…
https://stackoverflow.com/questions/45363163/what-is-the-dif…
Claim 6: “Google Calendar events and commercial virtual servers distribute instructions and payloads to infected machines.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 7: “Trojanised VSCode extensions appear on the OpenVSX marketplace disguised as time trackers and code formatters.”
CORROBORATED
Multiple sources confirm the presence of malicious VSCode extensions on the OpenVSX marketplace, with one specifically mentioning they were disguised as tools like time trackers and code formatters.
web search NEUTRAL — Apr 25, 2026 · Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery ...
https://socket.dev/blog/73-open-vsx-sleeper-extensions-glass…
web search NEUTRAL — Jan 26, 2026 · Security researchers found two AI-branded VS Code extensions with 1.5M installs that covertly send source code and files to China-based ...
https://thehackernews.com/2026/01/malicious-vs-code-ai-exten…
web search NEUTRAL — “GlassWorm,” a VS Code extension worm, hides injected code via Unicode tricks, uses Solana blockchain and public Google Calendar as C2, and turns compromised ...
https://www.linkedin.com/posts/securecontainprotect_maliciou…
Claim 8: “The cybersecurity firm works with Google and the Shadowserver Foundation to dismantle the infrastructure.”
CORROBORATED
Three separate web search results explicitly state that CrowdStrike collaborated with Google and the Shadowserver Foundation to dismantle the infrastructure.
web search NEUTRAL — May 26, 2026 ... ... open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and ...
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-ta…
web search NEUTRAL — May 28, 2026 ... Google, Shadowserver Foundation and CrowdStrike took down a Russian ... dismantle the infrastructure that powers organised cybercrime.
https://cybermagazine.com/news/crowdstrike-and-google-disman…
web search NEUTRAL — May 27, 2026 ... CrowdStrike worked in a coordinated effort with Google and the Shadowserver Foundation to go after Glassworm, which the company said was ...
https://www.cybersecuritydive.com/news/takedown-glassworm-bo…
Claim 9: “The operation also deploys GlasswormRAT, a cross-platform Node.js remote access tool.”
INSUFFICIENT EVIDENCE
No evidence was found in the provided search results to support the existence or deployment of 'GlasswormRAT'.
Claim 10: “Command and control server addresses are encoded in memo fields of Solana blockchain transactions.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 11: “The Glassworm operation uses four separate command and control channels to maintain activity even when parts of the network are disabled.”
CORROBORATED
The claim that the infrastructure used four separate command and control channels is confirmed by both a cross-reference (Technologymagazine) and a web search result (Inside CrowdStrike's Takedown).
web search NEUTRAL — May 29, 2026 ... The Glassworm botnet uses blockchain and BitTorrent to target developers and compromise software supply chains across Windows, ...
https://supplychaindigital.com/news/how-the-glassworm-takedo…
web search NEUTRAL — May 26, 2026 ... Learn how CrowdStrike's Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, which targeted software ...
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-ta…
web search NEUTRAL — Oct 24, 2025 ... The sophisticated GlassWorm malware affected VS Code extensions, using invisible Unicode to steal credentials and install a full RAT on ...
https://fluidattacks.com/blog/glassworm-vs-code-extensions-s…
+ 1 more evidence source
Claim 12: “All major operating systems are affected by the campaign.”
SINGLE SOURCE
While one source mentions compromising supply chains across Windows, there is no explicit confirmation that 'all major operating systems' are affected; the evidence is too narrow to corroborate the 'all' claim.
web search NEUTRAL — May 29, 2026 ... The Glassworm botnet uses blockchain and BitTorrent to target developers and compromise software supply chains across Windows, ...
https://supplychaindigital.com/news/how-the-glassworm-takedo…
web search NEUTRAL — Mar 16, 2026 ... GlassWorm campaign injects malware into GitHub Python repos using stolen tokens since March 8, 2026, exposing developers to supply-chain ...
https://thehackernews.com/2026/03/glassworm-attack-uses-stol…
web search NEUTRAL — Oct 20, 2025 ... The sophisticated worm — which uses invisible code to steal credentials and compromise developer systems — has so far infected nearly 36k ...
https://www.darkreading.com/application-security/self-propag…
Claim 13: “CrowdStrike has reason to believe the criminals behind the operation are likely based in Russia.”
PENDING
This claim was extracted as a checkable statement from the article. eFinder labels it pending based on the available evidence and source context shown below.
Claim 14: “CrowdStrike has taken down a botnet that targets developers with access to source code repositories, cloud infrastructure and package registries.”
CORROBORATED
Multiple independent web search results confirm that CrowdStrike dismantled the Glassworm botnet which targeted developers with access to source code repositories, cloud infrastructure, and package registries.
web search NEUTRAL — Developers were high value targets as they had access to source code repositories, cloud systems, CI/CD pipelines and package registries. A single developer compromise could hence snowball into supply…
https://technologymagazine.com/news/how-google-and-crowdstri…
web search NEUTRAL — The Threat: Targeting Developers. Since at least early 2025, Glassworm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms…
https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-ta…
web search NEUTRAL — From early in 2025, Glassworm operators had been systematically targeting their prey of choice – developers, high value targets with access to source code repos, cloud, CI/CD pipelines and package reg…
https://cybermagazine.com/news/crowdstrike-and-google-disman…

Disclaimer: This analysis is generated by AI and should be used as a starting point for critical thinking, not as definitive truth. Claims are verified against publicly available sources. Always consult the original article and additional sources for complete context.