The Glassworm botnet, a global operation targeting software developers through the open-source supply chain, was disrupted Wednesday in a coordinated takedown led by CrowdStrike.
All four of the botnet’s command-and-control channels were targeted simultaneously, effectively disconnecting the channels from the infected computers and leaving them unable to deliver malicious payloads, according to a blog post from the cybersecurity company.
Since early 2025, Glassworm’s operators have been targeting developers, who have access to source code repositories, continuous integration/continuous delivery pipelines, package registries and cloud platforms, CrowdStrike said.
The botnet had a full range of malicious capabilities, including credential harvesting and data theft. It included a Node.js remote access tool called GlasswormRAT.
CrowdStrike worked in a coordinated effort with Google and the Shadowserver Foundation to go after Glassworm, which the company said was likely based in Russia.
More than 300 GitHub repositories were poisoned during the Glassworm campaign, which harvested credentials from prior attacks.
Malicious code was introduced using compromised npm and Python packages. In addition, Trojanized VS Code extensions were published to the Open VSX marketplace.
Researchers said the botnet’s C2 architecture was built to maintain resilience and withstand traditional disruption attempts.