CrowdStrike, Google disrupt GlassWorm C2 targeting developers
CrowdStrike and Google, with the Shadowserver Foundation, disabled all GlassWorm command-and-control channels used to deliver malicious VS Code extensions and poisoned npm and Python packages.
CrowdStrike, in coordination with Google and the Shadowserver Foundation, said it simultaneously disabled all command-and-control channels used by the GlassWorm campaign. The action cut off the multi-layer C2 infrastructure so infected machines can no longer receive new instructions or payloads. CrowdStrike reported the campaign has been active since at least early 2025.
GlassWorm targeted software developers by publishing trojanized Visual Studio Code extensions to the Microsoft VS Code Marketplace and Open VSX and by pushing compromised packages to npm and Python registries. The malicious extensions reached users of VS Code forks including Cursor, Positron, Windsurf and VSCodium.
Analysis by CrowdStrike and partner researchers found the malware delivered a data-theft framework built to harvest credentials, exfiltrate cryptocurrency wallet data and profile systems. Later iterations deployed a JavaScript remote access trojan called GlassWormRAT that uses WebSocket connections to steal browser data and run arbitrary code. Investigators observed the malware installing a Google Chrome extension that collected screenshots, keystrokes and clipboard content.
Endor Labs researcher Kiran Raj wrote: “Once active, the malware searches the host for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), enabling further compromise of repositories and package uploads.” Infected machines were also used as covert infrastructure: SOCKS proxies, hidden VNC servers and remote execution nodes via WebRTC or spawned Node.js processes, providing anonymized network access and a platform for further propagation.
The campaign relied on four resolution layers to protect its C2 servers: storing C2 addresses in Solana blockchain transaction memo fields, querying the BitTorrent Distributed Hash Table for configuration data, reading Google Calendar event titles to fetch addresses, and maintaining direct connections to servers on commercial VPS providers. Because an implant that loses one resolution path can fall back to another, taking the layers down one at a time would only have shifted command traffic; CrowdStrike said neutralizing all four at once is what prevented further command flow to infected hosts.
CrowdStrike reported the operation affected more than 300 GitHub repositories that were poisoned using stolen developer credentials. The company attributed the activity to likely Russia-based cybercriminals, citing the malware's behavior of terminating on systems located in Commonwealth of Independent States countries and the presence of Russian-language comments. The coordinated disruption was intended to prevent further propagation and give defenders time to clean endpoints and revoke compromised tokens and credentials. CrowdStrike noted that affected developers and organizations still need to complete the remaining remediation work: remove packages uploaded with their credentials and rotate the stolen tokens.
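The remediation CrowdStrike describes starts with knowing what is on the box: which extensions are installed across VS Code and its forks, and which developer tokens a stealer of this kind would have read. The script below is an added triage example, not code from CrowdStrike, Google, Endor Labs or the GlassWorm campaign. The extension directory names, the token file locations and the regexes are assumptions for the example (conventional Linux/macOS defaults), the sample home directory it builds is constructed data, and it deliberately prints tokens masked so the output can be pasted into a ticket without leaking the secret being rotated.

```python
"""Added triage example (not CrowdStrike's or Endor Labs' code): inventory the
extension directories of VS Code and its forks and the developer token stores a
stealer like GlassWorm would read, so the review-and-rotate list is explicit."""
import json
import re
import tempfile
from pathlib import Path

# Default extension directories, relative to the home directory. These are the
# conventional Linux/macOS locations and are an ASSUMPTION of this example,
# not paths taken from the CrowdStrike report; adjust for your platform.
EXTENSION_DIRS = {
    "vscode": ".vscode/extensions",
    "vscodium": ".vscode-oss/extensions",
    "cursor": ".cursor/extensions",
    "windsurf": ".windsurf/extensions",
    "positron": ".positron/extensions",
}

# Token stores worth rotating after a compromise. Paths and patterns are
# assumptions for the example; GitHub/npm/OpenVSX tokens may also live in
# environment variables or CI secrets, which this does not cover.
TOKEN_PATTERNS = {
    "npm": (".npmrc", re.compile(r"_authToken\s*=\s*(\S+)")),
    "github-cli": (".config/gh/hosts.yml", re.compile(r"oauth_token:\s*(\S+)")),
}


def inventory_extensions(home):
    """Return [(editor, publisher, name, version)] for every extension whose
    package.json is readable under the known extension directories."""
    found = []
    for editor, rel in EXTENSION_DIRS.items():
        root = Path(home) / rel
        if not root.is_dir():
            continue
        for pkg in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(pkg.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: inspect by hand
            found.append((editor, str(meta.get("publisher", "?")),
                          str(meta.get("name", "?")), str(meta.get("version", "?"))))
    return found


def unexpected_extensions(inventory, allowlist):
    """Extensions whose 'publisher.name' identifier is not on the allowlist."""
    return [e for e in inventory if f"{e[1]}.{e[2]}" not in allowlist]


def find_tokens(home):
    """Return [(kind, path, masked_token)]; only the last 4 characters of each
    token are kept so the secret is identifiable for revocation but not leaked."""
    hits = []
    for kind, (rel, pattern) in TOKEN_PATTERNS.items():
        path = Path(home) / rel
        if not path.is_file():
            continue
        for m in pattern.finditer(path.read_text(encoding="utf-8", errors="replace")):
            tok = m.group(1)
            hits.append((kind, str(path), "*" * max(len(tok) - 4, 0) + tok[-4:]))
    return hits


def build_sample_home():
    """Constructed sample home directory (fake data) so the example runs offline."""
    home = Path(tempfile.mkdtemp(prefix="glassworm-triage-"))
    exts = [("vscode", "ms-python", "python", "2024.1.0"),
            ("cursor", "unknown-pub", "helper-tools", "0.0.3")]
    for editor, pub, name, ver in exts:
        d = home / EXTENSION_DIRS[editor] / f"{pub}.{name}-{ver}"
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(
            {"publisher": pub, "name": name, "version": ver}), encoding="utf-8")
    (home / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_EXAMPLE0000abcd\n", encoding="utf-8")
    return str(home)


if __name__ == "__main__":
    home = build_sample_home()
    inv = inventory_extensions(home)
    for e in unexpected_extensions(inv, {"ms-python.python"}):
        print("review extension:", e)
    for t in find_tokens(home):
        print("rotate token:", t)
```

Run it against a real home directory by replacing `build_sample_home()` with the user's `$HOME` and an allowlist built from the team's approved extension identifiers; anything it flags is a candidate for removal and every token it lists should be revoked at the issuer, since the stealer read the file, not a masked copy.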