Glassworm botnet disrupted after resilient C2 infrastructure takedown
ID: 7ba4e14a-402b-5d8c-8950-a833fc6f0105
STIX ID: report--7ba4e14a-402b-5d8c-8950-a833fc6f0105
Feed Name: Bleeping Computer
Researchers from CrowdStrike, Google, and Shadowserver disrupted the Glassworm botnet, a supply-chain-focused malware campaign that infected developers through malicious OpenVSX/VS Code extensions, GitHub repositories, and npm packages, by simultaneously taking down four resilient C2 channels (Solana memo fields, BitTorrent DHT, Google Calendar dead-drops, and direct VPS servers). Glassworm stole cryptocurrency wallets and developer credentials and affected hundreds of software artifacts. Since the disruption, infected hosts have been beaconing to the CrowdStrike-controlled IP 164.92.88.210; YARA rules and IOCs have been published for detection and remediation.
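The practical follow-up for a defender is to find which internal hosts are still beaconing to the CrowdStrike-controlled address named in the report. The script below is an added example, not code from Bleeping Computer or from the researchers; it assumes a simple `ts src=… dst=… dport=… proto=…` log format (a hypothetical format chosen for illustration) and runs over a few constructed log lines. It parses each line instead of doing a substring search so that hits are attributed to a source host and a near-miss destination such as `164.92.88.2` is not confused with the indicator.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator taken from the report: the CrowdStrike-controlled IP that infected
# hosts beacon to after the disruption.
SINKHOLE_IP = "164.92.88.210"

# Hypothetical key=value firewall/proxy log format (an assumption for this
# example, not the format of any particular product).
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)"
    r"(?:\s+proto=(?P<proto>\w+))?"
)

# Constructed sample log lines; timestamps and internal addresses are made up,
# and 203.0.113.5 is an RFC 5737 documentation address standing in for
# ordinary benign traffic.
SAMPLE_LOGS = [
    "2026-01-01T10:00:00Z src=10.0.5.17 dst=164.92.88.210 dport=443 proto=tcp",
    "2026-01-01T10:00:03Z src=10.0.5.23 dst=203.0.113.5 dport=443 proto=tcp",
    "2026-01-01T10:05:00Z src=10.0.5.17 dst=164.92.88.210 dport=443 proto=tcp",
    "malformed line that should be skipped, not crash the scan",
    "2026-01-01T10:07:12Z src=10.0.5.40 dst=164.92.88.210 dport=80",
    "2026-01-01T10:09:00Z src=10.0.5.23 dst=164.92.88.2 dport=443 proto=tcp",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": (m["proto"] or "tcp").lower(),
    }


def find_beaconing_hosts(lines, indicator=SINKHOLE_IP):
    """Map each internal source IP to the list of (ts, dport) connections it
    made to the indicator address. Comparison is on parsed IP objects, so a
    destination like 164.92.88.2 is never mistaken for 164.92.88.210."""
    target = ipaddress.ip_address(indicator)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # octet out of range, etc.
        if dst == target:
            hits[rec["src"]].append((rec["ts"], rec["dport"]))
    return dict(hits)


def summarize(hits):
    """Condense per-host hits into count, first-seen and last-seen, which is
    what a remediation ticket needs."""
    return {
        src: {"count": len(conns), "first": conns[0][0], "last": conns[-1][0]}
        for src, conns in hits.items()
    }


if __name__ == "__main__":
    for src, info in sorted(summarize(find_beaconing_hosts(SAMPLE_LOGS)).items()):
        print(f"{src}: {info['count']} beacon(s), first {info['first']}, last {info['last']}")
```

Hosts listed by `summarize` are candidates for the YARA rules and IOCs the report says have been published; the connection log only shows that a host contacted the address, so host-level triage (extension and package inventories, credential rotation) still has to follow.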