Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
ID: 35449478-dc20-5320-b80c-c165a4847cd0
STIX ID: report--35449478-dc20-5320-b80c-c165a4847cd0
Feed Name: Crowdstrike Blog
CrowdStrike describes a coordinated takedown of “Glassworm,” a sophisticated, supply-chain-focused botnet that targeted software developers by distributing trojanized VSCode extensions, malicious npm/PyPI packages, and poisoned GitHub repositories to deliver a Node.js RAT and credential-stealing components. The report details resilient C2 mechanisms (Solana memo fields, BitTorrent DHT, Google Calendar dead-drops, and direct servers), shares an IOC (beacon IP 164.92.88.210) and YARA rules, and emphasizes the broad, high-impact risk to developer ecosystems and dependent organizations.
