GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
ID: 173a1591-d36a-5fa5-a1a3-19c7bdf2ab79
STIX ID: report--173a1591-d36a-5fa5-a1a3-19c7bdf2ab79
Feed Name: The Hacker News
CrowdStrike, in partnership with Google and the Shadowserver Foundation, disrupted all command-and-control channels for GlassWorm, a developer-focused supply-chain campaign active since at least early 2025. The campaign used trojanized VS Code extensions and compromised npm/Python packages to deploy the GlassWormRAT data-stealer, harvest developer credentials and crypto wallets, and convert infected hosts into proxies, HVNC servers, and remote execution nodes. It reportedly poisoned over 300 GitHub repositories and is attributed to likely Russia-based cybercriminals.
