GlassWorm Malware Infrastructure Disrupted Following Supply Chain Attacks On Developers


Cybersecurity firms and technology organizations have disrupted the infrastructure behind GlassWorm, a malware campaign that has been targeting software developers through malicious extensions and compromised software packages since early 2025. CrowdStrike announced that, in coordination with Google and Shadowserver Foundation, it successfully disrupted all known command and control channels linked to the malware operation. Security researchers said GlassWorm specifically targeted software developers due to their access to critical environments such as source code repositories, cloud platforms, continuous integration and deployment pipelines, and package registries. By compromising developer systems, attackers gained opportunities to impact thousands of downstream organizations and software users through supply chain compromise techniques.

According to CrowdStrike, GlassWorm used a multi-layered campaign involving trojanized Visual Studio Code extensions distributed through the Microsoft VS Code Marketplace and Open VSX. The malicious extensions also affected users of development platforms and forks such as Cursor, Positron, Windsurf, and VSCodium. Researchers found that attackers also injected malicious code into compromised npm and Python packages, enabling malware delivery through trusted software ecosystems. Once installed, the malware deployed a data-theft framework capable of stealing credentials, cryptocurrency wallet data, and system information from infected devices. Researchers at Endor Labs stated that later variants of the malware introduced a WebSocket-based remote access trojan called GlassWormRAT, which enabled browser data theft, arbitrary code execution, and unauthorized installation of malicious Google Chrome extensions. These browser extensions reportedly captured screenshots, keystrokes, clipboard content, and other sensitive information from infected systems.
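Because the campaign reached developers through extensions installed into VS Code and its forks, the first response step on a developer workstation is to inventory what is installed across all of those editors and compare it against a published blocklist. The script below is an added example, not code from the article or from CrowdStrike, Google, or Shadowserver: it walks each editor's extension directory, reads every extension's package.json, and reports matches. The default directory paths and the blocklist contents are assumptions (the article publishes no indicators); it builds a constructed sample tree so it can be run offline.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed default per-user extension directories for VS Code and the forks the
# article names (Cursor, Positron, Windsurf, VSCodium). Verify on your own hosts.
DEFAULT_EXTENSION_DIRS = [
    "~/.vscode/extensions",
    "~/.cursor/extensions",
    "~/.positron/extensions",
    "~/.windsurf/extensions",
    "~/.vscode-oss/extensions",
]


def inventory_extensions(base_dirs):
    """Return one record per extension directory: id (publisher.name, lowercased),
    version and path. Unreadable or malformed manifests are kept in the list so a
    responder sees them rather than silently losing them."""
    found = []
    for base in base_dirs:
        base_path = Path(os.path.expanduser(base))
        if not base_path.is_dir():
            continue
        for ext_dir in sorted(base_path.iterdir()):
            manifest = ext_dir / "package.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                publisher = str(data.get("publisher", "")).lower()
                name = str(data.get("name", "")).lower()
                record = {"id": f"{publisher}.{name}",
                          "version": str(data.get("version", "")),
                          "path": str(ext_dir)}
            except (OSError, ValueError):
                record = {"id": f"<unreadable:{ext_dir.name}>",
                          "version": "", "path": str(ext_dir)}
            found.append(record)
    return found


def match_blocklist(inventory, blocklist):
    """blocklist entries are 'publisher.name' (any version) or
    'publisher.name@version' (exact version), compared case-insensitively."""
    wanted = {entry.lower() for entry in blocklist}
    return [ext for ext in inventory
            if ext["id"] in wanted or f"{ext['id']}@{ext['version']}" in wanted]


def build_sample_tree(root):
    """Constructed sample data (not real extensions): a clean extension, one
    that we pretend is blocklisted, and one with a corrupt manifest."""
    samples = {
        ".vscode/extensions/acme.good-tool-1.0.0":
            {"publisher": "acme", "name": "good-tool", "version": "1.0.0"},
        ".cursor/extensions/Example.Suspect-Ext-2.3.1":
            {"publisher": "Example", "name": "Suspect-Ext", "version": "2.3.1"},
        ".vscode-oss/extensions/broken-ext": None,
    }
    for rel, manifest in samples.items():
        ext_dir = Path(root) / rel
        ext_dir.mkdir(parents=True, exist_ok=True)
        body = json.dumps(manifest) if manifest is not None else "{not json"
        (ext_dir / "package.json").write_text(body, encoding="utf-8")
    return [str(Path(root) / p)
            for p in (".vscode/extensions", ".cursor/extensions",
                      ".vscode-oss/extensions")]


def run_demo():
    """Build the sample tree in a temp dir and run inventory plus blocklist match.
    The blocklist below is a placeholder; substitute published indicators."""
    root = tempfile.mkdtemp(prefix="ext-inventory-")
    dirs = build_sample_tree(root)
    inventory = inventory_extensions(dirs)
    placeholder_blocklist = {"example.suspect-ext@2.3.1"}
    return inventory, match_blocklist(inventory, placeholder_blocklist)


if __name__ == "__main__":
    inv, hits = run_demo()
    for ext in inv:
        print("installed:", ext["id"], ext["version"], ext["path"])
    for ext in hits:
        print("BLOCKLIST HIT:", ext["id"], ext["version"], ext["path"])
```

On a real host, call `inventory_extensions(DEFAULT_EXTENSION_DIRS)` and feed a vendor-published list into `match_blocklist`; the inventory is also worth keeping as a baseline so that a later run shows which extensions appeared after a given date.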

Researchers explained that GlassWorm operators sought developer credentials related to GitHub, npm, Open VSX tokens, and cryptocurrency wallets to expand access into repositories and distribute compromised software further. Infected systems were also transformed into covert infrastructure, functioning as SOCKS proxies, hidden VNC (virtual network computing) servers, and remote execution nodes using WebRTC or Node.js processes. This approach enabled attackers to create anonymous pathways into corporate and personal environments while supporting continued propagation of malicious activity. Security analysts estimate that more than 300 GitHub repositories were compromised through stolen developer credentials during the campaign. CrowdStrike noted that the operation demonstrated unusual resilience because attackers maintained four separate command and control methods to ensure continuity if one communication channel became unavailable.

The malware campaign reportedly relied on unconventional methods to maintain communication with infected devices. Researchers found that attackers used Solana blockchain transactions to store command server addresses within memo fields, enabling infected systems to retrieve instructions indirectly. Additional communication methods involved the BitTorrent Distributed Hash Table network for configuration retrieval and Google Calendar event titles used to deliver command and control information. The final communication channel relied on direct connections to virtual private servers hosted by commercial providers. Security experts stated that all four channels were disrupted simultaneously, preventing infected systems from receiving new commands or malicious payloads. CrowdStrike described the actors behind GlassWorm as persistent and well-resourced, with indications suggesting links to Russia-based cybercriminal operations due to Russian-language comments in the code and the malware's behavior of terminating activity on systems located in Commonwealth of Independent States countries. Researchers warned that software supply chain attacks continue to present substantial risk as attackers increasingly exploit trusted development environments, software dependencies, and update mechanisms to expand their reach.
