GlassWorm C2 Infrastructure Collapse: Google, CrowdStrike and Shadowserver Execute Massive Supply Chain Takedown + Video

Listen to this Post

Featured Image

Introduction

A major coordinated cybersecurity operation has dismantled the command-and-control (C2) backbone of the GlassWorm campaign, a sophisticated supply chain attack that targeted software developers worldwide. The joint effort by CrowdStrike, Google, and the Shadowserver Foundation marks one of the most significant disruptions of a developer-focused malware ecosystem in recent years, cutting off attackers from infected systems and halting ongoing exploitation.

the Original Report (GlassWorm Operation Overview)

CrowdStrike, working alongside Google and the Shadowserver Foundation, confirmed the simultaneous takedown of all command-and-control channels linked to the GlassWorm cyber campaign, a long-running supply chain attack focused on software developers and their ecosystems.
The attackers, active since early 2025, specifically targeted developers due to their privileged access to source code repositories, cloud platforms, CI/CD pipelines, and package registries.
By compromising developer environments, the threat actors could potentially cascade infections across thousands of downstream organizations.
GlassWorm deployed malicious payloads through trojanized Visual Studio Code extensions distributed on both the official Microsoft VS Code Marketplace and Open VSX, affecting users of derivative editors such as Cursor, Windsurf, Positron, and VSCodium.
The attackers also injected malware into compromised npm and Python packages, expanding their infection surface across multiple programming ecosystems.
Their primary objective was to deploy a data-stealing framework capable of harvesting credentials, extracting cryptocurrency wallets, and profiling infected systems.
Later versions introduced GlassWormRAT, a WebSocket-based JavaScript remote access tool capable of executing commands, stealing browser data, and deploying additional payloads.
The malware also installed malicious Chrome extensions designed to capture screenshots, keystrokes, and clipboard data from infected machines.
Security researchers noted that infected systems were turned into covert infrastructure nodes, including SOCKS proxies, hidden VNC services, and remote execution environments.
These compromised hosts enabled attackers to pivot into corporate networks while maintaining anonymity and persistence.
Over 300 GitHub repositories were reportedly poisoned using stolen developer credentials harvested during the campaign.
What made GlassWorm particularly resilient was its use of four separate C2 channels for redundancy and survivability.
These included the Solana blockchain as a dead-drop resolver, embedding C2 data in transaction memos.
It also leveraged the BitTorrent DHT network to retrieve configuration data in a decentralized manner.
Google Calendar was abused as another covert channel, hiding infrastructure details inside event titles.
In addition, direct connections to VPS-hosted C2 servers were used as fallback infrastructure.
This multi-layered design made takedown efforts significantly more complex by dispersing control signals across legitimate platforms.
CrowdStrike confirmed that all four C2 layers were simultaneously neutralized in a coordinated global disruption.
The operation effectively severed communication between infected hosts and attacker infrastructure.
Researchers described the GlassWorm operators as well-resourced and highly persistent, likely linked to Russia-based threat actors.
This attribution is based on behavioral patterns such as CIS-region avoidance and embedded Russian-language code comments.
CrowdStrike emphasized that software supply chains remain one of the most dangerous and scalable attack surfaces in modern cybersecurity.
The GlassWorm campaign demonstrates how attackers weaponize developer trust and dependency ecosystems.
Security experts warn that as long as build pipelines and repositories remain exposed, supply chain attacks will continue to expand in scale and sophistication.

What Undercode Say:

Developer Ecosystems as High-Value Targets

The GlassWorm campaign reinforces a critical shift in cyber warfare: attackers are no longer focusing on end-users but on developers themselves. By compromising developers, threat actors gain indirect access to entire software ecosystems, making a single breach exponentially more dangerous.

Supply Chain Attacks Are Becoming Modular and Persistent

GlassWorm shows how modern malware is designed as a modular ecosystem rather than a single payload. With extensions, packages, and multi-language support, attackers ensured flexibility and resilience across environments, making detection significantly harder.

Multi-Channel C2 Architecture Signals Advanced Operational Design

The use of blockchain, BitTorrent DHT, and Google Calendar demonstrates a deliberate effort to hide command infrastructure inside legitimate systems. This hybrid approach blurs the line between normal traffic and malicious communication.

Credential Harvesting as the Core Economic Engine

Instead of purely destructive goals, GlassWorm prioritizes credential theft, especially GitHub tokens, npm keys, and wallet data. These assets allow attackers to scale their intrusion into supply chain pipelines and monetize access repeatedly.

Malware Turning Systems into Infrastructure Nodes

Infected systems were not just victims but actively repurposed into operational infrastructure such as SOCKS proxies and hidden VNC servers. This transforms compromised machines into distributed attacker networks.

Blockchain Abuse as a Dead-Drop Innovation

Using Solana blockchain memos as a C2 resolver is a significant evolution in malware design. Blockchain’s immutability and decentralization make takedowns extremely difficult once data is published.

Cross-Ecosystem Infection Strategy

By targeting VS Code extensions, npm, and Python packages simultaneously, GlassWorm ensured coverage across multiple developer stacks. This cross-ecosystem approach increases infection probability dramatically.

Persistence Through Legitimate Platforms

Abusing Google Calendar and public marketplaces demonstrates how attackers rely on trusted infrastructure to maintain stealth. This makes detection harder since traffic blends into legitimate user behavior.

Coordinated Takedown Impact

The simultaneous disruption of all C2 channels is rare and indicates high-level coordination among cybersecurity organizations. This effectively neutralizes active control but may not remove all implanted backdoors.

Strategic Attribution to Nation-State Behavior

Indicators such as CIS-region avoidance and Russian-language artifacts suggest a likely Russia-linked cybercriminal ecosystem, though attribution remains probabilistic rather than definitive.

Long-Term Supply Chain Risk Exposure

GlassWorm confirms that modern development pipelines remain structurally vulnerable. Without stronger signing, verification, and dependency controls, similar attacks will continue evolving.

Fact Checker Results

Verified Multi-Vector Infection Strategy

✔ Confirmed use of VS Code extensions, npm, and Python packages as infection vectors across developer ecosystems.

Confirmed Use of Alternative C2 Channels

✔ Blockchain, BitTorrent DHT, and Google Calendar abuse are documented techniques used in the campaign.

Attribution Remains Probabilistic

⚠ Russia-linked attribution is based on behavioral indicators, not definitive proof.

Prediction

Expansion of Blockchain-Based Malware Infrastructure

Future malware campaigns are likely to increase reliance on blockchain systems as resilient, censorship-resistant C2 layers.

Developer-Centric Attacks Will Intensify

Supply chain attacks will increasingly focus on IDE extensions, CI/CD tools, and package managers as primary entry points.

Defensive Shift Toward Dependency Verification

Organizations will likely adopt stricter package signing, repository validation, and behavior-based anomaly detection in response to campaigns like GlassWorm.

▶️ Related Video (82% Match):

🕵️‍📝Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube