A coordinated takedown on May 26 by CrowdStrike, Google, and the Shadowserver Foundation has dismantled the Glassworm botnet, a sophisticated malware network that targeted software developers to steal cryptocurrency.
The botnet, known as GlasswormRAT, operated through four separate command-and-control channels: the Solana blockchain, Google Calendar, BitTorrent DHT, and commercial VPS servers. This redundancy allowed the malware to switch channels if one was disrupted, complicating takedown efforts.
First detected in October 2025 by Koi Security on the OpenVSX marketplace, GlasswormRAT spread to the official VS Code extension store, npm, PyPI, and over 300 GitHub repositories by early 2026. Developers unknowingly installed malicious packages or extensions, which then stole credentials from development platforms and siphoned funds from cryptocurrency wallet browser extensions.
The malware affected Windows, macOS, and Linux systems, and targeted code editors like Cursor and Windsurf. Evidence points to a Russia-based group that used invisible Unicode characters to hide malicious code in packages.
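One defensive check that follows from the hiding technique described above, as an added example that is not part of the original article or of any named organisation's tooling: a scanner that reports every run of invisible Unicode code points (format characters and variation selectors) in source text, with its line and column, so a package or extension review can flag them before install. The sample module it scans is constructed for this example; the code point set is an assumption about what editors and diff views render as nothing.

```python
import unicodedata
from dataclasses import dataclass

@dataclass
class Finding:
    line: int          # 1-based line number
    col: int           # 0-based column where the run starts
    length: int        # number of consecutive invisible code points
    codepoints: list   # the code points in the run

def is_invisible(ch: str) -> bool:
    """True for code points that render as nothing in most editors and diff views."""
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors (category Mn)
        return True
    # Category Cf ("format") covers zero-width joiners/spaces, bidi overrides,
    # the byte-order mark, soft hyphen and the Tags block (U+E0000..U+E007F).
    return unicodedata.category(ch) == "Cf"

def scan_source(text: str) -> list:
    """Return every maximal run of invisible code points, with its position."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            start = i
            while i < len(line) and is_invisible(line[i]):
                i += 1
            findings.append(Finding(lineno, start, i - start, [ord(c) for c in line[start:i]]))
    return findings

def describe(f: Finding) -> str:
    names = sorted({unicodedata.name(chr(cp), f"U+{cp:04X}") for cp in f.codepoints})
    return f"line {f.line} col {f.col}: {f.length} invisible code point(s): {', '.join(names[:3])}"

# Constructed sample: a harmless-looking module with two hidden runs. Run 1 is a
# block of variation selectors after a comment (invisible in an editor, yet it
# carries one nibble per character); run 2 is a bidi override inside a string.
SAMPLE = (
    "const config = { retries: 3 };\n"
    "// build metadata" + "".join(chr(0xFE00 + (b % 16)) for b in b"hidden payload bytes") + "\n"
    "const label = 'safe\u202Etxt';\n"
    "module.exports = config;\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(describe(f))
```

A long run of variation selectors or tag characters in a file that should be plain ASCII source is the signal to act on; a single soft hyphen in a comment may be benign, so review findings by run length and location.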
The takedown disrupted all four C2 channels simultaneously, forcing the operators to rebuild their infrastructure from scratch. CrowdStrike stated the goal was to raise operational costs for the adversaries.