
CrowdStrike announced that it is partnering with Google and the Shadowserver Foundation to simultaneously disrupt all command-and-control (C2) channels associated with GlassWorm, a persistent software supply chain campaign that targets software developers through malicious packages and extensions.
“Since at least early 2025, GlassWorm operators have systematically targeted software developers, those with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries,” CrowdStrike said.
This development comes as developers have become increasingly lucrative targets for software supply chain attacks: a single compromised developer workstation lets attackers reach thousands of downstream organizations and users at once.
Since its emergence last year, GlassWorm has been running a “multi-pronged campaign” using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX, allowing it to target users of VS Code forks such as Cursor, Positron, Windsurf, and VSCodium.
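The distribution vector described above is trojanized extensions spread across VS Code and its forks. As an added, defensive example that is not from the article or from CrowdStrike, the following Python inventories the extensions installed for each editor and flags any not on an organisational allowlist; the per-editor directory names and the allowlist entries are assumed defaults, not values from the article.

```python
"""Inventory extensions installed in VS Code and its forks and flag any not on an allowlist."""
import json
import tempfile
from pathlib import Path

# Per-editor extension directories relative to $HOME (assumed defaults; adjust for your fleet).
EXTENSION_DIRS = {
    "VS Code": ".vscode/extensions",
    "VSCodium": ".vscode-oss/extensions",
    "Cursor": ".cursor/extensions",
    "Windsurf": ".windsurf/extensions",
    "Positron": ".positron/extensions",
}
# Hypothetical organisational allowlist of publisher.name extension identifiers.
ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint"}

def inventory(home: Path) -> list[dict]:
    """Read every installed extension's package.json and record id, version and editor."""
    found = []
    for editor, rel in EXTENSION_DIRS.items():
        root = home / rel
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                meta = {}  # unreadable manifest is still reported, as an unknown publisher
            ext_id = f"{meta.get('publisher', 'unknown')}.{meta.get('name', manifest.parent.name)}"
            found.append({"editor": editor, "id": ext_id.lower(),
                          "version": str(meta.get("version", "?")), "path": str(manifest.parent)})
    return found

def unapproved(home: Path, allowlist=ALLOWLIST) -> list[dict]:
    """Extensions present on disk but absent from the allowlist: review these first."""
    allowed = {a.lower() for a in allowlist}
    return [e for e in inventory(home) if e["id"] not in allowed]

def demo() -> list[str]:
    """Run the audit against a constructed fake home directory; touches no real files."""
    samples = {  # constructed sample manifests spread across two editors
        ".vscode/extensions/ms-python.python-2024.0.1": {"publisher": "ms-python", "name": "python", "version": "2024.0.1"},
        ".cursor/extensions/dbaeumer.vscode-eslint-3.0.0": {"publisher": "dbaeumer", "name": "vscode-eslint", "version": "3.0.0"},
        ".cursor/extensions/someone.prettify-0.0.3": {"publisher": "someone", "name": "prettify", "version": "0.0.3"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, meta in samples.items():
            (Path(tmp) / rel).mkdir(parents=True)
            (Path(tmp) / rel / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return [f"{e['editor']}: {e['id']}@{e['version']}" for e in unapproved(Path(tmp))]
```

Point `unapproved()` at a real home directory to audit a workstation; an empty result means every installed extension matched the allowlist.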
The campaign is also known to have introduced malicious code through compromised npm and Python packages. The ultimate goal is to deploy a data theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities.
Subsequent iterations of GlassWorm were found to deploy a WebSocket-based JavaScript RAT called GlassWormRAT to steal web browser data and execute arbitrary code, including installing Google Chrome extensions that collect sensitive data such as screenshots, keystrokes, and clipboard content from infected systems.
“Once activated, the malware searches hosts for developer credentials (GitHub, NPM, OpenVSX tokens, crypto wallets), potentially further compromising repositories and package uploads,” said Endor Labs researcher Kiran Raj.
“Infected hosts are transformed into a covert infrastructure of SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes (via WebRTC or spawned Node.js processes). This gives attackers anonymized network access to corporate and personal networks and a platform for further dissemination.”
Cumulatively, this malicious activity is said to have compromised more than 300 GitHub repositories using stolen developer credentials. What made the operation notable was its use of four different C2 channels to improve resiliency.
“The combination of blockchain, peer-to-peer, and legitimate web services as a resolution layer is designed to be resilient to takedowns. It is a dynamic front that protects the actual C2 server behind multiple layers of indirection,” CrowdStrike said.
The coordinated takedown disabled all four channels simultaneously, preventing infected machines from receiving new instructions or payloads.
The cybersecurity firm describes GlassWorm’s operators as “well-resourced and persistent” and believes the activity is likely the work of Russia-based cybercriminals, given that the malware does not run on systems located in Commonwealth of Independent States (CIS) countries and includes comments in Russian.
“The software supply chain remains one of the most critical attack surfaces in modern computing,” CrowdStrike concludes. “Adversaries are turning dependencies on organizational tools, updates, and libraries into weaponized delivery mechanisms and force multipliers.”
“The barrier to contaminating packages and extensions is low, and the potential scope for explosion is enormous. Unless development environments, build pipelines, and code repositories are well-protected, every organization that uses software inherits the risk of every organization that creates it. GlassWorm shows that attackers are aware of this and are investing in resilient infrastructure to maintain persistent access to the developer ecosystem.”
