"The broader goal is sustained pressure that forces the adversary to spend time, resources, and operational energy reconstituting infrastructure instead of targeting victims," Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said.
CrowdStrike-led disruption removed core infrastructure
CrowdStrike announced a coordinated operation that dismantled the Glassworm botnet by simultaneously taking down four attacker-controlled servers designed to obscure the botnet’s operations and resist disruption. According to CrowdStrike, the action removed the operators’ access to infrastructure that had been used to infect hundreds of open-source software components since early 2025.
That disruption, CrowdStrike said, "took down infrastructure, severed access to the botnet’s most critical services, impeded operation momentum and slowed the attackers’ ability to scale," Meyers told CyberScoop. The company framed the effort as sustained pressure to force adversaries to spend time rebuilding rather than continuing attacks.
How Glassworm worked: supply-chain intrusion across developer workflows
CrowdStrike described Glassworm as a threat actor that targeted software developers to gain access to source code repositories, cloud platforms, integration and delivery processes, and open-source package registries. The group fed malware into VSCode extensions, npm and Python packages, and more than 300 GitHub repositories, researchers said.
The compromises affected Windows, macOS and Linux systems and carried out data and credential theft as well as remote access via a backdoor called GlasswormRAT. CrowdStrike characterized the operation as notable for "operational sophistication around propagation and automation" and said it was designed to move through trusted developer workflows in a way that could expand reach quickly if unchecked.
Four layered channels the defenders disrupted
CrowdStrike identified and disrupted four layered channels the botnet relied on: the Solana blockchain, BitTorrent’s peer-to-peer network, Google Calendar, and virtual private servers hosted by commercial providers. By removing those channels, the company said it disabled the "connective tissue of the operation" and created "cascading operational pain" that forces the adversary to rebuild infrastructure and exposes tradecraft.
Google confirmed involvement in the response. "As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users," John Hultquist, chief analyst at Google Threat Intelligence Group, said in a post on X. The non-profit Shadowserver assisted with analysis and data sharing, though its CEO Piotr Kijewski noted much of the disruption work was performed by CrowdStrike.
Russia link, scope, and defensive follow-up
CrowdStrike said the threat group behind Glassworm is likely based in Russia. The company urged proactive defensive steps: it shared indicators of compromise to help organizations hunt for infections and called on other vendors, law enforcement agencies, platform operators and the open-source ecosystem to marshal equal determination in responding to software supply chain threats.
Meyers argued that when law enforcement cooperation is limited or absent, disruption of infrastructure becomes a principal tool: "When threat actors operate from jurisdictions where law enforcement cooperation is limited or nonexistent, disruption becomes one of the most effective tools available. If you can’t put handcuffs on the operator, you focus on dismantling the infrastructure, trust relationships, and operational dependencies," he said.
What this means for software developers, platform operators, and defenders
- Software developers: The incident underscores the risk of supply-chain routes that touch developer tools and package registries. CrowdStrike’s account stresses the need for vigilance around VSCode extensions, npm and Python packages, and code repositories.
- Platform operators and vendors: Google’s public statement and Shadowserver’s data-sharing role illustrate how platform owners and monitoring organizations can assist disruption and remediation efforts; CrowdStrike urged platform operators to align visibility and responses to raise the cost for adversaries.
- Security teams and defenders: CrowdStrike provided indicators of compromise and advocated for proactive disruption and intelligence-sharing as means to impede an adversary’s ability to scale and to harden developer environments, CI/CD pipelines, and software supply chains.
The takedown illustrates a tactical approach defenders favor when traditional law-enforcement pathways are constrained: remove the infrastructure, expose the tradecraft, and make reconstitution expensive and visible. CrowdStrike says that approach may not eliminate a threat actor entirely but can "reduce effectiveness, limit reach, and raise the cost of doing business." The degree to which sustained pressure will prevent a reconstitution of Glassworm’s operations — and whether equivalent action will follow across the wider open-source ecosystem — remains the central practical test ahead.
Read the original CyberScoop report: CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain




