Joint Operation Dismantles Open-Source Threat
CrowdStrike has announced the dismantling of the Glassworm botnet in a coordinated operation carried out with support from Google and Shadowserver. The takedown stripped threat actors of access to the infrastructure they used to systematically compromise open-source software packages — a campaign that had been ongoing since early 2025 and had infected hundreds of projects.
The operation represents one of the more significant open-source supply chain security actions of 2026, targeting an adversary whose reach extended across major package ecosystems.
What Was Glassworm?
Glassworm was a botnet purpose-built for supply chain attacks against open-source software. Rather than targeting end-user systems directly, the botnet's operators focused on compromising the infrastructure that developers rely on — package registries, CI/CD pipelines, and the maintainer accounts that publish software consumed by downstream organizations.
Key characteristics of the botnet and its campaign:
- Active since early 2025 — the campaign predates the takedown by over a year
- Hundreds of packages affected — across multiple ecosystems (exact scope still being assessed)
- Malware-as-persistence — infected packages contained malicious code designed to establish footholds in developer and build environments
- Infrastructure-focused — operators maintained dedicated command-and-control infrastructure separate from the compromised packages
The Takedown Operation
CrowdStrike's announcement describes a coordinated multi-party action that neutralized the botnet's operational infrastructure. The involvement of three organizations reflects the cross-platform nature of the threat:
- CrowdStrike — threat intelligence, technical attribution, and operation coordination
- Google — infrastructure disruption (likely through abuse-of-service takedown on Google-hosted resources or through Project Shield/Safe Browsing feeds)
- Shadowserver Foundation — sinkholing and passive DNS infrastructure to redirect botnet command-and-control traffic
As a result, the operators lost access to the infrastructure they had used to coordinate infections and push malicious updates to compromised packages.
Why Open-Source Supply Chains Are High-Value Targets
The Glassworm campaign illustrates why supply chain attacks have become a preferred vector for sophisticated threat actors:
Multiplier effect: A single compromised package can reach tens of thousands of downstream users. When a widely-used open-source library is backdoored, every project that imports it becomes a potential victim.
Trusted channels: Package managers like npm, PyPI, and Maven Central are treated as trusted by default. Organizations often lack visibility into the exact code executing in third-party dependencies.
Developer environment access: Malware injected via open-source packages typically executes with developer-level permissions — on machines with access to source code, credentials, cloud environments, and production deployment pipelines.
Delayed detection: Supply chain compromises can persist undetected for months. The Glassworm campaign's timeline (early 2025 through mid-2026) shows how long these operations can run before disruption.
Impact Assessment
| Area | Details |
|---|---|
| Packages infected | Hundreds across multiple ecosystems |
| Active campaign duration | ~16+ months (early 2025 – May 2026) |
| Developer exposure | Developers and build systems importing infected packages |
| Credential risk | Malware designed to access developer credentials and secrets |
| Downstream organizations | Any organization using infected packages as dependencies |
Recommendations for Developers and Organizations
Immediate Actions
- Audit your dependency tree for packages flagged in connection with the Glassworm campaign — CrowdStrike and Shadowserver are expected to publish indicators
- Review recent package update history across your projects, looking for unexpected version bumps to packages in affected ecosystems
- Rotate credentials and secrets on developer machines that may have executed code from affected packages — particularly CI/CD service account tokens, cloud provider keys, and npm/PyPI auth tokens
- Check CI/CD pipeline logs for unusual outbound connections or unexpected script execution during build steps
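The first two actions above (auditing the dependency tree against published indicators and reviewing update history for unexpected version bumps) can be automated against a lockfile. The script below is an added illustration, not code from the article or from CrowdStrike, Google or Shadowserver. It walks an npm `package-lock.json` (lockfileVersion 2/3 layout, where the `packages` keys are `node_modules` paths), matches every installed package against a flagged list, reports entries with no `integrity` hash, and diffs versions against a known-good baseline. The two lockfiles and the flagged list are constructed placeholders; real indicators would come from the vendor feeds the article says are expected.

```python
"""Audit an npm lockfile against flagged packages and a known-good baseline.

Added example; the lockfiles and the flagged list below are constructed placeholders,
not real packages or real Glassworm indicators.
"""
import json
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed baseline lockfile captured before the review window.
BASELINE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0", "integrity": "sha512-AAA"},
        "node_modules/color-util": {"version": "2.1.0", "integrity": "sha512-BBB"},
        "node_modules/color-util/node_modules/tiny-dep": {"version": "0.4.1", "integrity": "sha512-CCC"},
    },
})

# Constructed current lockfile: one unexpected bump, one new package without an integrity hash.
CURRENT_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0", "integrity": "sha512-AAA"},
        "node_modules/color-util": {"version": "2.1.1", "integrity": "sha512-DDD"},
        "node_modules/color-util/node_modules/tiny-dep": {"version": "0.4.1", "integrity": "sha512-CCC"},
        "node_modules/build-helper": {"version": "9.9.9"},
    },
})

# Constructed placeholder indicator list as (package name, version) pairs.
FLAGGED: Set[Tuple[str, str]] = {("build-helper", "9.9.9"), ("color-util", "2.1.1")}


def iter_packages(lock_json: str) -> Iterator[Tuple[str, str, str, dict]]:
    """Yield (path, name, version, entry) for every installed package.

    The name is the text after the last 'node_modules/' segment, so nested copies
    and scoped packages (@scope/pkg) resolve to their real package name.
    """
    data = json.loads(lock_json)
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        name = path.split("node_modules/")[-1]
        yield path, name, entry.get("version", ""), entry


def find_flagged(lock_json: str, flagged: Set[Tuple[str, str]]) -> List[str]:
    """Installed packages whose (name, version) appears in the flagged list."""
    return sorted(f"{n}@{v}" for _, n, v, _ in iter_packages(lock_json) if (n, v) in flagged)


def missing_integrity(lock_json: str) -> List[str]:
    """Installed packages recorded without an integrity hash (cannot be verified on install)."""
    return sorted(f"{n}@{v}" for _, n, v, e in iter_packages(lock_json) if "integrity" not in e)


def version_changes(baseline_json: str, current_json: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Map lockfile path -> (old version, new version) for bumps and additions.

    Keyed by path rather than name so nested duplicates of one package do not collide;
    a newly added package has old version None.
    """
    base = {p: v for p, _, v, _ in iter_packages(baseline_json)}
    cur = {p: v for p, _, v, _ in iter_packages(current_json)}
    return {p: (base.get(p), v) for p, v in cur.items() if base.get(p) != v}


if __name__ == "__main__":
    print("flagged:", find_flagged(CURRENT_LOCK, FLAGGED))
    print("no integrity:", missing_integrity(CURRENT_LOCK))
    for path, (old, new) in version_changes(BASELINE_LOCK, CURRENT_LOCK).items():
        print(f"changed: {path} {old} -> {new}")
```

Run against the real `package-lock.json` committed before and after the suspect window; any bump that no one on the team made deliberately, and any flagged match, is a candidate for the credential rotation and log review described in the remaining two actions.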
Longer-Term Supply Chain Security
- Implement dependency pinning (lock files + hash verification) to prevent unexpected package substitution
- Use software composition analysis (SCA) tools with real-time threat feed integration
- Enable provenance attestation where supported (e.g., npm provenance, Sigstore for Python)
- Restrict build environment network access to reduce exfiltration paths
- Participate in ecosystem security programs like npm's security advisories and PyPI's malware reporting
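Dependency pinning with hash verification, the first item in the list above, is what stops a substituted artifact from installing even when the registry or a maintainer account has been compromised. The script below is an added example, not code from the article or from any package tooling it names. It parses a pip-style requirements file with `--hash=sha256:...` entries (including backslash continuation lines), verifies each downloaded artifact against the pinned hashes, and separately reports entries that are unpinned or pinned without a hash, since those are the gaps a substitution attack slips through. The artifacts and the requirements text are constructed in memory; the second entry deliberately carries a non-matching hash to show what a detected substitution looks like.

```python
"""Verify pinned, hash-locked requirements against downloaded artifacts.

Added example with constructed inputs; the byte strings stand in for downloaded
wheels/sdists and are not real packages.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample artifacts as the bytes a resolver would have downloaded.
ARTIFACTS: Dict[str, bytes] = {
    "safe-lib-1.2.0.tar.gz": b"safe-lib source tarball (constructed)",
    "fast-json-3.0.1-py3-none-any.whl": b"fast-json wheel (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements file: one correctly hashed pin, one pin whose recorded hash
# does not match the artifact (simulated substitution), one pin with no hash, one loose range.
REQUIREMENTS = f"""
safe-lib==1.2.0 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['safe-lib-1.2.0.tar.gz'])}
fast-json==3.0.1 \\
    --hash=sha256:{'0' * 64}
pyyaml==6.0
requests>=2.0
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop blanks and comments."""
    buf: List[str] = []
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append(" ".join(buf))
        buf = []
    if buf:
        out.append(" ".join(buf))
    return out


def find_artifact(name: str, artifacts: Dict[str, bytes]) -> Optional[str]:
    """Locate the downloaded file for a project name (PEP 503 style normalisation)."""
    norm = name.lower().replace("_", "-")
    for fname in artifacts:
        if fname.lower().replace("_", "-").startswith(norm + "-"):
            return fname
    return None


def verify_hashes(data: bytes, hashes: List[str]) -> bool:
    """True if the artifact matches any listed 'algo:hexdigest' (pip accepts any one match)."""
    for spec in hashes:
        algo, _, digest = spec.partition(":")
        try:
            if hashlib.new(algo, data).hexdigest() == digest.lower():
                return True
        except ValueError:
            continue  # unknown algorithm name; treat as no match
    return False


def audit_requirements(text: str, artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every requirement: ok, mismatch, no_hash, unpinned or missing_artifact."""
    report: Dict[str, List[str]] = {k: [] for k in ("ok", "mismatch", "no_hash", "unpinned", "missing_artifact")}
    for line in logical_lines(text):
        tokens = line.split()
        spec = tokens[0]
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec).group(0)
        if "==" not in spec:
            report["unpinned"].append(spec)       # a range lets any new upload satisfy it
        elif not hashes:
            report["no_hash"].append(spec)        # pinned version, but content unverified
        elif (artifact := find_artifact(name, artifacts)) is None:
            report["missing_artifact"].append(spec)
        elif verify_hashes(artifacts[artifact], hashes):
            report["ok"].append(spec)
        else:
            report["mismatch"].append(spec)       # artifact differs from what was pinned
    return report


if __name__ == "__main__":
    for category, items in audit_requirements(REQUIREMENTS, ARTIFACTS).items():
        print(f"{category}: {items}")
```

In a pipeline this is the same check `pip install --require-hashes` performs, and failing the build on anything outside the `ok` list is the policy the longer-term recommendations describe; the audit form is useful when generating the report for an existing project before the flag is turned on.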
Industry Context
The Glassworm takedown comes amid a broader surge in supply chain attacks in 2026. Previous notable campaigns — including attacks on the Trivy security scanner, TanStack, and the Shai-Hulud worm's spread through npm — have demonstrated that open-source infrastructure remains a primary attack surface for threat actors ranging from financially motivated criminals to nation-state operators.
The joint action by CrowdStrike, Google, and Shadowserver reflects a maturing model for responding to these threats: coordinated industry action rather than waiting for law enforcement timelines.
Source: CyberScoop