Executive Summary
On 2026-05-26 at 14:00 UTC, CrowdStrike says it coordinated with Google and the Shadowserver Foundation to disrupt the GlassWorm botnet's command-and-control channels, cutting infected developer machines off from new operator instructions and payload delivery CrowdStrike opens in a new tab. The takedown does not prove that infected hosts are clean. It gives defenders a short containment window to find developer workstations, CI runners, and build boxes that installed GlassWorm-linked extensions or packages.
GlassWorm is a developer-tooling supply-chain campaign first publicly documented by Koi Security in October 2025. Koi reported self-propagation through stolen marketplace credentials and malicious code concealed with invisible Unicode characters Koi Security opens in a new tab. CrowdStrike later described trojanized VS Code-compatible extensions, malicious npm and Python packages, and more than 300 poisoned GitHub repositories created or modified with previously stolen developer credentials CrowdStrike opens in a new tab. Socket's April 2026 research adds registry-level detail: a cluster of 73 Open VSX impersonation extensions, including activated hosts that used extensionPack transitive delivery, bundled native .node installers, or obfuscated JavaScript to retrieve VSIX payloads from GitHub Socket opens in a new tab.
Treat any confirmed GlassWorm hit as a developer identity incident, not just malware cleanup. The affected endpoints can hold GitHub, npm, Open VSX, SSH, cloud, Kubernetes, package-registry, AI-tooling, and wallet credentials.