Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
CrowdStrike disrupted the Glassworm botnet targeting software developers.
Summary
CrowdStrike's Counter Adversary Operations team has successfully dismantled the Glassworm botnet, a malicious operation specifically targeting software developers. The takedown involved coordinated efforts to disrupt the botnet's infrastructure and operations, aiming to protect the developer community from its malicious activities.
Full text
Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet
May 26, 2026 • Counter Adversary Operations • Threat Hunting & Intel

On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm's command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.

This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products; they're targeting the developers who build them.

The Threat: Targeting Developers

Since at least early 2025, Glassworm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. Developers represent uniquely high-value targets: compromising a single developer's workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.

Glassworm's operators exploited this reality with a multi-pronged campaign:

- Trojanized VSCode extensions were published to the OpenVSX marketplace, disguised as popular tools like time trackers and code formatters. The malicious extensions targeted not only VSCode but also Cursor, Positron, Windsurf, VSCodium, and more.
- Compromised npm and Python packages introduced malicious code through postinstall hooks and setup scripts, executing silently during routine dependency installation.
- More than 300 GitHub repositories were poisoned using stolen developer credentials harvested from earlier Gla
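
The npm item in the list above turns on install-time lifecycle scripts. As an added example (not CrowdStrike's code or tooling), this Python audit lists every package in a node_modules tree that would run code during `npm install`, going slightly beyond the post by also flagging the implicit `node-gyp rebuild` npm runs for packages that ship a binding.gyp. The package names and commands in the sample tree are constructed for illustration.

```python
import json
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def is_package_root(pkg_dir):
    """True for node_modules/<name> and node_modules/@scope/<name>."""
    parent = pkg_dir.parent
    if parent.name.startswith("@"):
        parent = parent.parent
    return parent.name == "node_modules"

def find_install_hooks(node_modules):
    """Return sorted (package path, hook, command) tuples for installed
    packages, nested ones included, that run code at install time."""
    root, findings = Path(node_modules), []
    for manifest in root.rglob("package.json"):
        pkg_dir = manifest.parent
        if not is_package_root(pkg_dir):
            continue  # e.g. a fixture inside a package; npm does not run it
        name = pkg_dir.relative_to(root).as_posix()
        try:
            scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts")
        except (OSError, ValueError, AttributeError):
            findings.append((name, "unreadable", ""))  # needs manual review
            continue
        scripts = scripts if isinstance(scripts, dict) else {}
        findings += [(name, h, str(scripts[h])) for h in INSTALL_HOOKS if h in scripts]
        # With binding.gyp and no install/preinstall script, npm runs node-gyp rebuild.
        if (pkg_dir / "binding.gyp").exists() and not scripts.keys() & {"install", "preinstall"}:
            findings.append((name, "install", "node-gyp rebuild (implicit)"))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample data: made-up packages, not indicators from the post."""
    packages = {
        "left-trim": {"scripts": {"test": "mocha"}},
        "@acme/time-tracker": {"scripts": {"postinstall": "node setup.js"}},
        "fmt-helper/node_modules/dep-x": {"scripts": {"preinstall": "sh fetch.sh"}},
        "fmt-helper/test/fixture": {"scripts": {"postinstall": "echo ignored"}},
        "native-thing": {},
    }
    root = Path(base) / "node_modules"
    for rel, manifest in packages.items():
        (root / rel).mkdir(parents=True, exist_ok=True)
        (root / rel / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "native-thing" / "binding.gyp").write_text("{}", encoding="utf-8")
    return root
```

Call `find_install_hooks("path/to/node_modules")` on a real project and review each finding against the package's published source. Installing with `npm install --ignore-scripts` prevents these hooks from running at install time.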