GlassWorm Malware Infrastructure Dismantled in Coordinated Takedown

Executive Summary

In a significant collaborative effort, CrowdStrike, Google, and the Shadowserver Foundation have successfully disrupted a pervasive software supply chain campaign known as GlassWorm. This operation dismantled the command-and-control (C2) infrastructure used by the malware, which has been targeting software developers since at least early 2025. The GlassWorm campaign employed a multi-faceted approach, using malicious Visual Studio Code extensions and compromised software packages to steal credentials, exfiltrate cryptocurrency wallets, and establish a botnet of compromised developer machines. The takedown marks a major victory against threat actors targeting the core of the software development lifecycle.

Threat Overview

The GlassWorm campaign specifically targeted software developers, a high-value target for threat actors due to their privileged access to source code, CI/CD pipelines, and cloud infrastructure. The operators, assessed by CrowdStrike as likely Russia-based cybercriminals, demonstrated persistence and significant resources. The malware was designed to terminate execution if it detected it was running on a system in a Commonwealth of Independent States (CIS) country, a common tactic for Russian threat actors.

The attack vectors included:

Trojanized VS Code Extensions: Malicious extensions published to the official Microsoft VS Code Marketplace and the open-source Open VSX registry.
Malicious Packages: Compromised packages uploaded to popular registries like npm (for JavaScript) and PyPI (for Python).

Technical Analysis

The GlassWorm attack was multi-pronged and evolved over time:

Initial Compromise: Developers were tricked into installing malicious VS Code extensions or using compromised npm/Python packages in their projects (T1195.002 - Compromise Software Supply Chain). The extensions appeared legitimate but contained a malicious payload.
Credential Theft: Once installed, the initial malware payload would scan the host system for developer credentials. This included GitHub tokens, npm tokens, OpenVSX tokens, SSH keys, and cloud provider credentials (T1552.001 - Credentials in Files). It also targeted cryptocurrency wallet files.
RAT Deployment: Later versions of the campaign deployed GlassWormRAT, a Websocket-based JavaScript RAT. This RAT provided the attackers with persistent remote access to the compromised machine.
Data Exfiltration and Espionage: GlassWormRAT was capable of stealing web browser data (cookies, history, passwords), executing arbitrary code, and installing a malicious Google Chrome extension. This extension could capture screenshots, log keystrokes (T1056.001 - Keylogging), and steal clipboard content (T1115 - Clipboard Data).

This comprehensive data theft framework allowed attackers to not only steal immediate assets but also to pivot and compromise additional repositories and packages, perpetuating the supply chain attack.

Incident Response and Takedown

The disruption was a coordinated effort involving threat intelligence sharing and simultaneous action. CrowdStrike, Google, and the Shadowserver Foundation worked together to identify and sinkhole all known C2 domains associated with GlassWorm. This action effectively severed the connection between the infected developer machines and the attackers, neutralizing the botnet and preventing further data theft and command execution.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables — Hunting Hints

To hunt for similar threats, security teams should look for:

Type

File Path

Value

~/.vscode/extensions/

Description

Monitor for the installation of new or suspicious VS Code extensions, especially those that are not from verified publishers.

Type

Network Traffic

Value

Outbound Websocket connections

Description

Look for unusual or unencrypted Websocket connections from developer tools or unexpected processes.

Type

Command Line

Value

npm install, pip install

Description

Correlate package installation logs with network activity. A package that makes network connections during installation is highly suspicious.

Type

Process Anomaly

Value

code.exe or node.exe accessing sensitive files

Description

Monitor for developer tools attempting to read files like ~/.ssh/id_rsa, ~/.aws/credentials, or cryptocurrency wallet files.

Detection & Response

Extension Auditing: Regularly audit installed VS Code extensions and other developer tools. Remove any unverified or unnecessary extensions.
Behavioral Monitoring: Use an EDR to monitor developer tools for suspicious behavior, such as accessing sensitive files, making outbound network connections, or spawning child processes.
Supply Chain Security Tools: Utilize tools that scan dependencies for known vulnerabilities and malicious packages before they are incorporated into a project.
D3FEND: Employ D3-PA - Process Analysis to detect when developer tools like VS Code begin to exhibit malicious behavior, such as file scanning or unauthorized network communication.

Mitigation

Vetted Extensions: Create an organizational policy that only allows the installation of VS Code extensions from a pre-approved list of verified publishers.
Principle of Least Privilege: Developers should not work from accounts with administrative privileges. Use separate, isolated environments for development work.
Credential Management: Store sensitive credentials and tokens in a secure vault (e.g., HashiCorp Vault, Azure Key Vault) instead of in configuration files on developer machines.
D3FEND: Implement D3-EAL - Executable Allowlisting and script-specific controls to restrict what extensions and packages can be installed and executed in the development environment.

CrowdStrike, Google, and Shadowserver Disrupt "GlassWorm" Developer-Targeted Supply Chain Attack