CrowdStrike, Google, and the Shadowserver Foundation said they disrupted the Glassworm botnet, a global threat targeting developers and open-source software ecosystems through supply chain attacks. CrowdStrike said the coordinated takedown simultaneously disabled all four of the botnet’s C2 channels, preventing communications with infected systems and delivery of additional malware payloads.
You can find out more by reading CrowdStrike’s writeup here: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
Liquibase VP Ryan McCurdy offers perspective:
“Glassworm is a reminder that ungoverned automation can quickly become a privileged attack path. Once attackers compromise developer tooling, poison repositories, or steal CI/CD credentials, the pipeline stops being background infrastructure and starts acting like a privileged identity. That is what makes these attacks so dangerous. The answer is not less automation. It is more standardized, governed automation, so the workflows developers and pipelines already rely on are consistent, controlled, and harder to abuse.”
Honestly, while this is to be celebrated, it’s also time for organizations to look inward and retool so that their automation is not an attack path. Otherwise bad things will happen.
UPDATE: There’s additional commentary, following on from Ryan McCurdy’s comments above:
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“When dismantling a single developer targeting botnet requires three organizations to simultaneously strike four independent command and control channels, that is a measure of how seriously adversaries have invested in compromising the people who build software. Glassworm’s operators layered Solana blockchain dead drops and BitTorrent alongside legitimate services like Google Calendar, building infrastructure designed to survive exactly this kind of operation. This coordination sets a model for how the security community should respond to entrenched supply chain threats. Precision and partnership delivered operational results without years of judicial process.
“Disruption buys defenders a window. It does not reverse more than a year of credential theft. Glassworm used credentials stolen in earlier infections to poison over 300 GitHub repositories, the same cascading pattern the industry has tracked across multiple supply chain campaigns this year. Any organization consuming open source software should be checking telemetry against the published indicators now, not waiting for a downstream compromise to surface the exposure.
“Glassworm did not operate in isolation. It ran alongside multiple supply chain campaigns targeting the same developer ecosystems over the same timeframe, including the Shai-Hulud worm and the Megalodon GitHub poisoning disclosed days ago. The volume and persistence of these operations make the case that developer environments and build pipelines require the same zero trust posture organizations have spent a decade applying to users and networks. Any organization that treats its build infrastructure as implicitly trusted is operating on assumptions that adversaries have already invalidated.”
Noelle Murata, Chief Operating Officer at Xcape, Inc.:
“The coordinated takedown of the Glassworm botnet by CrowdStrike, Google, and Shadowserver highlights a massive paradigm shift: threat actors are aggressively targeting the software developer’s workstation as the ultimate enterprise entry point. By targeting IDE marketplaces, package registries, and GitHub repositories rather than traditional corporate networks, the operators behind Glassworm turned infected developer environments into automated launchpads for broader downstream supply chain contamination.
“What makes this campaign uniquely menacing is the extreme, multi-layered resilience of its command-and-control (C2) architecture. By hiding C2 infrastructure across the Solana blockchain, the BitTorrent peer-to-peer network, and public Google Calendar entries, the attackers built a decentralized dead-drop engine that could not be dismantled by traditional domain sinkholing or legal hosting takedowns. The fact that defenders had to execute a flawless, simultaneous strike across all four independent technical vectors proves that legacy, siloed perimeter defense is structurally obsolete when fighting a decentralized adversary.
“For enterprise risk leaders, the Glassworm disruption is a severe warning that developer environments must be treated as highly privileged, zero-trust zones. To defend against this evolving threat landscape, security executives must immediately enforce strict application control policies on developer IDE extensions, audit code pipelines for unauthorized package installs executing via post-install hooks, and continuously monitor for suspicious, outbound programmatic access to public infrastructure.
“Critical Takeaways
- “Targeting the pipeline creators: Adversaries are bypassing heavily defended enterprise production environments to compromise developers directly, leveraging their local code-signing access and platform credentials to seamlessly poison entire downstream software lifecycles.
- “The resilience of decentralized C2: Utilizing immutable blockchain ledger memo fields and decentralized peer-to-peer hash tables means attackers can permanently maintain connectivity to infected assets without relying on central, tear-down-vulnerable web domains.
- “Takedowns are a temporary shield: While disabling the current infrastructure disrupts immediate payload delivery, it does not erase the thousands of malicious, typosquatted npm/PyPI packages and poisoned source files that remain dormant across the broader public code ecosystem.
“When a botnet embeds its command architecture into public blockchains and peer-to-peer networks, traditional security boundaries cease to exist. You aren’t just fighting a group of hackers anymore; you are fighting a permanent, decentralized exploit of the internet’s own infrastructure.”
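One way to act on the “audit code pipelines for unauthorized package installs executing via post-install hooks” recommendation above, as an added example that is not part of the post or of any vendor’s tooling: a small Python auditor that walks an installed node_modules tree and reports every package declaring an install-time lifecycle script. The sample tree it builds is constructed for illustration; the package names in it are placeholders.

```python
"""Report npm packages that declare install-time lifecycle hooks.
Added example (not from the post); sample package.json data is constructed."""
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install`, before any code is reviewed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(root):
    """Walk node_modules under root; return (package, hook, command) tuples."""
    findings = []
    for manifest in sorted(Path(root).glob("node_modules/**/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                name = data.get("name", manifest.parent.name)
                findings.append((name, hook, cmd))
    return findings


def build_sample_tree(base):
    """Constructed tree: one clean package and one that runs code at install time."""
    manifests = {
        "clean-pkg": {"name": "clean-pkg", "version": "1.0.0"},
        "example-dep": {"name": "example-dep", "version": "0.1.0",
                        "scripts": {"postinstall": "node setup.js"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = Path(base) / "node_modules" / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_install_hooks(tmp)


if __name__ == "__main__":
    for name, hook, cmd in demo():
        print(f"{name}: {hook} -> {cmd!r}")
```

Run it against a real checkout by calling find_install_hooks on the project root; any hit that is not on an approved list is a package to review before the pipeline installs it with scripts enabled.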

FBI, Google And Black Lotus Labs Take Down Chinese Based Phishing As A Service Operation
Posted in Commentary with tags Black Lotus, FBI, Google on June 15, 2026 by itnerd
It has been reported that in a coordinated effort, the FBI, working with Google and Black Lotus Labs, has dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise with thousands of phishing websites used to steal credit card data and passwords.
You can find the full story here: https://www.bleepingcomputer.com/news/security/fbi-disrupts-massive-ai-powered-phishing-service-using-a-million-urls/
Commenting on this is Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Outsider Enterprise was dismantled, but no one was arrested, and only a hundred thousand dollars was recovered out of the billions it stole. What’s notable here is that there was no involvement with Chinese authorities. Until we have stronger international cooperation and enforcement, nothing is stopping these scammers from rebuilding and committing more crimes. This is especially true for adversarial countries like China and Russia, from which we cannot extradite criminals. Scammers and other cybercriminals can operate from those countries with impunity, so long as they don’t attack domestic targets.”
While this is positive, there needs to be much more of this sort of thing. Cybercrime has to become unprofitable for threat actors; that is what will make them stop what they’re doing.