
CrowdStrike and Google dismantle Glassworm botnet that targeted developers and drained crypto wallets

By Editorial Team · Published May 27, 2026 · 2 min read · Source: Crypto Briefing

The botnet used Solana blockchain infrastructure for command-and-control operations while siphoning funds from dozens of cryptocurrency wallet extensions.


A coordinated operation by CrowdStrike, Google, and the Shadowserver Foundation has taken down the Glassworm botnet, a malware network that embedded itself in open-source software projects to compromise developer machines and steal cryptocurrency. The takedown, executed on May 26, disrupted all four of the botnet's command-and-control (C2) channels at the same time.

How Glassworm operated

The botnet maintained four independent C2 channels: the Solana blockchain, Google Calendar, the BitTorrent DHT, and commercial VPS servers. Taking down any one of them was not enough, because the malware could fall back to the remaining channels.

The malware, dubbed GlasswormRAT, first surfaced in October 2025 when security firm Koi Security found it on the Open VSX marketplace. By early 2026, GlasswormRAT had spread to the official VS Code extension store, npm, PyPI, and over 300 GitHub repositories.


Developers installed what appeared to be legitimate packages or editor extensions. Once running, the malicious code stole credentials for development platforms. GlasswormRAT also targeted dozens of cryptocurrency wallet browser extensions, quietly siphoning funds from developers who happened to hold digital assets.

The malware ran on Windows, macOS, and Linux, and targeted newer code editors such as Cursor and Windsurf alongside VS Code. The attribution trail points toward a Russia-based group. Among the evasion techniques was the use of invisible Unicode characters to hide malicious code inside files that look blank or benign when opened in an editor, so a casual review of the package source would not reveal it.
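Invisible-character obfuscation is cheap to detect once you look for it: the characters are still in the file, they just do not render. The scanner below is an added example written for this article, not code from CrowdStrike, Google, Koi Security or the Glassworm analysis. It flags Unicode format characters (category Cf: zero-width space and joiners, BOM, bidi controls, tag characters), variation selectors, and Hangul fillers in source text, and reports where they sit. The sample inputs are constructed for the demo; the only BOM it tolerates is a single one at the very start of a file.

```python
"""Scan source text for invisible Unicode code points that can hide code.

Added example, not part of the article or any vendor tooling. Flags characters
that render as nothing (or as plain whitespace) but survive in source files.
"""
import unicodedata
from collections import Counter

# Hangul fillers: category Lo, but render as blank space in most fonts.
_HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}


def is_invisible(ch: str) -> bool:
    """True for code points that have no visible glyph in ordinary source text."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":          # ZWSP, ZWJ/ZWNJ, BOM, bidi overrides, tag chars
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:   # variation selectors
        return True
    return cp in _HANGUL_FILLERS


def scan_source(text: str):
    """Return (line_no, col, 'U+XXXX', name) for every invisible character.

    A single BOM at offset 0 of the file is the one legitimate hit and is skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if line_no == 1 and col == 0 and ord(ch) == 0xFEFF:
                continue
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def summarize(findings):
    """Count hits per code point; dozens of the same invisible character on
    one line is the signature of an encoded payload rather than a stray BOM."""
    return Counter(cp for _, _, cp, _ in findings)


# Constructed samples (not real Glassworm files).
CLEAN = "const x = 1;\nexport default x;\n"
SUSPECT = (
    "const x = 1;\n"
    # A line that looks empty in an editor but carries 20 variation selectors.
    + "".join(chr(0xE0100 + i) for i in range(20)) + "\n"
    # A zero-width space splitting an identifier.
    + "exp\u200bort default x;\n"
)

if __name__ == "__main__":
    for label, src in (("clean", CLEAN), ("suspect", SUSPECT)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} invisible chars {dict(summarize(hits))}")
        for line_no, col, cp, name in hits[:3]:
            print(f"  line {line_no} col {col}: {cp} {name}")
```

Run it over every `.js`, `.ts`, `.py` and `package.json` in an extracted package tarball or extension `.vsix` before installing; a lockfile-pinned dependency that suddenly gains a line of variation selectors is worth a closer look regardless of which registry served it.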

The Solana connection

Rather than relying solely on traditional servers that can be seized or blocked, the botnet operators stored encoded instructions on-chain. Because Solana transactions are immutable and publicly readable, the malware could fetch its instructions through ordinary public RPC endpoints, traffic that blends in with legitimate blockchain clients, and no takedown can delete the data once it is on the chain. Defenders cannot remove that channel; they can only block or monitor access to it from developer machines.

What this means for crypto holders and developers

For projects that rely heavily on open-source dependencies, the Glassworm incident underscores the fragility of the trust model. npm alone hosts over a million packages, and the fact that malicious packages reached the official registries and extension stores means that simply sticking to "trusted" sources was not enough protection.

CrowdStrike's stated goal with the takedown was to raise the operational costs for the adversaries behind Glassworm. Disrupting all four C2 channels simultaneously means the operators cannot simply switch to a backup and would need to rebuild significant infrastructure from scratch.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
This article was originally published on Crypto Briefing and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
