Glassworm botnet disrupted after four-channel C2 takedown

The Glassworm botnet, which has targeted developers through supply-chain attacks since October 2025, has been disrupted after researchers cut off four resilient command-and-control channels built on Solana blockchain transactions and BitTorrent DHT—along with
For months, Glassworm has been built to survive the kind of takedowns defenders usually rely on. This time, researchers didn’t try to knock out one weak link. They attacked the botnet’s entire command-and-control system at once.
The disruption followed a coordinated operation conducted yesterday by CrowdStrike, Google, and The Shadowserver Foundation. The goal was blunt: cut off four distinct command-and-control channels that the Glassworm operators designed to resist conventional disruption efforts. With access to those channels removed simultaneously, infected machines can no longer receive new instructions or payloads.
Glassworm’s campaigns have been ongoing since October 2025, and the targeting has been aimed squarely at the developer ecosystem. Early activity involved malicious OpenVSX and Microsoft VS Code extensions that stole cryptocurrency wallets and developer credentials. Later attack waves moved into GitHub repositories and npm packages, including a March campaign that impacted more than 400 software artifacts.
In the most recent pattern described by researchers, Glassworm operators planted dozens of dormant extensions on OpenVSX designed to activate the malicious component after an update. The approach helped the threat stay quiet until the right moment, but it also meant the botnet’s operators needed a reliable way to keep control running in the background.
That’s where Glassworm’s communications design became the defining problem—and the decisive opportunity. CrowdStrike says the command-and-control setup leaned on non-traditional communication layers designed to be hard to take down. The threat’s “resilient” architecture mixed blockchain, peer-to-peer, and legitimate web services as “resolution layers,” creating a structure that hid the actual command-and-control servers behind multiple layers of indirection.
The researchers describe it as a resilience plan in plain terms: “Glassworm’s operators built their infrastructure for resilience,” and disrupting a single channel wouldn’t meaningfully stop operations because communications could be shifted elsewhere.
To prevent that failover between channels, the operation had to hit all four command-and-control channels at the same time:
First, Solana blockchain transactions were used as a dead drop. Glassworm encoded C2 server addresses in the memo fields of blockchain transactions, creating an immutable, publicly accessible location that conventional takedowns can’t simply take offline.
Second, the BitTorrent Distributed Hash Table (DHT) was used for configuration retrieval. GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys—built on a decentralized network with no single point of failure.
Third, a public calendar service served as another dead-drop layer. Glassworm used Google Calendar event titles as locations containing Base64-encoded C2 paths.
And finally, direct server connections were the last mile. Traditional C2 infrastructure hosted on commercial VPS providers delivered the payload.
With that setup, the botnet could keep operating even if one part went dark. That’s exactly why the takedown targeted everything at once. CrowdStrike says all four channels had to be disrupted simultaneously in a coordinated effort, and as a result, infected machines can no longer receive new instructions or payloads.
After the disruption, researchers say all machines compromised in a Glassworm attack are beaconing to the IP address 164.92.88[.]210 operated by CrowdStrike. Organizations are advised to look for this network indicator and take immediate remediation action.
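As an added illustration of how a defender would act on that indicator (this is not code from the article, CrowdStrike or Shadowserver), the Python below refangs the published sinkhole address and checks it against firewall log lines. The log format and the sample lines are constructed assumptions; the only value taken from the article is the sinkhole IP. It compares parsed addresses exactly rather than grepping for a string, so a neighbouring address such as 164.92.88.21 is not flagged and the defanged "[.]" form cannot silently match nothing.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole indicator as published, in the defanged form the article uses.
SINKHOLE_DEFANGED = "164.92.88[.]210"

# Constructed sample log lines (assumption: "<ts> <src> -> <dst>:<port> <action>").
# 10.0.7.8 talks to a *different* address that merely shares a prefix.
SAMPLE_LOGS = """\
2026-04-15T09:01:12Z 10.0.4.17 -> 164.92.88.210:443 ALLOW
2026-04-15T09:01:15Z 10.0.4.17 -> 142.250.80.46:443 ALLOW
2026-04-15T09:02:40Z 10.0.9.3 -> 164.92.88.210:443 ALLOW
2026-04-15T09:03:01Z 10.0.4.17 -> 164.92.88.210:443 ALLOW
2026-04-15T09:05:22Z 10.0.7.8 -> 164.92.88.21:443 ALLOW
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn common defanged notation back into a matchable value."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http"))


def find_beaconing_hosts(log_text: str, indicator_defanged: str = SINKHOLE_DEFANGED) -> dict:
    """Return {source_ip: [timestamps]} for every host seen connecting to the sinkhole.

    Addresses are parsed and compared as ip_address objects, so only an exact
    match counts; unparsable lines are skipped rather than aborting the scan.
    """
    target = ipaddress.ip_address(refang(indicator_defanged))
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst == target:
            hits[m["src"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(find_beaconing_hosts(SAMPLE_LOGS).items()):
        print(f"{host}: {len(times)} connection(s) to sinkhole, first at {times[0]} -> remediate")
```

Every host the scan returns is one the article says should be treated as compromised and remediated; the YARA rules mentioned below can then confirm the infection on the host itself.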
The same effort also included guidance for defenders beyond indicators alone: researchers have published YARA rules to confirm infections on suspected hosts.
So they “cut off” Solana and it fixes everything? Cool story.
I swear this is why my crypto always gets weird. They say it hit developers but I’m the one reinstalling apps all the time. Four channels sounds like they just found four ways to scam people, not end it.
Wait I thought BitTorrent DHT is like how pirates find stuff? So basically they used piracy tech to hack people’s wallets through VS Code extensions? I don’t even code and I’m still stressed now. Also “dormant extensions” sounds like it’s still there, just waiting, right?
This reads like a super coordinated attack by big companies but also somehow the hackers are always one step ahead. CrowdStrike and Google did a takedown, but if it was on GitHub and npm… isn’t that just gonna pop up again as a new package name? Like how many times can they “cut off channels” before the whole internet is basically compromised? Idk I’m not technical but the headline makes it sound successful, yet I don’t trust it.