Overview
- The takedown, which took place Tuesday, May 26, 2026, was coordinated by CrowdStrike with Google and the Shadowserver Foundation and redirected infected hosts to a CrowdStrike‑operated IP (164.92.88[.]210) for detection.
- Glassworm used a four‑channel C2 architecture (Solana blockchain memo fields, the BitTorrent DHT, Google Calendar event titles, and VPS servers), so all channels had to be disrupted at once to stop the botnet from reconstituting.
- Operators spread the malware through trojanized VS Code extensions, compromised npm and PyPI packages, and stolen credentials used to push malicious commits into more than 300 GitHub repositories.
- The core malware, GlasswormRAT, ran on Windows, macOS, and Linux and stole developer credentials, drained crypto extensions, and created SOCKS proxies and hidden VNC access for remote control.
- CrowdStrike published indicators and YARA rules to support threat hunting and remediation, but warned that the takedown only buys time: lasting safety requires platform fixes, hardened developer environments, and sustained cross‑sector pressure.
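One check a defender would run against the sinkhole detail above, as an added example that is not from the CrowdStrike write-up or the takedown partners: refang the published sinkhole address, scan egress firewall logs for flows to it, and rank internal hosts by how often they reached it. Only the sinkhole IP comes from the page; the key=value log format, the internal addresses and the timestamps are constructed for illustration.

```python
"""
Sinkhole-contact triage for the Glassworm takedown.

Added example, not from the CrowdStrike write-up. The sinkhole address
164.92.88[.]210 is the one the page names; the log format and the log
lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Defanged indicator exactly as published on the page.
SINKHOLE_DEFANGED = "164.92.88[.]210"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into its raw form."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http"))


SINKHOLE = ipaddress.ip_address(refang(SINKHOLE_DEFANGED))

# Constructed firewall log lines in an assumed key=value format. Note the
# near-miss destination 164.92.88.21 and a denied flow: a blocked beacon
# attempt still identifies an infected host, so it must count as a contact.
SAMPLE_LOGS = """\
ts=2026-05-26T09:01:12Z src=10.20.1.15 dst=164.92.88.210 dport=443 proto=tcp action=allow
ts=2026-05-26T09:01:14Z src=10.20.1.15 dst=142.250.74.46 dport=443 proto=tcp action=allow
ts=2026-05-26T09:03:40Z src=10.20.7.88 dst=164.92.88.210 dport=8443 proto=tcp action=allow
ts=2026-05-26T09:05:02Z src=10.20.1.15 dst=164.92.88.210 dport=443 proto=tcp action=allow
ts=2026-05-26T09:07:55Z src=10.20.3.3 dst=164.92.88.21 dport=443 proto=tcp action=allow
ts=2026-05-26T09:09:10Z src=10.20.9.200 dst=164.92.88.210 dport=443 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def find_sinkhole_contacts(log_text: str, sinkhole=SINKHOLE) -> dict:
    """Return {internal_src_ip: [(timestamp, dport), ...]} for every flow whose
    destination is exactly the sinkhole address. Comparing parsed addresses
    avoids the substring trap where '164.92.88.21' would match '164.92.88.210'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed destination field; skip the line
        if dst == sinkhole:
            hits[m["src"]].append((m["ts"], int(m["dport"])))
    return dict(hits)


def triage_summary(hits: dict) -> list:
    """Sort candidate infected hosts by number of sinkhole contacts, most first."""
    return sorted(((src, len(events)) for src, events in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    contacts = find_sinkhole_contacts(SAMPLE_LOGS)
    for src, count in triage_summary(contacts):
        first_seen = contacts[src][0][0]
        print(f"{src}: {count} contact(s) with sinkhole; first seen {first_seen}")
```

Hosts that never beaconed during the log window will not appear, so this complements rather than replaces an endpoint sweep with the published YARA rules. Check that the sinkhole address is still current against CrowdStrike's published indicators before turning the match into an alert, since sinkhole infrastructure is not permanent.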