
Glassworm, a botnet that weaponised trusted developer tools to poison hundreds of GitHub repositories with malicious code, was knocked out in a coordinated operation by CrowdStrike, Google, and the Shadowserver Foundation. The takedown occurred on 26 May and struck all command-and-control channels simultaneously, cutting operators off from their bots and halting new malicious payload delivery. The operation emphasized that the threat extends beyond botnets, because adversaries target developers who build software rather than only products. For nearly 18 months, operators targeted developers with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. Compromising a single developer workstation could enable large-scale supply chain compromise affecting many downstream organizations, potentially leading to data theft and extortion. No publicly known supply chain incidents were attributed to Glassworm.
"“This takedown matters beyond the botnet,” CrowdStrike's Counter Adversary Operations Team said in a blog detailing the operation. “Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organisation that ships or consumes software. Adversaries are no longer just targeting products, they're targeting the developers who build them.”"
"For almost 18 months, the operators of Glassworm systematically targeted developers with access to source code repositories, cloud platforms, continuous integration and deployment/delivery (CI/CD) pipelines and package registries. Such individuals are “uniquely high-value targets”, said CrowdStrike, because in compromising a single open source developer's workstation, Glassworm's operators could - in the right circumstances - orchestrate a major supply chain compromise, opening up access to thousands of downstream user organisations and exposing them to compromise and, potentially, data theft and extortion."
"The takedown, which occurred on the afternoon of 26 May, saw all of Glassworm's command and control (C2) channels struck simultaneously, cutting its operators off from their army of bots and halting their ability to deliver new malicious payloads."
"The botnet's operators conducted an extensive and multifaceted campaign in which they published trojanised VSCode extensions to the OpenVSX marketplace disguised as useful tools such as time trackers or code formatters. Besides the VSCode editor, these extensions also targeted tools such as Cursor, Positron, Windsurf and VSCodium."
Read at ComputerWeekly.com