IntelligenceX

GlassWorm Malware Infrastructure Disrupted in Major Supply Chain Takedown

Cybersecurity researchers have announced a major disruption operation targeting GlassWorm, a persistent malware campaign focused on software developers and open-source ecosystems. The coordinated effort, carried out with support from multiple security organizations, reportedly disabled all known command-and-control channels used by the malware operation.

GlassWorm has been actively targeting developers since at least early 2025 through malicious npm packages, infected Python libraries, and trojanized VS Code extensions. The campaign affected users not only on Microsoft Visual Studio Code but also on popular VS Code-based platforms such as Cursor, Windsurf, VSCodium, and Positron.

Researchers say the attackers focused heavily on compromising developer environments because access to source code repositories, package registries, CI/CD pipelines, and cloud platforms can create large downstream supply chain risks.

The malware was designed to steal developer credentials, browser data, cryptocurrency wallets, and authentication tokens linked to platforms like GitHub, npm, and OpenVSX. In later stages of the campaign, infected systems were reportedly transformed into covert infrastructure capable of supporting remote access, proxy services, hidden virtual network computing (HVNC), and further malware propagation.

One of the most advanced aspects of the operation was its resilient command-and-control architecture. Researchers observed GlassWorm using multiple communication channels simultaneously, including the Solana blockchain, BitTorrent Distributed Hash Table (DHT), Google Calendar events, and commercial VPS infrastructure. These layers were designed to make takedown efforts significantly more difficult.

Investigators believe more than 300 GitHub repositories may have been compromised through stolen developer credentials during the campaign.

Following the coordinated disruption, infected systems are reportedly no longer able to receive new commands or malware payloads through the previously active infrastructure. However, researchers warn that the threat actors behind GlassWorm remain highly capable and may attempt to rebuild their infrastructure using new techniques.

The incident once again highlights the growing cybersecurity risks surrounding software supply chain attacks and open-source ecosystems. As attackers increasingly target developers instead of end users directly, compromised tools and dependencies can quickly impact thousands of downstream organizations.

Cybersecurity-focused organizations like IntelligenceX continue to emphasize secure development practices, dependency monitoring, credential protection, and CI/CD security as critical defenses against modern supply chain threats.
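One concrete form of the extension-side hygiene the post alludes to is a periodic inventory of installed editor extensions checked against an approved list, across every VS Code-based editor the post names rather than only VS Code itself. The script below is an added illustration, not code from IntelligenceX or from the GlassWorm researchers. It assumes the default per-user extension directories shown in `EXTENSION_DIRS` (an assumption; adjust for your deployment) and that each installed extension is a folder holding a `package.json` whose `publisher` and `name` fields form the marketplace identifier. The sample tree built by `build_sample_tree()` is constructed data so the example runs offline; none of its names are indicators from the post.

```python
"""Inventory VS Code-family extensions and flag any outside an allowlist.

Added example (not from the original post). Assumes the default extension
directories below and a package.json per extension folder.
"""
import json
import tempfile
from pathlib import Path

# Assumed default extension directories for the editors the post names.
EXTENSION_DIRS = {
    "VS Code": Path("~/.vscode/extensions"),
    "Cursor": Path("~/.cursor/extensions"),
    "Windsurf": Path("~/.windsurf/extensions"),
    "VSCodium": Path("~/.vscode-oss/extensions"),
    "Positron": Path("~/.positron/extensions"),
}


def inventory(ext_root) -> list:
    """Return one record per extension folder found under ext_root.

    Extension identifiers (publisher.name) are case-insensitive, so they are
    normalised to lower case for comparison. A folder whose manifest cannot be
    read is still reported, since an unreadable manifest deserves a look.
    """
    root = Path(ext_root)
    found = []
    if not root.is_dir():
        return found
    for folder in sorted(root.iterdir()):
        manifest = folder / "package.json"
        if not manifest.is_file():
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            found.append({"id": f"<unreadable>/{folder.name}", "version": None,
                          "path": str(folder)})
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        found.append({"id": ext_id, "version": meta.get("version"),
                      "path": str(folder)})
    return found


def flag_unapproved(records, allowlist) -> list:
    """Return the records whose identifier is not on the (case-insensitive) allowlist."""
    approved = {entry.lower() for entry in allowlist}
    return [rec for rec in records if rec["id"] not in approved]


def audit_all(allowlist, dirs=EXTENSION_DIRS) -> dict:
    """Run the inventory for every editor directory and return flagged records per editor."""
    return {editor: flag_unapproved(inventory(root.expanduser()), allowlist)
            for editor, root in dirs.items()}


def build_sample_tree() -> Path:
    """Construct a throwaway extensions folder (sample data) for offline demonstration."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        "ms-python.python-2024.1.0": {"publisher": "ms-python", "name": "python",
                                     "version": "2024.1.0"},
        "example-pub.helper-0.0.1": {"publisher": "Example-Pub", "name": "Helper",
                                    "version": "0.0.1"},
    }
    for folder, meta in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    # A deliberately broken manifest exercises the unreadable-manifest branch.
    (root / "broken-ext-1.0.0").mkdir()
    (root / "broken-ext-1.0.0" / "package.json").write_text("{not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    allow = ["ms-python.python"]  # organisation-approved extensions (sample)
    for rec in flag_unapproved(inventory(sample_root), allow):
        print("REVIEW:", rec["id"], rec["version"], rec["path"])
```

In practice `audit_all()` would be run from endpoint management against the real directories with the organisation's allowlist, and the flagged list fed to whatever ticketing or SIEM pipeline is in use; the allowlist is the control, and the inventory only makes deviations visible.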
