GlassWorm Developer Supply-Chain Botnet Takedown | Halting Problems
Executive Summary
On 2026-05-26 at 14:00 UTC, CrowdStrike says it coordinated with Google and the Shadowserver Foundation to disrupt the GlassWorm botnet's command-and-control channels, cutting infected developer machines off from new operator instructions and payload delivery (CrowdStrike). The takedown does not prove that infected hosts are clean. It gives defenders a short containment window to find developer workstations, CI runners, and build boxes that installed GlassWorm-linked extensions or packages.
GlassWorm is a developer-tooling supply-chain campaign. CrowdStrike describes trojanized VS Code-compatible extensions, malicious npm and Python packages, and more than 300 poisoned GitHub repositories created or modified with previously stolen developer credentials (CrowdStrike). Socket's April 2026 research adds the clearest registry-level detail: a cluster of 73 Open VSX impersonation extensions, including activated hosts that used extensionPack transitive delivery, bundled native .node installers, or obfuscated JavaScript to retrieve VSIX payloads from GitHub (Socket).
Treat any confirmed GlassWorm hit as a developer identity incident, not just malware cleanup. The affected endpoints can hold GitHub, npm, Open VSX, SSH, cloud, Kubernetes, package-registry, AI-tooling, and wallet credentials.
Key Facts
```yaml
threat_type: "developer tooling supply-chain botnet"
ecosystems:
  - "Open VSX"
  - "VS Code-compatible extension marketplaces"
  - "npm"
  - "PyPI / Python packages"
  - "GitHub repositories"
first_seen: "at least early 2025"
disruption_time_utc: "2026-05-26T14:00:00Z"
primary_targets:
  - "software developer workstations"
  - "CI/CD runners"
  - "source-code repositories"
  - "package registry publisher accounts"
execution_paths:
  - "Open VSX extension activation"
  - "VS Code-compatible IDE extension installation"
  - "npm postinstall hooks"
  - "Python setup scripts"
  - "poisoned repository code changes"
confirmed_malicious_extensions:
  - "outsidestormcommand.monochromator-theme"
  - "keyacrosslaud.auto-loop-for-antigravity"
  - "krundoven.ironplc-fast-hub"
  - "boulderzitunnel.vscode-buddies"
  - "cubedivervolt.html-code-validate"
  - "winnerdomain17.version-lens-tool"
activated_april_29_hosts:
  - "drobnyak.angular-auto-helper"
  - "galushko.vsclassic-auto-pilot"
  - "gusarev.mermaid-super-studio"
  - "lavrentev.project-live-studio"
  - "lesnitsky.tikbook-easy-lens"
  - "mashulin.vue-easy-studio"
  - "mitrokhin.vsc-easy-studio"
  - "mlechevik.nunjucks-rich-pilot"
  - "mokridin.material-pro-suite"
  - "ovchinin.markdown-live-craft"
  - "peschanov.dbcode-smart-suite"
  - "platarov.podmanager-pro-craft"
  - "polikash.pretty-deep-kit"
  - "porzhnev.swiftformat-deep-hub"
  - "smolyak.slog-smart-studio"
  - "svetelin.industrious-live-hub"
  - "tarasenya.todo-rich-hub"
hashes:
  - "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168"
  - "4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd"
  - "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd"
network_iocs_defanged:
  - "164.92.88[.]210"
  - "github[.]com/SquadMagistrate10/wnxtgkih"
  - "github[.]com/francesca898/dqwffqw"
  - "github[.]com/ColossusQuailPray/oiegjqde"
confidence: "high"
last_verified: "2026-05-27"
```
Source Confidence & Evidence Mapping
confirmed: CrowdStrike states that the GlassWorm botnet disruption occurred on 2026-05-26 at 14:00 UTC with Google and Shadowserver cooperation (CrowdStrike).
confirmed: CrowdStrike describes four C2 resolution channels: Solana transaction memos, BitTorrent DHT, Google Calendar event titles, and direct server connections (CrowdStrike).
confirmed: Socket identifies 73 Open VSX impersonation extensions and an April 29 activation wave involving 23 new versions across 22 copycat extensions (Socket).
confirmed: Socket lists native installer hashes, a downloaded VSIX payload hash, GitHub payload-hosting repositories, six confirmed malicious extensions, and 17 activated April 29 host extensions (Socket).
likely: Any developer endpoint that ran a malicious extension should be treated as a credential exposure point even if the post-disruption C2 no longer responds.
unclear: The complete downstream victim count and every poisoned repository are not publicly enumerated.
Impact Determination
| Classification | Criteria | Required evidence | Required action | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | Host installed a confirmed malicious extension, executed a GlassWorm package hook, matched a listed payload hash, or connected to the CrowdStrike-operated sinkhole address after disruption. | Extension inventory, package-manager logs, endpoint file hashes, process telemetry, DNS/proxy/firewall logs, and preserved IDE extension directories. | Isolate the host, preserve disk... | |
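The "extension inventory" and "endpoint file hashes" evidence above is cheap to collect. The script below is an added example written for this page, not tooling from CrowdStrike, Socket, or the GlassWorm operators: it walks VS Code-compatible extension directories, derives each extension's marketplace ID (publisher.name) from its package.json, matches it against the confirmed malicious and activated-host IDs from the Key Facts, flags extensions whose extensionPack would transitively install one of those IDs, and hashes every file under each extension against the listed SHA-256 values. The default extension roots and the sample extension tree it scans when run directly are assumptions and constructed test data; the IDs and hashes are the page's own.

```python
"""Hunt installed VS Code-compatible extensions for GlassWorm indicators.

Added example for this page (not vendor code). Extension IDs and SHA-256
hashes are taken from the Key Facts above. The extension directory layout
(<publisher>.<name>-<version>/package.json) is the standard VS Code /
VSCodium layout; DEFAULT_ROOTS and build_sample_root() are assumptions
and constructed sample data respectively.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Marketplace IDs (publisher.name) listed on the page as confirmed malicious.
CONFIRMED_MALICIOUS: Set[str] = {
    "outsidestormcommand.monochromator-theme", "keyacrosslaud.auto-loop-for-antigravity",
    "krundoven.ironplc-fast-hub", "boulderzitunnel.vscode-buddies",
    "cubedivervolt.html-code-validate", "winnerdomain17.version-lens-tool",
}
# Host extensions activated in the April 29 wave, per the Key Facts.
ACTIVATED_HOSTS: Set[str] = {
    "drobnyak.angular-auto-helper", "galushko.vsclassic-auto-pilot", "gusarev.mermaid-super-studio",
    "lavrentev.project-live-studio", "lesnitsky.tikbook-easy-lens", "mashulin.vue-easy-studio",
    "mitrokhin.vsc-easy-studio", "mlechevik.nunjucks-rich-pilot", "mokridin.material-pro-suite",
    "ovchinin.markdown-live-craft", "peschanov.dbcode-smart-suite", "platarov.podmanager-pro-craft",
    "polikash.pretty-deep-kit", "porzhnev.swiftformat-deep-hub", "smolyak.slog-smart-studio",
    "svetelin.industrious-live-hub", "tarasenya.todo-rich-hub",
}
# Native installer / VSIX payload hashes listed on the page.
KNOWN_HASHES: Set[str] = {
    "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168",
    "4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd",
    "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd",
}
# Assumed default extension roots (VS Code, VS Code OSS / VSCodium, remote server).
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".vscode-server" / "extensions",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extension_id(manifest: dict) -> Optional[str]:
    """Marketplace ID is publisher.name; marketplaces compare it case-insensitively."""
    pub, name = manifest.get("publisher"), manifest.get("name")
    return f"{pub}.{name}".lower() if pub and name else None


def scan_extension_root(root: Path, known_hashes: Set[str] = KNOWN_HASHES) -> List[Dict[str, str]]:
    """Return one finding per indicator hit under an extensions directory."""
    findings: List[Dict[str, str]] = []
    if not root.is_dir():
        return findings
    watchlist = CONFIRMED_MALICIOUS | ACTIVATED_HOSTS
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # not an extension directory (or an unreadable manifest)
        ext_id = extension_id(manifest)
        if ext_id is None:
            continue
        if ext_id in CONFIRMED_MALICIOUS:
            findings.append({"path": str(ext_dir), "id": ext_id, "reason": "confirmed_malicious"})
        elif ext_id in ACTIVATED_HOSTS:
            findings.append({"path": str(ext_dir), "id": ext_id, "reason": "activated_host"})
        # extensionPack: installing this extension transitively installs each listed ID,
        # which is the delivery trick Socket describes for the activated hosts.
        for packed in manifest.get("extensionPack", []) or []:
            if str(packed).lower() in watchlist:
                findings.append({"path": str(ext_dir), "id": ext_id,
                                 "reason": f"extensionPack pulls {str(packed).lower()}"})
        # Hash every file (bundled .node installers and downloaded VSIX payloads included).
        for f in ext_dir.rglob("*"):
            if f.is_file():
                digest = sha256_file(f)
                if digest in known_hashes:
                    findings.append({"path": str(f), "id": ext_id, "reason": f"hash {digest}"})
    return findings


def build_sample_root(base: str) -> Path:
    """Constructed sample tree (not real extension contents) for a stand-alone run."""
    root = Path(base) / "extensions"
    for dirname, manifest, extra in [
        ("krundoven.ironplc-fast-hub-1.0.0",
         {"publisher": "krundoven", "name": "ironplc-fast-hub", "version": "1.0.0"},
         ("installer.node", b"constructed native installer stand-in")),
        ("someone.helpful-pack-0.1.0",
         {"publisher": "someone", "name": "helpful-pack", "extensionPack": ["boulderzitunnel.vscode-buddies"]},
         None),
        ("example.benign-theme-2.0.0",
         {"publisher": "example", "name": "benign-theme", "version": "2.0.0"},
         ("theme.json", b"{}")),
    ]:
        d = root / dirname
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if extra:
            (d / extra[0]).write_bytes(extra[1])
    return root


def scan_sample() -> Dict[str, object]:
    """Scan the constructed tree with the page's hashes, then again with the sample installer's digest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_root(tmp)
        sample_digest = sha256_file(root / "krundoven.ironplc-fast-hub-1.0.0" / "installer.node")
        return {
            "page_iocs": scan_extension_root(root),
            "with_sample_hash": scan_extension_root(root, known_hashes=KNOWN_HASHES | {sample_digest}),
            "sample_digest": sample_digest,
        }


if __name__ == "__main__":
    for finding in scan_sample()["page_iocs"]:
        print("sample:", finding)
    for r in DEFAULT_ROOTS:
        for finding in scan_extension_root(r):
            print("live:", finding)
```

A hit on a confirmed ID or a listed hash is the "confirmed compromise" condition from the table above; an extensionPack reference alone is a lead to check the user's install history, since the pack may have been installed before the host extension turned malicious. Run it on CI runner images and remote-server extension directories as well as laptops, and preserve the extension directory before uninstalling anything.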