CrowdStrike and Google take down botnet used by hackers to target software developers in supply chain attacks
Source: TechCrunch
Overview
CrowdStrike, working with Google and the nonprofit Shadowserver, took down a botnet that cybercriminals used to push malware and steal passwords from open‑source software developers. The operation targeted the Glassworm botnet, which has been compromising the broader open‑source software supply chain for two years.
Takedown Operation
The takedown operation aimed to disrupt the activities of the Glassworm hackers. According to CrowdStrike, these adversaries have been targeting developers rather than just products, recognizing that compromising a single developer’s workstation can cascade into a supply‑chain breach affecting thousands of downstream organizations and users.
Attack Strategies
Glassworm employed several tactics to distribute malicious code:
- Publishing malicious extensions on a marketplace used by developers.
- Malvertising: paying for sponsored search results that trick victims into downloading malware.
- Using credentials stolen in previous hacks to hijack developer accounts and plant malware in their code.
As a result, the hackers poisoned more than 300 GitHub repositories.
Command‑and‑Control Takedown
CrowdStrike reported the takedown of four command‑and‑control (C2) channels used by Glassworm, cutting off the hackers’ access to infected machines and halting further malware delivery. The C2 infrastructure relied on:
- The Solana blockchain
- The BitTorrent peer‑to‑peer network
- Google Calendar
- Virtual private servers
Related Supply‑Chain Incidents
- Last week, hackers compromised several open‑source projects, pushing malicious updates in a campaign dubbed “Mini Shai‑Hulud.” An OpenAI developer was among those affected.
- In March, a suspected North Korean actor hijacked the popular open‑source development tool Axios, used by millions of developers.