CrowdStrike and Google take down botnet used by hackers to target open source software developers

Published: May 27, 2026 at 12:59 PM EDT
Source: TechCrunch

CrowdStrike, working with Google and the nonprofit Shadowserver, took down a botnet that cybercriminals used to push malware and steal passwords from open‑source software developers.

Takedown Operation

The takedown operation aimed to disrupt the activities of the Glassworm botnet, which has been targeting the broader open‑source software supply chain for two years, according to CrowdStrike.

Threat Landscape

In recent months, several hacking groups have targeted developers and open‑source projects to inject malicious software into the supply chain. These attacks exploit the trust that companies place in code hosted on platforms like GitHub and the developers behind that code.

“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike wrote. “Developers represent uniquely high‑value targets: compromising a single developer’s workstation can cascade into a supply‑chain compromise that impacts thousands of downstream organizations and users.”

Attack Methods

Glassworm employed multiple strategies to distribute malicious code:

  • Publishing malicious extensions on a marketplace used by developers.
  • Malvertising—paying for sponsored search results that trick victims into downloading malware.
  • Using credentials stolen in previous hacks to hijack developer accounts and plant malware in their code.

As a result, the hackers poisoned more than 300 GitHub repositories.

Command‑and‑Control Disruption

CrowdStrike reported taking down four command‑and‑control (C2) channels used by Glassworm, cutting the hackers’ access to infected computers and stopping further malware delivery. The C2 infrastructure relied on:

  • The Solana blockchain
  • The BitTorrent peer‑to‑peer network
  • Google Calendar
  • Virtual private servers

Other recent incidents targeting developers and open‑source projects:

  • Last week, hackers compromised several open‑source projects, pushing malicious updates in a campaign dubbed “Mini Shai‑Hulud.”
  • At least two OpenAI developers were compromised by this group.
  • In March, a suspected North Korean actor hijacked the popular open‑source development tool Axios, used by millions of developers.
