Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

CrowdStrike executed a coordinated takedown of the Glassworm botnet on May 26, 2026, which had been targeting software developers through the open-source supply chain. This global operation, conducted in collaboration with Google and the Shadowserver Foundation, simultaneously disrupted all four of Glassworm's command-and-control channels, effectively preventing the botnet from delivering new malicious payloads. Glassworm's sophisticated infrastructure relied on resilient channels, including blockchain and peer-to-peer networks, to avoid traditional takedown efforts, highlighting a significant shift in the threat landscape where adversaries target developers rather than just products. The campaign underscored the vulnerabilities in software supply chains, as attackers leveraged compromised developer tools and credentials to execute supply-chain compromises affecting numerous organizations. The operation sets a precedent for proactive and collaborative disruption of cyber threats, emphasizing the need for ongoing vigilance and collaboration among security vendors, law enforcement, and tech companies to mitigate the risks posed by such sophisticated cyber threats.