CrowdStrike and Google dismantle botnet targeting open source developers

Summary
– CrowdStrike, Google, and the nonprofit Shadowserver dismantled the Glassworm botnet, which targeted open source developers to steal passwords and push malware.
– The Glassworm group had targeted the open source software supply chain for two years, compromising over 300 GitHub repositories.
– Attackers used methods such as publishing malicious developer extensions, malvertising, and hijacking accounts with stolen credentials to spread malware.
– CrowdStrike took down four command-and-control channels that relied on the Solana blockchain, BitTorrent, Google Calendar, and virtual private servers, cutting the hackers’ access to infected systems.
– The legal or technical authority for the takedown was not disclosed, as CrowdStrike declined to comment beyond its blog post.
A coordinated effort between CrowdStrike, Google, and the nonprofit Shadowserver has successfully dismantled a botnet used by cybercriminals to distribute malware and steal credentials from open source software developers. The operation targeted the infrastructure behind the so-called Glassworm botnet, which has been active for roughly two years, according to CrowdStrike’s findings.
Over the past several months, multiple hacking groups have increasingly focused on developers and open source projects as a vector for injecting malicious code into downstream organizations. These attacks exploit the inherent trust companies place in code hosted on platforms like GitHub, as well as the developers who maintain it. As CrowdStrike emphasized in its report, “Adversaries are no longer just targeting products, they’re targeting the developers who build them.” The firm further explained that compromising a single developer’s workstation can trigger a supply-chain compromise, potentially affecting thousands of organizations and users downstream.
The Glassworm hackers employed a variety of tactics to distribute their malicious payloads. They published harmful extensions on developer marketplaces, used malvertising to trick victims into downloading malware via sponsored search results, and leveraged credentials stolen from previous breaches to hijack developer accounts and inject malware into code. Ultimately, the group managed to poison more than 300 GitHub repositories.
CrowdStrike reported that it neutralized four command-and-control channels used by the hackers, effectively cutting off access to infected machines and halting further malware delivery. These channels relied on diverse infrastructure, including the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers.
It remains unclear what legal or technical authority CrowdStrike and its partners used to execute the takedown. When asked by TechCrunch, CrowdStrike spokesperson Kirsten Speas declined to elaborate beyond the company’s published blog post.
This takedown follows a separate incident last week, where hackers compromised several open source projects and pushed malicious updates in a campaign dubbed “Mini Shai-Hulud.” At least two OpenAI developers were affected by that attack. In March, a suspected North Korean hacker hijacked the popular open source tool Axios, which is used by millions of developers worldwide, in another supply chain breach.
(Source: TechCrunch)