What Happened
On May 26, 2026, at 14:00 UTC, CrowdStrike’s Counter Adversary Operations team — working with Google and the Shadowserver Foundation — executed a simultaneous takedown of all four command-and-control channels used by the GlassWorm botnet. The coordinated operation was necessary because taking down any single channel would have left the others operational, allowing attackers to quickly reconstitute.
GlassWorm is a developer-targeting supply chain campaign active since at least early 2025. Its operators built resilient C2 infrastructure across four separate layers: Solana blockchain transactions, the BitTorrent distributed hash table (DHT), a public calendar service, and direct connections to commercial VPS servers. This design was built to survive partial takedowns. According to The Hacker News, the campaign infected machines via malicious OpenVSX and VS Code extensions targeting developer credential and cryptocurrency wallets, then expanded to GitHub repositories and npm packages, with one wave in March 2026 compromising more than 400 software artifacts.
Infected machines now beacon to 164.92.88[.]210, a CrowdStrike-operated sinkhole. Organizations should treat connections to this IP as an indicator of compromise.
Why This Matters for Canadian Organizations
Canadian software development teams at technology companies, government digital services, financial institutions, and SaaS providers are directly in GlassWorm’s target profile. The botnet’s focus on developers with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries makes a single developer infection potentially catastrophic for an entire organization. One compromised developer credential in a Canadian federal digital services team, for example, gives attackers access to government source code and cloud infrastructure. For Canadian organizations subject to OSFI Guideline B-13 on technology and cyber risk, the supply chain exposure GlassWorm represents — third-party npm packages and VS Code extensions used in production CI/CD pipelines — is a key third-party risk vector that requires active monitoring.
The takedown disrupts current operations but does not eliminate the threat. Prior GlassWorm infections remain active until remediated. The malware’s stolen credentials — including GitHub tokens, AWS keys, and Kubernetes configuration files — may already be in use or for sale.
What to Do
Review network logs and endpoint telemetry for outbound connections to 164.92.88[.]210. Audit VS Code and OpenVSX extensions installed across developer workstations — remove any unrecognized or unverified extensions immediately. Scan npm packages in your dependency tree against known GlassWorm indicators, including the previously identified artifacts from the March 2026 campaign. Rotate any GitHub tokens, AWS access keys, Kubernetes credentials, and cloud service API keys held by developers who used VS Code with unverified extensions over the past 12 months. Enable npm audit and enforce a policy requiring package signature verification in your CI/CD pipelines. Report confirmed compromises to the Canadian Centre for Cyber Security at cyber.gc.ca.
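The first two steps above, checking telemetry for the sinkhole address and auditing installed extensions against what the organization actually approved, are straightforward to script. The following Python is an added example written for this brief, not code from CrowdStrike or from any of the organizations named; the log lines, the extension listing and the allowlist are all constructed sample data, and only the sinkhole IP comes from the advisory. The extension listing is in the `publisher.name@version` shape that `code --list-extensions --show-versions` prints, so the same parser works on real output piped from a workstation.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Sinkhole address from the advisory, kept defanged exactly as the page writes it.
SINKHOLE_DEFANGED = "164.92.88[.]210"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a matchable literal."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


SINKHOLE = ipaddress.ip_address(refang(SINKHOLE_DEFANGED))

# IPv4 literals anywhere in free-form log text (firewall, proxy, flow records, ...).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_sinkhole_beacons(lines: Iterable[str]) -> list[str]:
    """Return every log line that references the sinkhole IP.

    Comparing parsed addresses rather than raw substrings avoids matching
    look-alikes such as 164.92.88.21 or 1164.92.88.210.
    """
    hits: list[str] = []
    for line in lines:
        for token in IPV4_RE.findall(line):
            try:
                if ipaddress.ip_address(token) == SINKHOLE:
                    hits.append(line.rstrip())
                    break
            except ValueError:
                continue  # regex allows 999.1.1.1; ip_address rejects it
    return hits


def parse_extension_listing(text: str) -> list[str]:
    """Extract extension IDs (publisher.name) from `code --list-extensions --show-versions` output."""
    ids: list[str] = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        ids.append(entry.split("@", 1)[0])
    return ids


def audit_extensions(installed: Iterable[str], allowlist: Iterable[str]) -> list[str]:
    """Installed extension IDs that are not on the organization's approved list."""
    allowed = {e.lower() for e in allowlist}
    return sorted({e.lower() for e in installed} - allowed)


# --- Constructed sample data (not real telemetry) -------------------------
SAMPLE_LOGS = [
    "2026-05-27T09:12:44Z fw01 ALLOW TCP 10.20.4.15:51234 -> 164.92.88.210:443",
    "2026-05-27T09:12:45Z fw01 ALLOW TCP 10.20.4.16:50211 -> 142.250.72.14:443",
    "2026-05-27T09:13:02Z proxy CONNECT 164.92.88.210:443 from 10.20.4.15 user=dev-jsmith",
    "2026-05-27T09:13:10Z fw01 DENY UDP 10.20.4.17:123 -> 10.20.0.1:123",
]

# Constructed listing; the third entry is a made-up ID standing in for an unreviewed extension.
SAMPLE_EXTENSION_LISTING = """\
ms-python.python@2026.4.0
esbenp.prettier-vscode@11.0.0
example-publisher.unreviewed-tool@0.0.3
"""
ALLOWLIST = ["ms-python.python", "esbenp.prettier-vscode"]


if __name__ == "__main__":
    for hit in find_sinkhole_beacons(SAMPLE_LOGS):
        print("SINKHOLE BEACON:", hit)
    unknown = audit_extensions(parse_extension_listing(SAMPLE_EXTENSION_LISTING), ALLOWLIST)
    for ext in unknown:
        print("UNAPPROVED EXTENSION:", ext)
```

Any host that appears in a beacon hit belongs on the credential-rotation list from the step above, since the connection means the implant was already running there. For the npm step, `npm audit signatures` verifies registry signatures for the packages in a lockfile and can be run in CI as the enforcement point the brief calls for.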