CrowdStrike, Google, and the Shadowserver Foundation have disrupted all command-and-control channels used by the GlassWorm botnet this month [1], [2], [3].
This takedown halts a persistent campaign that specifically targeted open-source developers to compromise the software supply chain. By dismantling the infrastructure, the coalition has prevented the malware from receiving instructions or exfiltrating data from infected systems.
The GlassWorm campaign began in early 2025 [1]. Since its inception, the botnet poisoned more than 300 GitHub repositories [1]. These repositories served as vectors to deliver malware to developers, who then inadvertently integrated malicious code into their own projects.
The botnet was noted for its resilient infrastructure, which utilized four distinct command-and-control channels [3]. These channels spanned diverse digital environments, including GitHub repositories, the Solana blockchain, and the BitTorrent DHT network [2], [3], [5].
By coordinating across these different platforms, the attackers attempted to ensure that the botnet would remain operational even if individual servers were seized. The joint operation by the security firms and the Shadowserver Foundation successfully neutralized all four pathways [3], effectively smashing the infrastructure to pieces [5].
This operation marks a significant effort to protect the integrity of open-source software. Because developers trust these repositories, a single poisoned project can lead to thousands of downstream infections across the global software ecosystem [4].
The disruption of GlassWorm highlights a growing trend of 'resilient' malware that leverages decentralized technologies like blockchains and DHT networks to avoid single points of failure. The necessity of a multi-organizational coalition to dismantle these channels suggests that traditional single-firm responses are becoming insufficient against modern supply-chain threats.




