A major cybersecurity operation has disrupted the infrastructure behind the GlassWorm malware campaign. The operation was carried out by CrowdStrike, Google, and the Shadowserver Foundation. Security researchers said the malware mainly targeted software developers through infected VS Code extensions. The malicious extensions were uploaded to developer marketplaces to trick users into installing them.

GlassWorm was especially dangerous because it targeted the software supply chain rather than attacking victims directly. Once installed, the malware silently harvested developer credentials and system information. Researchers said the stolen data included GitHub credentials, npm authentication tokens, and Git configuration details. The attackers then used these credentials to push the malware further into other repositories.

According to reports, more than 300 GitHub repositories were affected during the campaign. The attackers reportedly poisoned repositories using stolen developer accounts and compromised systems. This made the malware a serious threat because infected repositories could affect many users. Security researchers warned that one compromised developer account can impact a much larger software ecosystem.

One of the most advanced parts of GlassWorm was its covert command-and-control infrastructure. Instead of relying on conventional servers, the malware used several different technologies to avoid detection. Researchers found that it used the Solana blockchain, the BitTorrent Distributed Hash Table, and Google Calendar event titles to relay instructions. Commercial VPS hosting services were also reportedly used as part of the infrastructure.

Security experts explained that these communication methods made the malware difficult to shut down. Traditional malware operations usually depend on central servers that can be blocked or removed. GlassWorm used decentralized communication systems, making takedown operations more complicated. Researchers described the malware as highly persistent because of this unusual setup.

The malware also reportedly turned infected systems into hidden attack infrastructure for cybercriminals. Compromised devices could operate as SOCKS proxy servers and as covert remote-control endpoints. Researchers also found remote code execution capabilities within the malware operation. This allowed attackers to route malicious traffic through infected machines while concealing their real identity and location.

CrowdStrike stated that the coordinated operation successfully disrupted all four communication channels used by GlassWorm. Researchers said infected systems can no longer receive instructions from the attackers through the disrupted infrastructure. This significantly reduced the malware’s ability to continue spreading or download additional payloads. The takedown operation is being seen as an important win against software supply chain threats.

Researchers also believe the people behind GlassWorm may be Russian-speaking cybercriminals. Reports mentioned that Russian-language comments were found inside parts of the malware code. The malware reportedly avoided running on systems located in Commonwealth of Independent States countries. Security experts say the incident highlights the growing risks connected to third-party developer tools and software supply chain security.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news