Devs are the new target


Code breaks trust. When companies install an update, they believe the author is who they say they are. They assume the repository on GitHub is safe. Hackers know this. They stopped attacking the software. Now they hunt the humans who build it.

CrowdStrike joined forces with Google and the nonprofit Shadowserver to dismantle the Glassworm botnet. For two years these criminals targeted the open source supply chain. The goal? Pushing malware and stealing passwords.

Adversaries realized something simple. Attack the developer and you compromise everything. A single hijacked workstation ripples outward. It touches thousands of downstream organizations. It touches millions of users.

“Adversaries are no longer just targeting products, they’re targeting the developers who build them”

Glassworm was slick. Or maybe just persistent. They used whatever worked. Sometimes malvertising: paying for fake search results to trick people into downloads. Other times they reused credentials stolen from earlier breaches. This allowed them to log in as real devs and inject code directly into trusted projects.

They even published malicious extensions on developer marketplaces. A multi-front war. And they won some battles. More than 30 GitHub repositories got poisoned. The damage spread fast.

The shutdown happened quickly. CrowdStrike cut four command-and-control channels. That severed the link to infected computers. The bleeding stopped.

How did the botnet communicate? In clever places.
– The Solana blockchain
– BitTorrent peers
– Google Calendar
– Virtual private servers

Hidden in plain sight. You check your calendar and there it is—a malicious instruction set.

Did anyone ask for permission to pull the plug? Unclear. When pressed, CrowdStrike offered no extra details beyond their public report. Silence where legal clarity usually lives.

This isn’t an isolated incident. Just last week, a separate group called “Mini Shai-Hulud” compromised several projects. They pushed bad updates. Two OpenAI devs fell victim. Before that, in March, a tool called Axios, used by millions, was hijacked, allegedly by North Korean hackers.

Why does this keep happening? Because open source runs the modern internet. And trust is the only firewall. Until that changes, devs will stay in the crosshairs. The code is just the vehicle.