Skip to main content
Book a Demo

Biggest Takedown of 2026 to Date? Glassworm: Targeting Developers at Scale

Gadi Evron
by Gadi Evron
28 May 2026
3 mins read

Contents

 

💡 Kirin runs in the developer's IDE and blocks malicious extensions and packages before they execute. Try it free for up to 5 licenses.

What happened

On May 26, 2026, CrowdStrike's Counter Adversary Operations team, in coordination with Google and the Shadowserver Foundation, disrupted Glassworm, a botnet that had been running against software developers since at least early 2025. CrowdStrike struck all four of Glassworm's command-and-control channels simultaneously: a Solana-blockchain dead-drop, a BitTorrent DHT lookup, Google Calendar event titles, and the conventional VPS infrastructure behind them. Infected machines can no longer receive new payloads.

It is one of the more interesting takedowns of the year, and a meaningful piece of work. It also tells every CISO something specific about where the next attack will come from.

 

Developers are the target

The operators behind Glassworm did not pick their victims at random. They systematically targeted software developers, a population that holds source code, cloud credentials, CI/CD secrets, package-registry tokens, and SSH keys, often all on the same laptop. One compromised developer cascades into a supply-chain compromise that reaches every customer downstream.

Glassworm's vectors map cleanly to a modern engineering workstation:

  • Trojanized VS Code extensions published to OpenVSX, masquerading as time trackers and code formatters, targeting not only VS Code but Cursor, Positron, Windsurf, VSCodium, and the broader IDE family.
  • Compromised npm and Python packages, running attacker code through postinstall hooks and setup scripts at dependency-install time, with no user prompt.
  • More than 300 poisoned GitHub repositories, with malicious code force-pushed into default branches using credentials harvested from earlier Glassworm infections.

The botnet ran cross-platform on Windows, macOS, and Linux. It deployed an information stealer, a credential harvester, and a full-featured Node.js remote access tool dubbed GlasswormRAT. Over the course of more than a year, the operators rotated their implementation from JavaScript to Rust to Zig and cycled through package ecosystems faster than the ecosystems could respond.

This is the new shape of supply-chain risk. Not "the dependencies in your production build." Every IDE, every extension, every MCP server, every npm and PyPI package on every engineer's laptop in your company.

 

The takedown is a reprieve, not a cure

CrowdStrike was direct about this in their report, and it is worth quoting:

Defending against these threats through after-the-fact detection alone is virtually impossible. Malicious packages are installed through dependency updates in seconds, and detections usually happen when the harm is already done.

The Glassworm operators are well-resourced. They built their C2 across blockchain, peer-to-peer, and legitimate web services specifically to survive takedowns. They have shifted programming languages three times. They will likely reconstitute. And the next campaign ( Shai-Hulud, TeamPCP, whatever name attaches to it) will use the same playbook against the same population.

What changes the picture is not faster takedowns. It is moving the defense to where the malicious code actually executes: inside the developer's IDE.

 

How Kirin defends

Kirin runs in the developer's IDE (Cursor, Claude Code, VS Code) and inspects dependencies, extensions, and MCP connections in real time. Against a campaign with Glassworm's exact shape, Kirin is the inline brake.

Trojanized extensions in the IDE. Kirin inspects Cursor extensions and MCP connections at install and at activation. An extension that fetches and runs code from an external location on startup is the exact behavior Kirin is designed to recognize and block. Glassworm's primary entry path runs through this surface.

Compromised packages surfaced through the assistant. Kirin observes the dependencies the AI assistant is about to introduce, inspects them in real time, and blocks unsafe behavior before it lands. The "thousands of victims within minutes" window CrowdStrike describes is exactly the window Kirin closes for AI-assisted developer workflows.

Credentials at the endpoint. Kirin redacts and guards sensitive data flowing through the assistant, so even if a second-stage payload triggers, the cloud credentials, password-manager vaults, and SSH keys that GlasswormRAT is built to harvest are not readable in usable form. The infostealer-plus-credential-harvester pattern at the core of this campaign relies on the credentials being there to grab. Kirin removes that assumption.

Kirin is not a takedown. It is the defense that does not depend on one.

 

What CISOs should do this week

The Glassworm takedown gives every organization a free, time-bounded gift: a window where existing infections cannot receive new payloads. Use it.

  • Hunt for the CrowdStrike beacon. All Glassworm-infected machines now connect to 164.92.88[.]210. Review network logs and endpoint telemetry for that address. Any match is a confirmed infection that needs immediate remediation. CrowdStrike has also published YARA rules for the RAT and the downloader stage.
  • Inventory your developer agent surface. Which VS Code and Cursor extensions are installed across engineering laptops? Which MCP servers? Which AI agent skills? In most organizations, this list does not exist.
  • Plan and execute a defense. Deploy protection that blocks malicious extensions and packages at the moment of execution inside the IDE, not after the worm has touched the cloud or after the next takedown clears the air.

Kirin is free for up to 5 licenses. It installs into Claude Code, Claude Cowork, Cursor, VS Code in minutes. If your engineering team uses any of those today, you can have Glassworm-class protection running this week, without waiting for the next takedown.

 

Acknowledgments

CrowdStrike's Counter Adversary Operations team did the hard work here, alongside Google and the Shadowserver Foundation. Threat investigations like this matter because they buy defenders time. The job for the rest of us is to use that time to layer protection where the attacks land.

 

💡 Kirin runs in the developer's IDE and blocks malicious extensions and packages before they execute. Try it free for up to 5 licenses.

 

 

Source:

 
Data Leakage Detection and Response for Enterprise AI Search

Learn how to assess and remediate LLM data exposure via Copilot, Glean and other AI Chatbots with Knostic.

Get Access

Mask group-Oct-30-2025-05-23-49-8537-PM
The Data Governance Gap in Enterprise AI

See why traditional controls fall short for LLMs, and learn how to build policies that keep AI compliant and secure.

Download the Whitepaper

data-governance
Rethinking Cyber Defense for the Age of AI

Learn how Sounil Yu’s Cyber Defense Matrix helps teams map new AI risks, controls, and readiness strategies for modern enterprises.

Get the Book

Cyber Defence Matrix - cover
Extend Microsoft Purview for AI Readiness

See how Knostic strengthens Purview by detecting overshared data, enforcing need-to-know access, and locking down AI-driven exposure.

Download the Brief

copilot-img
Build Trust and Security into Enterprise AI

Explore how Knostic aligns with Gartner’s AI TRiSM framework to manage trust, risk, and security across AI deployments.

Read the Brief

miniature-4-min
Real Prompts. Real Risks. Real Lessons.

A creative look at real-world prompt interactions that reveal how sensitive data can slip through AI conversations.

Get the Novella

novella-book-icon
Stop AI Data Leaks Before They Spread

Learn how Knostic detects and remediates oversharing across copilots and search tools, protecting sensitive data in real time.

Download the Brief

LLM-Data-min
Accelerate Copilot Rollouts with Confidence

Equip your clients to adopt Copilot faster with Knostic's AI security layer, boosting trust, compliance, and ROI.

Get the One-Pager

cover 1
Reveal Oversharing Before It Becomes a Breach

See how Knostic detects sensitive data exposure across copilots and search, before compliance and privacy risks emerge.

View the One-Pager

cover 1
Unlock AI Productivity Without Losing Control

Learn how Knostic helps teams harness AI assistants while keeping sensitive and regulated data protected.

Download the Brief

safely-unlock-book-img
Balancing Innovation and Risk in AI Adoption

A research-driven overview of LLM use cases and the security, privacy, and governance gaps enterprises must address.

Read the Study

mockup
Secure Your AI Coding Environment

Discover how Kirin prevents unsafe extensions, misconfigured IDE servers, and risky agent behavior from disrupting your business.

Get the One-Pager

cover 1

Tags:

bg-shape-download

See How to Secure and Enable AI in Your Enterprise

Knostic provides AI-native security and governance across copilots, agents, and enterprise data. Discover risks, enforce guardrails, and enable innovation without compromise.

Request a Demo
195 1-min

Related Articles

background for career

Schedule a demo to see what Knostic can do for you

Let’s talk arrow icon
protect icon

Knostic leads the unbiased need-to-know based access controls space, enabling enterprises to safely adopt AI.

knostic logo white

United States
205 Van Buren St

Suite 120

Herndon, VA 20170

Become Our Partner
Log in arrow icon Apply now
Free Tools
Industry Solutions
Policies and Legal
Resources
Departments
Roles
Schedule a demo arrow icon
Schedule a demo arrow icon

EXPLORE KNOSTIC

Free Tools
Solutions by Department
Solutions by Role
Solutions by Industry

Resources

COMPANY

Become Our Partner
Log in arrow icon Apply now
Copyright © 2025. All rights reserved