GlassWorm — developer-targeting botnet takedown (CrowdStrike, Google)
AI relevance: GlassWorm poisoned VS Code extensions and npm/Python packages that are core dependencies for AI coding agents (Cursor, Windsurf), converting infected developer machines into covert proxy infrastructure — a direct precursor to AI-agent supply-chain attacks.
What happened
CrowdStrike, Google, and the Shadowserver Foundation announced a coordinated takedown of the GlassWorm malware campaign's four command-and-control channels. The operation has targeted developers since at least early 2025, with over 300 GitHub repositories compromised using stolen credentials.
- GlassWorm distributed trojanized VS Code extensions via both the official Microsoft Marketplace and Open VSX, targeting VS Code forks including Cursor, Positron, Windsurf, and VSCodium.
- Malicious code was also injected through compromised npm and Python packages.
- The payload is a data-theft framework with credential harvesting, crypto wallet exfiltration, and system profiling.
- Later iterations deployed a WebSocket-based JavaScript RAT (GlassWormRAT) to steal browser data and install a Chrome extension that captures screenshots, keystrokes, and clipboard content.
- Infected hosts become covert infrastructure: SOCKS proxies, hidden VNC servers, and remote execution nodes via WebRTC or Node.js processes.
- Four distinct C2 channels provided resilience: Solana blockchain dead-drop resolver, BitTorrent DHT queries, Google Calendar event titles, and direct VPS connections — all neutralized simultaneously.
- Attribution points to likely Russia-based cybercriminals.
Why it matters
Developers are high-value targets for supply-chain attacks because a single compromised workstation can impact thousands of downstream users. GlassWorm's use of AI-coding-tool distribution channels (VS Code forks, npm packages) means any developer using Cursor, Windsurf, or similar tools was at risk. The covert infrastructure built from infected machines — SOCKS proxies, remote execution nodes — is exactly the kind of anonymized network infrastructure that could be used to launch follow-on AI agent attacks at scale.
What to do
- Revoke and rotate all developer credentials (GitHub, npm, OpenVSX, crypto wallets) if you used trojanized extensions during the active period.
- Audit VS Code extensions and IDE tooling for unknown or unexpected installations.
- Scan for GlassWormRAT indicators: unexpected Chrome extensions, Node.js processes spawning WebRTC connections, or VNC servers on non-standard ports.
- Use extension allowlists in organizational VS Code deployments.