CrowdStrike and Google dismantle botnet targeting developers

CrowdStrike, in collaboration with Google and the non-profit organization Shadowserver, has dismantled a major botnet used by cybercriminals to steal passwords and distribute malware among open-source software developers. This botnet, dubbed Glassworm, has been engaged in supply chain attacks for the past two years, reports Techcrunch.com.

Cyberattackers exploited trust in code hosted on platforms like GitHub to cause damage to companies and organizations. According to a CrowdStrike report, compromising a single developer's workstation can trigger a chain reaction affecting thousands of downstream organizations and users.

Glassworm hackers used several strategies to achieve their goals. These include publishing malicious extensions on developer marketplaces, deceiving users through malvertising in search engines, and hijacking developer accounts using previously stolen credentials. As a result, malicious code was injected into over 300 GitHub repositories.

During the operation, four command-and-control (C2) channels used by Glassworm hackers were taken down. These servers operated via the Solana blockchain, the BitTorrent network, Google Calendar, and virtual private servers (VPS). Shutting down these channels cut off the hackers' access to infected computers and prevented the spread of new malware.

Supply chain attacks have been increasing recently. For example, last week, an OpenAI developer's account was compromised as part of the “Mini Shai-Hulud” campaign. In March, the widely used Axios tool was targeted by hackers. This joint operation by CrowdStrike and Google is considered a significant victory in cybersecurity.

Nodirbek Razzokov
«ZAMIN.UZ» editor
