🚀 Check out this awesome post from TechCrunch 📖
📂 **Category**: Security,cybercrime,cybersecurity,hackers,open source,supply chain attack,supply chain security
💡 **What You’ll Learn**:
CrowdStrike, in collaboration with Google and Shadowserver, a non-profit organization that scans and monitors the Internet for cyberattacks, has taken down a botnet used by cybercriminals to push malware and steal passwords from open source software developers.
The takedown was intended to disrupt the activities of the cybercriminals behind the so-called Glassworm botnet, who had been targeting the broader open source software supply chain for two years, according to CrowdStrike.
In recent months, several hacking groups have targeted developers and open source projects to push malware to companies and organizations that in turn use this software. These attacks can be effective because they exploit the trust that companies place in code hosted on platforms like GitHub, and the workers behind that code.
“Adversaries are no longer targeting just products, but the developers who make them,” CrowdStrike wrote in its report on the takedown. “Developers represent uniquely high-value targets: the compromise of a single developer workstation can compromise a supply chain affecting thousands of organizations and end users.”
Glassworm hackers used several strategies to distribute their malicious code. These included publishing malicious extensions to the marketplace used by developers; malicious advertising, where hackers pay for sponsored search results that trick victims into downloading malware; and the use of credentials stolen in previous hacks, which allowed developer accounts to be hijacked and malware implanted in their code.
Ultimately, the hackers were able to poison more than 300 GitHub code repositories, CrowdStrike said.
CrowdStrike said it was able to take down four command and control channels used by the Glassworm hackers, cutting off the hackers’ access to infected computers and preventing them from delivering more malware.
The command and control servers rely on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers, according to CrowdStrike.
It is not clear what legal or technical authority CrowdStrike and the others are operating under to take down the operation. A CrowdStrike spokesperson did not immediately comment.
Last week, in a different hacking campaign called “Mini Shai-Hulud,” hackers compromised several open source projects, which then pushed malicious updates. One of OpenAI's developers was hacked by this group. In another supply chain attack in March, a suspected North Korean hacker hijacked the popular open source software development tool Axios, which is used by millions of developers.
🕒 **Posted on**: 1779903249
