{
  "title": "GlassWorm Developer Supply-Chain Botnet Takedown",
  "summary": "CrowdStrike, Google, and Shadowserver disrupted GlassWorm command-and-control on 2026-05-26 after the campaign used Open VSX extensions, npm and Python packages, and poisoned GitHub repositories to maintain access to developer systems.",
  "date": "2026-05-27",
  "severity": "critical",
  "tags": [
    "supply-chain",
    "vscode",
    "open-vsx",
    "npm",
    "pypi"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "glassworm-developer-supply-chain-botnet",
    "since": "2026-04-29T18:15:00Z",
    "until": "2026-05-27T23:59:59Z",
    "ecosystem": "",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [
      "www.crowdstrike.com"
    ],
    "urls": [
      "https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/",
      "https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm"
    ],
    "ips": [],
    "hashes": [
      "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168",
      "4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd",
      "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}