惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
S
Schneier on Security
罗磊的独立博客
有赞技术团队
有赞技术团队
U
Unit 42
Stack Overflow Blog
Stack Overflow Blog
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
Engineering at Meta
Engineering at Meta
N
Netflix TechBlog - Medium
T
Tailwind CSS Blog
爱范儿
爱范儿
Y
Y Combinator Blog
aimingoo的专栏
aimingoo的专栏
B
Blog
量子位
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
W
WeLiveSecurity
Recent Announcements
Recent Announcements
G
GRAHAM CLULEY
大猫的无限游戏
大猫的无限游戏
F
Fortinet All Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
Spread Privacy
Spread Privacy
Cisco Talos Blog
Cisco Talos Blog
The Cloudflare Blog
D
Docker
Hugging Face - Blog
Hugging Face - Blog
I
InfoQ
Recorded Future
Recorded Future
H
Help Net Security
L
LINUX DO - 热门话题
The Hacker News
The Hacker News
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
T
The Exploit Database - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
MongoDB | Blog
MongoDB | Blog
Forbes - Security
Forbes - Security
Vercel News
Vercel News
G
Google Developers Blog
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cyberwarzone
Cyberwarzone
T
Tor Project blog
Microsoft Security Blog
Microsoft Security Blog
P
Proofpoint News Feed

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets macOS ClickFix attacks deliver AppleScript stealers Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea North Korea targets macOS users in latest heist McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Mercor says it was 'one of thousands' hit in LiteLLM attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds EU law advisor wants cybercrime protections fast-tracked Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
CrowdStrike, Google shatter Glassworm botnet
Jessica Lyons Jessica Lyons · 2026-05-28 · via The Register - Security: Cyber-crime

cyber-crime

Developer-targeted, supply-chain attacks all the rage these days

CrowdStrike, working with Google and the Shadowserver Foundation, said it has taken down the Glassworm botnet, a self-propagating, credential-stealing worm that has targeted developers and spread through poisoned software packages since early 2025.

The endpoint security giant’s Counter Adversary Operations team and partners hit all four Glassworm command-and-control channels simultaneously at 1400 UTC on Tuesday, “severing the operators from their infected machines and their ability to deliver new malicious payloads,” according to CrowdStrike’s blog.

Google Threat Intelligence Group chief analyst John Hultquist confirmed his company’s involvement in a social media post. “As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” Hultquist wrote

A spokesperson declined to provide additional details to The Register about Google’s role in the takedown.

The disruption comes as another self-replicating worm, Mini Shai-Hulud, rips through open source code and miscreants poison GitHub repositories and npm packages in similar supply-chain attacks also targeting developers’ environments.

“Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike wrote. “Adversaries are no longer just targeting products, they're targeting the developers who build them.”

We are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users

First spotted by endpoint security shop Koi in October 2025, Glassworm used invisible Unicode-based code injection, blockchain-based C2 infrastructure, and Google Calendar as a backup command server to turn infected developers’ machines into criminal proxy nodes. This self-replicating worm initially targeted VS Code extensions on the OpenVSX marketplace before moving on to npm and Python packages, and later poisoned more than 300 GitHub repos using stolen credentials harvested in earlier Glassworm infections.

This worm appeared about a month after another self-propagating malware strain, Shai Hulud, first wormed through npm packages including those maintained by CrowdStrike. Glassworm infected all platforms - including Windows, macOS, and Linux systems - stealing credentials and other sensitive information, and also spawning its own Node.js remote access tool called GlasswormRAT.

C2 architecture designed to withstand takedowns

Glassworm’s C2 infrastructure used four distinct channels to complicate takedown efforts. These included the Solana blockchain, with C2 server addresses encoded in the memo fields of blockchain transactions, ensuring the C2 couldn’t be taken offline through conventional means. It also used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.

The GlasswormRAT used a decentralized BitTorrent Distributed Hash Table (DHT) for configuration data stored against hardcoded public keys.

And finally, Glassworm relied on traditional C2 servers, hosted on commercial VPS providers, as the final payload delivery mechanism.

Disrupting all four channels “required precision and timing,” according to CrowdStrike. “Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute.” 

All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address 164.92.88[.]210. The security shop urges organizations to review network logs and endpoint telemetry for connections to this address, which indicate a Glassworm infection. ®