CrowdStrike, Google, and Shadowserver disrupted GlassWorm command-and-control on 2026-05-26 after the campaign used Open VSX extensions, npm and Python packages, and poisoned GitHub repositories to maintain access to developer systems.