Taking down a sprawling malware operation once signaled progress in securing the open-source ecosystem. Now, it barely registers. The GlassWorm campaign disruption comes at a moment when attackers can quickly reconstitute, and defenders are increasingly grappling with a new challenge: distinguishing real threats from automated noise.
“I think coordinated actions, like GlassWorm, can sever control, significantly increase attacker costs, buy time for remediation, and signal the possibility of a fightback,” said Agnidipta Sarkar, chief evangelist at ColorTokens. “But most takedowns are temporary actions in a long fight.”
The CrowdStrike-led takedown, conducted alongside Google and the Shadowserver Foundation, disrupted infrastructure linked to the campaign that had poisoned hundreds of repositories with malicious packages targeting developers.
A day after the takedown, in an independent development, the OSV database withdrew 157 malware reports after maintainers determined the submissions were likely automated false positives.
Takedowns help, but analysts question long-term impact
The takedown happened on May 26, at 14:00 UTC, with CrowdStrike confirming that the operation struck down “all four of GlassWorm’s command-and-control (C2) channels simultaneously.” This reportedly severed the botnet operators from their infected machines, blocking them from pushing out new malware.
CrowdStrike described the GlassWorm operation as targeting infrastructure used to distribute malware through developer-focused repositories, an increasingly popular attack vector as adversaries chase CI/CD access, developer credentials, and downstream enterprise environments.
GlassWorm was a cross-platform operation affecting Windows, macOS, and Linux systems, with trojanized VSCode extensions and compromised npm and Python packages for information and credential harvesting.
“As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” said Google Threat Intelligence Group’s (GTIG) chief analyst, John Hultquist, in an X post.
Still, the broader economics of repository abuse remain unchanged. Open-source ecosystems continue to offer attackers low-cost distribution, massive reach, and relatively weak identity verification compared to traditional software distribution channels. That means operators behind campaigns like GlassWorm can often reappear quickly under new accounts, domains, or package names.
“It is disruption, not eradication,” Sarkar warned. “To build resilience after a takedown, defenders should prioritize rapid post-takedown scanning to detect the reemergence of malicious artifacts across related repositories and distribution platforms.”
Sarkar advised developers and organizations to then establish “granular micro-perimeters,” build capabilities to contain propagation across workloads, endpoints, and IT/OT/IoT/cloud assets, and limit the blast radius of supply-chain compromises, so that a poisoned npm package or a credential-stealing GitHub workflow cannot easily pivot further.
AI false positives are becoming part of the supply chain problem
If GlassWorm highlights the persistence of real malware campaigns, the OSV withdrawal incident exposed a parallel issue affecting the open-source software (OSS) supply chain: growing doubts about the reliability of automated security reporting.
The withdrawal of 157 malware reports believed to be AI-generated false positives matters, especially when it includes packages like FastAPI v0.136.3. FastAPI is a heavily adopted Python framework powering production APIs, AI services, and cloud-native applications across industries. Even a few days of false flagging can trigger costly deployment delays, CI/CD disruptions, and hours of developer time spent isolating legitimate software.
“I would recommend that enterprises be concerned enough about signal-to-noise problems to consider remedial measures, as automation erodes trust in defensive tools,” Sarkar said. “Unless you have a highly microsegmented enterprise, noise wastes analyst time, slows velocity, and risks missing sophisticated attacks amid fatigue.”
In 2026, with AI-assisted malware and AI-assisted reporting both accelerating, and false positives in SAST/SCA tools rising, the load on defensive automation is compounded asymmetrically by sheer supply-chain volume, he noted.
In a blog post, Socket called bad OSV records particularly dangerous because records from the widely used database propagate rapidly through dependency scanners, CI checks, registry controls, SBOM tools, dashboards, and internal policy systems.
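Because downstream tools ingest OSV records automatically, the practical defence against a retracted report is to honour the `withdrawn` timestamp that the OSV schema provides rather than failing builds on stale records. The following is an added example, not code from the article, Socket, or OSV: a minimal scanner that matches OSV-shaped advisories against a lockfile and suppresses findings whose record has been withdrawn. The feed contents, the `MAL-0000-EXAMPLE-*` identifiers, the dates, the npm package name, and the `SCAN_TIME` are all constructed for illustration; only `fastapi` 0.136.3 comes from the article. The example handles explicit `versions` lists only, not the schema's `ranges` form.

```python
"""Added example: an OSV-format consumer that respects `withdrawn` records.

Not the article's, Socket's, or OSV's own code. Feed contents, IDs, dates and
package names other than fastapi 0.136.3 are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed scan time, fixed so the example is deterministic.
SCAN_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Constructed feed in the shape of OSV JSON records. The first record has been
# withdrawn (a retracted automated report); the second is still active.
SAMPLE_OSV_FEED = json.dumps([
    {
        "id": "MAL-0000-EXAMPLE-1",             # hypothetical identifier
        "modified": "2026-05-27T00:00:00Z",
        "withdrawn": "2026-05-27T00:00:00Z",    # record retracted by maintainers
        "summary": "Automated report flagged fastapi as malicious",
        "affected": [{"package": {"ecosystem": "PyPI", "name": "fastapi"},
                      "versions": ["0.136.3"]}],
    },
    {
        "id": "MAL-0000-EXAMPLE-2",             # hypothetical identifier
        "modified": "2026-05-20T00:00:00Z",
        "summary": "Typosquat of a popular package",
        "affected": [{"package": {"ecosystem": "npm", "name": "colour-tokens"},
                      "versions": ["1.0.0", "1.0.1"]}],
    },
])

# Constructed lockfile contents: (ecosystem, name) -> installed version.
INSTALLED = {
    ("PyPI", "fastapi"): "0.136.3",
    ("npm", "colour-tokens"): "1.0.1",
    ("npm", "left-pad"): "1.3.0",
}


def is_withdrawn(record, now):
    """True when the record's `withdrawn` timestamp is at or before `now`.

    OSV records carry `withdrawn` as an RFC 3339 string; a missing field means
    the record is live. Comparing against a scan time lets a consumer apply a
    feed snapshot consistently.
    """
    stamp = record.get("withdrawn")
    if not stamp:
        return False
    withdrawn_at = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return withdrawn_at <= now


def match_findings(feed_json, installed, now):
    """Match installed packages against OSV records.

    Returns (active, suppressed): findings from live records, and findings
    that would have fired but whose record has been withdrawn. Keeping the
    suppressed list lets a CI job log the retraction instead of silently
    dropping it.
    """
    active, suppressed = [], []
    for record in json.loads(feed_json):
        for entry in record.get("affected", []):
            pkg = entry.get("package", {})
            key = (pkg.get("ecosystem"), pkg.get("name"))
            version = installed.get(key)
            # Only explicit `versions` lists are handled here, not `ranges`.
            if version is None or version not in entry.get("versions", []):
                continue
            finding = {"id": record["id"], "package": key[1], "version": version}
            if is_withdrawn(record, now):
                suppressed.append(finding)
            else:
                active.append(finding)
    return active, suppressed


def scan():
    """Run the constructed feed against the constructed lockfile."""
    return match_findings(SAMPLE_OSV_FEED, INSTALLED, SCAN_TIME)


if __name__ == "__main__":
    active, suppressed = scan()
    for f in active:
        print(f"BLOCK   {f['package']}=={f['version']} ({f['id']})")
    for f in suppressed:
        print(f"IGNORED {f['package']}=={f['version']} ({f['id']} withdrawn)")
```

Run stand-alone, the script blocks the typosquat finding and reports the fastapi record as ignored because it was withdrawn. The design point is that a consumer which only checks `affected` and never reads `withdrawn` keeps acting on a retracted record until its local copy of the feed is refreshed, which is exactly how a bad OSV record keeps propagating through CI checks and policy systems.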
All hope is not lost, though, as newer tools promise lower reliance on AI for hunting dependency vulnerabilities. CVE Lite CLI, a lightweight JavaScript and TypeScript dependency vulnerability scanner, offers developers a way to learn about dependency risks while they are still writing code, much earlier than a failed automated scan in a CI pipeline.
The article originally appeared on CSO.
Read more here: https://www.infoworld.com/article/4178225/supply-chain-battles-intensify-as-takedowns-meet-ai-driven-noise.html