ALL POSTS
GlassWorm Campaign: Zig Dropper Targeting Developer IDEs
Key Findings
* GlassWorm campaign discovered using Zig-compiled dropper to infect multiple IDEs on developer machines
* Malicious VS Code extension "specstudio.code-wakatime-activity-tracker" masquerades as legitimate WakaTime tool
* Native binary executes outside JavaScript sandbox with full OS-level access to find and compromise all IDE installations
* Second-stage extension deploys information-stealing malware, avoids execution on Russian systems, and uses Solana blockchain for C2
6 days ago · 2 min read
GlassWorm Malware Leverages Solana Blockchain for Command Delivery and Data Exfiltration
Key Findings
* GlassWorm campaign evolved to deliver multi-stage malware framework with data theft and remote access capabilities
* Operators use Solana blockchain transactions as dead drop resolvers to hide command-and-control infrastructure
* Malware includes hardware wallet phishing targeting Ledger and Trezor devices with fake recovery phrase prompts
* Chrome extension masquerading as "Google Docs Offline" steals browser data, cookies, and monitors cryptocurrency exchange session
Mar 25 · 3 min read
GlassWorm Campaign Exploits 72 VSX Extensions in Developer Supply-Chain Attack
Key Findings
* GlassWorm campaign identified targeting developers through 72 malicious Open VSX extensions
* Uses sophisticated supply-chain attack technique exploiting extension dependencies
* Targets development environments to steal secrets and compromise systems
* Employs advanced obfuscation and evasion techniques
* Spans multiple platforms including Open VSX, GitHub, and npm registries
Background
The GlassWorm campaign represents an evolving threat in software supply ch
Mar 15 · 2 min read
