Key Findings GlassWorm campaign discovered using Zig-compiled dropper to infect multiple IDEs on developer machines Malicious VS Code extension "specstudio.code-wakatime-activity-tracker" masquerades as legitimate WakaTime tool Native binary executes outside JavaScript sandbox with full OS-level access to find and compromise all IDE installations Second-stage extension deploys information-stealing malware, avoids execution on Russian systems, and uses Solana blockchain for C2
