GlassWorm Campaign: Zig Dropper Targeting Developer IDEs

  • 6 days ago
  • 2 min read

Key Findings


  • GlassWorm campaign discovered using Zig-compiled dropper to infect multiple IDEs on developer machines

  • Malicious VS Code extension "specstudio.code-wakatime-activity-tracker" masquerades as legitimate WakaTime tool

  • Native addon runs as compiled code inside the IDE's extension host, with the same OS-level access as the IDE process and out of reach of JavaScript-level review, and uses that access to find and compromise every IDE installation on the machine

  • Second-stage extension deploys information-stealing malware, avoids execution on Russian systems, and uses Solana blockchain for C2 communication

  • Users of compromised extensions should assume full compromise and rotate all secrets immediately


Background


The GlassWorm campaign continues to evolve with increasingly sophisticated attack chains targeting developer environments. This latest variant represents a significant escalation in capability, combining multiple evasion techniques and cross-IDE infection vectors. Researchers at Aikido Security identified the attack chain through analysis of a malicious Open VSX extension that's now been removed from distribution.


Initial Infection Vector


  • Attack begins with fake WakaTime extension on Open VSX registry named "specstudio.code-wakatime-activity-tracker"

  • Extension appears virtually identical to legitimate WakaTime tool used by millions of developers to track IDE activity

  • Ships Zig-compiled native binary alongside standard JavaScript code

  • GlassWorm has shipped native compiled components before; the new element here is packaging the dropper as a Node.js addon that the extension loads directly into its runtime


Dropper Mechanism


  • Binary named "win.node" on Windows systems and "mac.node" on macOS machines

  • These are Node.js native addons written in Zig that the extension loads directly into the extension host's Node runtime

  • Once loaded, the addon runs as native code with the same OS-level access as the IDE itself, and none of the visibility that reviewing the extension's JavaScript would give

  • Primary function is reconnaissance across the target system


Cross-IDE Infection


  • Binary scans for every IDE capable of running VS Code extensions

  • Targets include VS Code, VS Code Insiders, VSCodium, Positron, Cursor, and Windsurf

  • Downloads malicious extension from attacker-controlled GitHub account

  • Extension named "floktokbok.autoimport" impersonates legitimate extension "steoates.autoimport" which has over 5 million official installs


Installation and Payload Delivery


  • Downloaded VSIX file written to a temporary path and silently installed through each IDE's command-line installer (the `--install-extension` switch of the VS Code CLI and its forks)

  • Second-stage extension acts as sophisticated dropper

  • Includes geofencing to avoid execution on Russian systems

  • Communicates with Solana blockchain to retrieve command-and-control server addresses

  • Exfiltrates sensitive developer data

  • Deploys remote access trojan for persistent system access

  • RAT installs information-stealing Google Chrome extension as final payload


Immediate Actions Required


  • Users who installed "specstudio.code-wakatime-activity-tracker" must assume compromise

  • Users who installed "floktokbok.autoimport" must assume compromise

  • Rotate all secrets, API keys, and credentials

  • Review the installed extensions of every VS Code-compatible IDE on the machine, not only the one the fake WakaTime extension was installed in, since the dropper installs the second stage into all of them

  • Check all connected systems for secondary compromises
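The cross-IDE spread and the CLI-based install described above mean a check of one IDE is not enough. The script below is an added example, not code from the report or from Aikido Security: it sweeps the extension folders of every IDE the dropper targets for the two extension identifiers named in the report and for the win.node / mac.node addon files, and asks each IDE CLI what it has installed. The per-user extension directories and CLI binary names are assumptions based on each product's usual defaults and may need adjusting for your machine.

```python
#!/usr/bin/env python3
"""Added example (not code from the report or from Aikido Security): sweep
every VS Code-compatible IDE on a developer machine for the GlassWorm
indicators the report names, i.e. the two malicious extension identifiers
and the Zig-compiled native addons shipped as win.node / mac.node.

Assumptions (not stated in the report): the per-user extension directories
and CLI binary names below are the usual defaults for each product.
"""
import re
import subprocess
from pathlib import Path, PurePosixPath

# Extension identifiers named in the report.
MALICIOUS_EXTENSION_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}
# Native addon file names the dropper ships under.
DROPPER_ADDON_NAMES = {"win.node", "mac.node"}

# Assumed default extension directories, one per IDE the dropper targets.
DEFAULT_EXTENSION_DIRS = {
    "VS Code": "~/.vscode/extensions",
    "VS Code Insiders": "~/.vscode-insiders/extensions",
    "VSCodium": "~/.vscode-oss/extensions",
    "Positron": "~/.positron/extensions",
    "Cursor": "~/.cursor/extensions",
    "Windsurf": "~/.windsurf/extensions",
}
# Assumed CLI names; all are VS Code forks and accept --list-extensions.
DEFAULT_CLIS = ["code", "code-insiders", "codium", "positron", "cursor", "windsurf"]

# Installed folders are named '<publisher>.<name>-<version>[-<platform>]'.
_DIRNAME_RE = re.compile(r"^([^.]+\.[A-Za-z0-9-]+?)-\d+(?:\.\d+)*(?:-[A-Za-z0-9-]+)?$")


def extension_id_from_dirname(dirname):
    """Recover '<publisher>.<name>' from an installed extension folder name."""
    m = _DIRNAME_RE.match(dirname)
    return (m.group(1) if m else dirname).lower()


def classify_extension(dirname, files):
    """Classify one installed extension from its folder name and the relative
    paths of files inside it. Returns a list of reasons; empty means clean."""
    ext_id = extension_id_from_dirname(dirname)
    reasons = []
    if ext_id in MALICIOUS_EXTENSION_IDS:
        reasons.append(f"known GlassWorm extension id {ext_id}")
    for rel in files:
        name = PurePosixPath(rel).name
        if name in DROPPER_ADDON_NAMES:
            reasons.append(f"GlassWorm dropper addon {rel}")
        elif name.endswith(".node"):
            # Any native addon gives the extension reach beyond its JavaScript;
            # not proof of compromise, but worth a manual look.
            reasons.append(f"native addon {rel} (review manually)")
    return reasons


def scan_extension_dir(ext_dir):
    """Walk one IDE's extension directory; returns (folder, reasons) per hit."""
    root = Path(ext_dir).expanduser()
    if not root.is_dir():
        return []
    hits = []
    for entry in sorted(p for p in root.iterdir() if p.is_dir()):
        node_files = [p.relative_to(entry).as_posix() for p in entry.rglob("*.node")]
        reasons = classify_extension(entry.name, node_files)
        if reasons:
            hits.append((str(entry), reasons))
    return hits


def check_cli_listing(cli, ids=MALICIOUS_EXTENSION_IDS):
    """Ask an IDE CLI what it has installed (the same interface the dropper
    used to install the second stage). Returns the matching ids, or None if
    the CLI is not on PATH."""
    try:
        out = subprocess.run([cli, "--list-extensions"], capture_output=True,
                             text=True, timeout=60).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    installed = {line.strip().lower() for line in out.splitlines()}
    return sorted(installed & set(ids))


def main():
    for ide, ext_dir in DEFAULT_EXTENSION_DIRS.items():
        for folder, reasons in scan_extension_dir(ext_dir):
            print(f"[{ide}] {folder}")
            for reason in reasons:
                print(f"    - {reason}")
    for cli in DEFAULT_CLIS:
        found = check_cli_listing(cli)
        if found:
            print(f"[{cli} --list-extensions] reports: {', '.join(found)}")


if __name__ == "__main__":
    main()
```

A hit on either extension id, or on a win.node / mac.node file, means the host should be treated as fully compromised per the actions above; a hit on some other .node file only says the extension carries native code and should be reviewed, since legitimate extensions ship native addons too.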


Sources


  • https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html

  • https://www.cypro.se/2026/04/10/glassworm-campaign-uses-zig-dropper-to-infect-multiple-developer-ides/

  • https://x.com/Dinosn/status/2042607080020820037

  • https://www.threads.com/@harboot/post/DW9ye0xlBrP/the-glass-worm-campaign-uses-a-zig-compiled-dropper-in-a-fake-waka-time-open

  • https://www.linkedin.com/posts/garettm_glassworm-campaign-uses-zig-dropper-to-infect-activity-7448363034000953344-F6h6

© 2025 by Explain IT Again. Powered and secured by Wix