{"id":565,"date":"2026-04-10T15:02:31","date_gmt":"2026-04-10T15:02:31","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=565"},"modified":"2026-04-10T15:02:31","modified_gmt":"2026-04-10T15:02:31","slug":"glassworm-campaign-uses-zig-dropper-to-infect-multiple-developer-ides","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=565","title":{"rendered":"GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 10, 2026<\/span><\/span>Malware \/ Blockchain<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have flagged yet another evolution of the\u00a0ongoing GlassWorm<\/strong> campaign, which employs a new Zig dropper that’s designed to stealthily infect all integrated development environments (IDEs) on a developer’s\u00a0machine.<\/p>\n

The technique has been discovered in an Open VSX extension named\u00a0\u00abspecstudio.code-wakatime-activity-tracker<\/a>,\u00bb which masquerades as WakaTime, a popular tool that measures the time programmers spend inside their IDE. The\u00a0extension is no longer available for\u00a0download.<\/p>\n

\u00abThe extension […] ships a Zig-compiled native binary alongside its JavaScript code,\u00bb Aikido Security researcher Ilyas\u00a0Makari said<\/a> in an analysis published this\u00a0week.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThis is not the first\u00a0time GlassWorm has resorted to\u00a0using native compiled\u00a0code<\/a> in extensions. However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your\u00a0system.\u00bb<\/p>\n

The newly identified Microsoft Visual Studio Code (VS Code) extension is a near replica of WakaTime, save for a change introduced in a function named \u00abactivate().\u00bb The extension installs a binary named \u00abwin.node\u00bb on Windows systems and \u00abmac.node,\u00bb a universal Mach-O binary if the system is running Apple\u00a0macOS.<\/p>\n

These Node.js\u00a0native addons are compiled shared libraries that are written in Zig and load directly into Node’s runtime and execute outside the JavaScript sandbox with full operating system-level\u00a0access.<\/p>\n

\"\"<\/a><\/div>\n

Once loaded, the primary goal of the binary is to find every IDE on the system that supports VS Code extensions. This\u00a0includes Microsoft VS Code and VS Code Insiders, as well as forks like VSCodium, Positron,\u00a0and a number\u00a0of artificial intelligence (AI)-powered coding tools like Cursor and\u00a0Windsurf.<\/p>\n

The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled GitHub\u00a0account<\/a>. The\u00a0extension \u2013 called \u00abfloktokbok.autoimport\u00bb \u2013 impersonates\u00a0\u00absteoates.autoimport<\/a>,\u00bb a legitimate extension with more than 5 million installs on the official Visual Studio Marketplace.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

In the final step,\u00a0the downloaded\u00a0.VSIX file is written to a temporary path and silently installed into every IDE using each editor’s CLI installer. The\u00a0second-stage VS Code\u00a0extension acts as a\u00a0dropper that avoids execution on Russian systems, talks to the Solana blockchain to fetch the command-and-control (C2) server, exfiltrates sensitive data, and installs a remote access trojan (RAT), which ultimately deploys an information-stealing Google Chrome extension.<\/p>\n

Users who have installed \u00abspecstudio.code-wakatime-activity-tracker\u00bb or \u00abfloktokbok.autoimport\u00bb are advised to assume compromise and rotate all\u00a0secrets.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 10, 2026Malware \/ Blockchain Cybersecurity researchers have flagged yet another evolution of the\u00a0ongoing GlassWorm campaign, which employs a new Zig dropper that’s designed to stealthily infect all integrated…<\/p>\n","protected":false},"author":1,"featured_media":566,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,223,1168,680,1171,1169,1170,1167],"class_list":["post-565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-campaign","tag-developer","tag-dropper","tag-glassworm","tag-ides","tag-infect","tag-multiple","tag-zig"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=565"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/565\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/566"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}