GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
GlassWorm Campaign Evolves: New Zig Dropper Targets Multiple Developer IDEs
TL;DR
The persistent GlassWorm campaign has resurfaced with a new Zig-based dropper found in a fraudulent Open VSX extension. The malware masquerades as the popular "WakaTime" utility to infect not only VS Code but also multiple IDE forks and AI-powered coding tools, and ultimately deploys an information stealer whose command-and-control addresses are retrieved via the Solana blockchain.
The Evolution of GlassWorm
Cybersecurity researchers have identified a significant evolution in the ongoing GlassWorm campaign. In this latest iteration, threat actors are leveraging the Zig programming language to create stealthy native binaries designed to compromise developer environments.
The primary delivery vehicle for this attack was a malicious extension titled specstudio.code-wakatime-activity-tracker, hosted on the Open VSX Registry. This extension was designed to impersonate WakaTime, a widely used tool for tracking programming productivity. While the extension has since been removed from the registry, its discovery highlights a sophisticated shift in how attackers are targeting the software supply chain.
Technical Analysis: The Zig Stealth Mechanism
According to analysis by Ilyas Makari of Aikido Security, the GlassWorm campaign has moved away from simple JavaScript-based payloads. Instead, the malicious extension ships with a Zig-compiled native binary alongside its standard JavaScript code.
Crossing the Sandbox
The extension installs a binary named win.node on Windows or a universal Mach-O binary named mac.node on macOS. These files are Node.js native addons—compiled shared libraries that load directly into the Node.js runtime.
By using native code, the attackers gain several advantages:
- Bypassing Sandboxing: The code executes with full operating system-level access, outside the typical JavaScript sandbox.
- Stealth: Native binaries are often more difficult for traditional security scanners to analyze than plain-text script files.
- Indirection: The Zig binary acts as a layer of indirection, stealthily fetching the actual GlassWorm dropper rather than acting as the final payload itself.
Targeting the Developer Ecosystem
Once the Zig binary is active, its primary objective is to seek out and infect every Integrated Development Environment (IDE) present on the victim's machine. The malware specifically targets editors that support VS Code extensions, including:
- Microsoft VS Code and VS Code Insiders
- VSCodium and Positron
- AI-Powered IDEs: Cursor and Windsurf
The binary downloads a second-stage malicious extension (.VSIX) from an attacker-controlled GitHub repository. This second extension, named floktokbok.autoimport, impersonates steoates.autoimport, a legitimate utility with over 5 million installs.
The malware then uses the command-line interface (CLI) of each detected editor to silently install the malicious auto-import extension across all environments simultaneously.
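As an added defender-side check (not code from the article or from Aikido Security), the script below hunts the local extension folders of the editors listed above for the two extension IDs named in this report and for native .node addons bundled inside an extension, which legitimate extensions rarely ship. The per-editor extension directories in EXTENSION_ROOTS are assumed defaults, and the sample tree built in demo() is constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs named in the report, as publisher.name from package.json.
MALICIOUS_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}
# Native addon file names the report attributes to the Zig dropper.
DROPPER_ADDONS = {"win.node", "mac.node"}
# Per-user extension roots of the targeted editors: assumed defaults, adjust to your installs.
EXTENSION_ROOTS = ["~/.vscode/extensions", "~/.vscode-insiders/extensions",
                   "~/.vscode-oss/extensions", "~/.positron/extensions",
                   "~/.cursor/extensions", "~/.windsurf/extensions"]

def extension_id(ext_dir: Path):
    """Return lower-cased publisher.name from package.json, or None if unreadable."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{meta['publisher']}.{meta['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def scan_root(root: Path) -> list:
    """Return (reason, path) findings for every extension folder under root."""
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        if extension_id(ext_dir) in MALICIOUS_IDS:
            findings.append(("known-malicious-extension-id", str(ext_dir)))
        # Any native addon inside an extension deserves review; the campaign's names are flagged.
        for addon in ext_dir.rglob("*.node"):
            reason = ("glassworm-native-addon" if addon.name in DROPPER_ADDONS
                      else "native-addon-in-extension")
            findings.append((reason, str(addon)))
    return findings

def scan_all(roots=EXTENSION_ROOTS) -> list:
    """Scan every configured editor root that exists on this machine."""
    return [f for r in (Path(p).expanduser() for p in roots) if r.is_dir() for f in scan_root(r)]

def demo() -> list:
    """Scan a constructed sample tree (fake files, not a real sample) to show a hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "specstudio.code-wakatime-activity-tracker-1.0.0"  # constructed version
        bad.mkdir()
        (bad / "package.json").write_text('{"publisher": "specstudio", "name": "code-wakatime-activity-tracker"}')
        (bad / "mac.node").write_bytes(b"\xcf\xfa\xed\xfe")  # fake Mach-O magic only
        good = root / "steoates.autoimport-0.0.0"  # the impersonated legitimate ID
        good.mkdir()
        (good / "package.json").write_text('{"publisher": "steoates", "name": "autoimport"}')
        return [(r, Path(p).relative_to(root).as_posix()) for r, p in scan_root(root)]
```

Run scan_all() on a developer workstation; a "native-addon-in-extension" hit is not proof of compromise on its own (some legitimate extensions bundle compiled modules), but the two campaign-specific reasons should be treated as incidents.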
The Final Payload and C2 Strategy
The second-stage extension serves as the functional heart of the GlassWorm infection. Its behavior includes several sophisticated features:
- Geofencing: The dropper checks the system and avoids execution if it detects a Russian environment.
- Blockchain-Based C2: The malware communicates with the Solana blockchain to retrieve the addresses of its Command-and-Control (C2) servers, making the infrastructure harder to take down.
- Data Exfiltration: The extension is designed to steal sensitive data from the developer's machine.
- RAT & Chrome Extension: It installs a Remote Access Trojan (RAT), which eventually deploys a malicious Google Chrome extension specifically designed for information theft.
Conclusion and Mitigation
The GlassWorm campaign demonstrates the increasing risks associated with third-party extension marketplaces. By targeting developers—who often possess high-level access to sensitive corporate repositories and infrastructure—attackers can gain a powerful foothold in an organization.
Recommendations for Developers:
- If you have installed specstudio.code-wakatime-activity-tracker or floktokbok.autoimport, assume your system is compromised.
- Immediately remove the extensions and perform a deep system scan.
- Rotate all secrets, including API keys, SSH keys, and cloud credentials stored on the affected machine.
- Verify the publisher of extensions even when using community registries like Open VSX.
Source: The Hacker News - GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs