GlassWorm Campaign Evolves with Stealthy Zig Dropper Targeting All IDEs on Developer Machines

Cybersecurity researchers have sounded the alarm over a significant escalation in the ongoing GlassWorm campaign, which now deploys a sophisticated new Zig dropper designed to surreptitiously infect virtually all integrated development environments (IDEs) present on a compromised developer’s machine. This advanced technique represents a deepening threat to the software supply chain, leveraging trusted platforms and tools to gain pervasive access within critical development environments. The discovery, detailed by Aikido Security, highlights a troubling trend where attackers exploit the inherent trust in developer tools and open-source ecosystems to propagate highly stealthy and persistent malware.

The latest iteration of this insidious campaign was unearthed within an Open VSX extension deceptively named "specstudio.code-wakatime-activity-tracker." This malicious extension masqueraded as WakaTime, a widely recognized and legitimate tool cherished by programmers for its ability to track and analyze time spent within their IDEs, thereby providing valuable productivity insights. The use of such a familiar and utility-focused disguise underscores the attackers’ meticulous planning and understanding of developer habits and trust networks. Following its identification, the malicious extension has since been removed and is no longer available for download, a swift action that underscores the collaborative efforts within the cybersecurity community to mitigate emerging threats.

Ilyas Makari, a researcher at Aikido Security, published a comprehensive analysis earlier this week, shedding light on the intricate workings of this new threat. "The extension […] ships a Zig-compiled native binary alongside its JavaScript code," Makari stated, emphasizing the novel use of the Zig programming language. This isn’t the first instance of the GlassWorm campaign incorporating native compiled code within extensions; previous iterations have also utilized such methods to enhance stealth and persistence. However, the current evolution marks a critical shift: instead of directly using the native binary as the ultimate payload, it now serves as a highly effective and stealthy ‘indirection’ mechanism. This indirection facilitates the deployment of the known GlassWorm dropper, which has been upgraded to secretly infect every compatible IDE it can locate on the target system, dramatically broadening its potential impact.

A History of Deception: The Evolving GlassWorm Threat

The GlassWorm campaign is not a new entrant to the threat landscape but rather a persistent and evolving adversary that has been meticulously tracked by cybersecurity experts for months, if not longer. Its initial sightings hinted at a sophisticated operation, but the campaign has steadily refined its tactics, moving from simpler malicious extensions to highly complex, multi-stage attacks. Prior to this latest discovery, GlassWorm had already gained notoriety for leveraging native compiled code in extensions, a technique that significantly complicates detection by allowing malicious logic to execute outside the traditional JavaScript sandbox, thereby enjoying greater privileges and system access.

For instance, reports from December 2025 and March 2026 detailed previous GlassWorm operations, which already indicated a trend towards hardening delivery mechanisms and employing diverse infection vectors. The campaign’s consistent use of supply chain attacks—targeting the software development lifecycle through compromised tools and libraries—demonstrates a strategic focus on developers, who represent a high-value target. By compromising developers, attackers can potentially gain access to sensitive source code, intellectual property, internal networks, and even inject further malicious code into legitimate applications, creating a cascading effect of compromise throughout the software supply chain. The sheer persistence and adaptability of GlassWorm suggest a well-resourced and sophisticated threat actor group behind these operations, continuously refining their tools and methods to bypass existing security measures.

Technical Deep Dive: The Zig Dropper and Node.js Native Addons

The technical sophistication of this new GlassWorm variant lies in its use of Zig and Node.js native addons. The identified Microsoft Visual Studio Code (VS Code) extension was engineered to be a near-perfect mimicry of the legitimate WakaTime tool. The only discernible modification lay within a specific function, "activate()." This seemingly minor alteration was, in fact, the critical entry point for the malicious payload.

Upon activation, the extension would install a binary specific to the operating system: "win.node" for Windows systems and "mac.node" for Apple macOS. The "mac.node" binary was further noted as a universal Mach-O binary, indicating compatibility across different Apple architectures, including both Intel and Apple Silicon. These "node.js native addons" are not typical JavaScript code but are, in essence, compiled shared libraries written in Zig. Their significance stems from their ability to load directly into Node.js’s runtime environment. Crucially, once loaded, they execute outside the confines of the JavaScript sandbox, granting them full operating system-level access. This level of access allows the malware to perform actions that would typically be restricted to a JavaScript environment, such as directly interacting with the file system, network interfaces, and other system resources without user prompts or standard security checks.

The choice of Zig for compiling these native addons is particularly noteworthy. Zig is a relatively new, low-level programming language that offers fine-grained control over memory and system resources, similar to C or Rust, but with a focus on simplicity and correctness. Its less widespread adoption compared to C++ or Rust might also mean that security scanning tools and antivirus software are less optimized for detecting Zig-compiled binaries, providing an additional layer of stealth for the attackers. This choice underscores the attackers’ ongoing efforts to leverage obscure or less commonly scrutinized technologies to evade detection.

The Multi-Stage Infection Chain: From Impersonation to Full Compromise

The attack chain meticulously unfolds in several stages, each designed to ensure maximum stealth and persistence:

1. Initial Compromise (WakaTime Impersonation): The attack begins when a developer downloads and installs "specstudio.code-wakatime-activity-tracker" from Open VSX, believing it to be the legitimate WakaTime extension. The trust placed in familiar tool names and the Open VSX platform is exploited.
2. Native Binary Deployment: Upon activation of the malicious extension, the Zig-compiled native addon (either win.node or mac.node) is dropped onto the system.
3. IDE Discovery and Enumeration: Once loaded, the primary objective of this native binary is to meticulously scan the system to identify every IDE that supports VS Code extensions. This includes not only official Microsoft VS Code and VS Code Insiders but also popular forks and derivatives like VSCodium, Positron, and a growing number of artificial intelligence (AI)-powered coding tools such as Cursor and Windsurf. The extensive targeting ensures that even developers using alternative or cutting-edge environments are not safe.
4. Second-Stage Payload Download: After enumerating all available IDEs, the Zig dropper connects to an attacker-controlled GitHub account (e.g., github.com/ColossusQuailPray) to download a second malicious VS Code extension package (.VSIX file). This second-stage extension is named "floktokbok.autoimport."
5. Further Impersonation: "floktokbok.autoimport" is itself an impersonation, mimicking the legitimate "steoates.autoimport" extension, which boasts over 5 million installs on the official Visual Studio Marketplace. This widespread legitimacy makes its malicious counterpart harder to distinguish without careful scrutiny.
6. Silent Installation Across All IDEs: In the final critical step, the downloaded .VSIX file is written to a temporary path. The Zig dropper then leverages each identified editor’s command-line interface (CLI) installer to silently install "floktokbok.autoimport" into every IDE it found. This silent, pervasive installation across multiple development environments ensures the malware’s deep entrenchment and broad reach within the developer’s ecosystem.
7. Final Payload Execution: The "floktokbok.autoimport" extension acts as the ultimate dropper, deploying the GlassWorm malware. This final stage includes several malicious functionalities:
   • Geographic Evasion: It contains logic to avoid execution on Russian systems, a common tactic seen in various malware campaigns, often attributed to specific geopolitical affiliations or operational security measures.
   • Decentralized Command-and-Control (C2): The malware communicates with the Solana blockchain to fetch the command-and-control (C2) server address. Utilizing a blockchain for C2 infrastructure offers significant advantages to attackers, including increased resilience against takedowns, decentralization, and enhanced anonymity, making it much harder for authorities to disrupt.
   • Data Exfiltration: It is designed to exfiltrate sensitive data from the compromised system. This could include source code, API keys, credentials, intellectual property, personal identifiable information, and other proprietary data that developers routinely handle.
   • Remote Access Trojan (RAT) Deployment: A Remote Access Trojan is installed, granting the attackers persistent, unfettered access to the compromised machine. This allows for long-term surveillance, data theft, and further malicious activities.
   • Information-Stealing Chrome Extension: The ultimate payload is an information-stealing Google Chrome extension. Such extensions are commonly used to capture browsing history, cookies, autofill data, and more critically, login credentials, cryptocurrency wallet keys, and other sensitive information entered into web forms.

Broader Implications for the Software Supply Chain and Developer Trust

This latest GlassWorm evolution carries profound implications for the software supply chain and the inherent trust developers place in their tools and ecosystems. The attack vector directly targets the heart of software creation—the IDEs. By compromising these environments, attackers gain a vantage point that can lead to:

• Compromise of Source Code: Access to proprietary and sensitive source code, potentially leading to intellectual property theft or the injection of backdoors into legitimate software.
• Credential Theft: Developers often have elevated privileges and access to numerous internal systems, cloud environments, and code repositories. Stolen credentials can facilitate widespread lateral movement within an organization.
• Supply Chain Contamination: If a compromised developer inadvertently commits malicious code or dependencies, it can propagate through the software build process, affecting downstream users and customers. This is the essence of a supply chain attack.
• Erosion of Trust: Such incidents erode trust in open-source platforms like Open VSX and the wider ecosystem of extensions, making developers more hesitant to adopt new tools, potentially hindering innovation and productivity.
• Security for AI-Powered Coding Tools: The explicit targeting of AI-powered coding tools like Cursor and Windsurf also highlights a new frontier for attacks. As these tools become more integrated into development workflows, they present attractive targets due to their deep access to code and context, potentially allowing attackers to influence or exfiltrate data from AI-assisted development processes.

The increasing sophistication of these attacks underscores a critical vulnerability in modern software development: the reliance on a vast, interconnected ecosystem of third-party tools, libraries, and extensions. While this ecosystem fosters innovation, it also presents an expansive attack surface that threat actors are increasingly exploiting.

Official Responses and Mitigation Strategies

Following the discovery, swift action was taken:

• The malicious extension "specstudio.code-wakatime-activity-tracker" was promptly removed from the Open VSX registry. This immediate delisting is a crucial step in preventing further infections.
• The attacker-controlled GitHub account (github.com/ColossusQuailPray) was likely suspended or had its malicious repositories removed, disrupting the second stage of the attack chain. While not explicitly stated, such actions are standard procedure for platform providers like GitHub when notified of abuse.

For developers and organizations, the immediate advice is clear and urgent:

• Assume Compromise: Users who have installed either "specstudio.code-wakatime-activity-tracker" or "floktokbok.autoimport" are strongly advised to assume their systems are compromised.
• Rotate All Secrets: This includes passwords, API keys, SSH keys, cloud credentials, and any other sensitive access tokens. This should be done from a clean, uncompromised machine, if possible.
• Full System Scan and Reinstallation: A thorough security scan using reputable antivirus and anti-malware tools is recommended. For critical development machines, a complete reinstallation of the operating system and all development tools might be the safest course of action to ensure all traces of the malware are eradicated.

Beyond immediate response, proactive measures are essential:

• Vigilant Extension Management: Developers should exercise extreme caution when installing IDE extensions, even from seemingly legitimate marketplaces. Always verify the publisher, check reviews, and scrutinize permissions requested by extensions.
• Supply Chain Security Tools: Organizations should implement supply chain security tools that scan for malicious code in dependencies, containers, and development tools.
• Endpoint Detection and Response (EDR): Advanced EDR solutions can help detect unusual process behavior, network connections (especially to blockchain C2s), and file modifications indicative of malware.
• Network Segmentation: Isolate development environments from production networks and other sensitive systems to limit lateral movement in case of a compromise.
• Principle of Least Privilege: Ensure developers and their tools operate with the minimum necessary privileges to perform their tasks.
• Regular Audits and Security Training: Conduct regular security audits of development environments and provide ongoing training to developers on identifying and mitigating supply chain risks.
• Hash Verification: Where possible, verify the cryptographic hashes of downloaded extensions against official sources to ensure their integrity.

This latest evolution of the GlassWorm campaign serves as a stark reminder of the sophisticated and persistent threats targeting the software development ecosystem. As attackers continue to innovate, leveraging new programming languages, decentralized infrastructure, and social engineering tactics, the collective vigilance of developers, security researchers, and platform providers remains paramount in safeguarding the integrity of the global software supply chain. The incident underscores the continuous arms race between cybercriminals and defenders, emphasizing the critical need for proactive, multi-layered security strategies in an increasingly interconnected and complex digital world.