GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

Security Reporter

Cybersecurity researchers have uncovered a sophisticated GlassWorm campaign that employs a Zig-compiled dropper to silently infect all IDEs on a developer's machine through malicious VS Code extensions.

Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a popular tool that measures the time programmers spend inside their IDE. The extension is no longer available for download.

"The extension [...] ships a Zig-compiled native binary alongside its JavaScript code," Aikido Security researcher Ilyas Makari said in an analysis published this week. "This is not the first time GlassWorm has resorted to using native compiled code in extensions. However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your system."

The newly identified Microsoft Visual Studio Code (VS Code) extension is a near replica of WakaTime, save for a change introduced in a function named "activate()." The extension installs a binary named "win.node" on Windows systems and "mac.node," a universal Mach-O binary, if the system is running Apple macOS. These Node.js native addons are compiled shared libraries written in Zig; once loaded directly into Node's runtime they execute outside the JavaScript sandbox, with the same operating-system access as the editor process itself.

Once loaded, the primary goal of the binary is to find every IDE on the system that supports VS Code extensions. This includes Microsoft VS Code and VS Code Insiders, as well as forks like VSCodium, Positron, and a number of artificial intelligence (AI)-powered coding tools like Cursor and Windsurf. The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled GitHub account. The extension – called "floktokbok.autoimport" – impersonates "steoates.autoimport," a legitimate extension with more than 5 million installs on the official Visual Studio Marketplace.

In the final step, the downloaded .VSIX file is written to a temporary path and silently installed into every IDE using each editor's CLI installer. The second-stage VS Code extension acts as a dropper that avoids execution on Russian systems, talks to the Solana blockchain to fetch the command-and-control (C2) server, exfiltrates sensitive data, and installs a remote access trojan (RAT), which ultimately deploys an information-stealing Google Chrome extension.

Users who have installed "specstudio.code-wakatime-activity-tracker" or "floktokbok.autoimport" are advised to assume compromise and rotate all secrets.

Technical Analysis

The use of Zig as the compilation target represents a notable evolution in malware delivery. Zig's built-in cross-compilation and small, dependency-free binaries make it an attractive choice for attackers who want one code base that produces stealthy native payloads for several operating systems.

By embedding the Zig-compiled binary directly within the VS Code extension package, attackers can bypass security controls that only flag downloads made after installation. Because the binary is loaded as a native addon, it runs outside the JavaScript sandbox with the privileges of the user running the editor, which is enough to scan for and infect every other IDE on the machine beyond the initial target.

Attack Chain Breakdown

  1. Initial Compromise: Developer installs malicious "specstudio.code-wakatime-activity-tracker" extension from Open VSX
  2. Binary Deployment: Extension installs platform-specific Zig-compiled native addon (win.node or mac.node)
  3. IDE Discovery: Binary scans system for all VS Code-compatible IDEs
  4. Payload Download: Malicious "floktokbok.autoimport" VSIX file downloaded from GitHub
  5. Silent Installation: Extension installed across all discovered IDEs
  6. Second-stage Execution: Extension fetches C2 from Solana blockchain, deploys RAT and Chrome stealer

The campaign's use of blockchain for C2 infrastructure adds another layer of complexity, making it harder to block or sinkhole the command infrastructure through traditional means.

Impact and Mitigation

This attack vector is particularly dangerous because it targets the software supply chain of developers themselves. By compromising the tools developers use daily, attackers can potentially access source code, credentials, API keys, and other sensitive development artifacts.

Recommended Actions:

  • Immediately audit VS Code extensions and remove any suspicious installations
  • Review and rotate all credentials, API keys, and secrets
  • Enable extension verification and only install from official marketplaces
  • Implement network monitoring for unusual blockchain traffic patterns
  • Consider using extension whitelisting in enterprise environments
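A minimal local audit for the first action above, added here as an example and not tooling from Aikido or the article: it walks each editor's per-user extensions folder, flags the two extension IDs named in the article and any bundled native ".node" addon, and runs itself against a constructed sample tree. The folder names in DEFAULT_EXT_DIRS are assumed defaults for the editors listed.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs named in the article (publisher.name), compared case-insensitively.
KNOWN_BAD_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}
# Assumed per-user extension folders; portable installs and remote hosts differ.
DEFAULT_EXT_DIRS = [Path.home() / d / "extensions" for d in (".vscode",
                    ".vscode-insiders", ".vscodium", ".positron", ".cursor", ".windsurf")]

def audit_extension(ext_dir: Path):
    """Inspect one installed extension folder; return a finding dict or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    pkg = json.loads(manifest.read_text(encoding="utf-8"))
    ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}".lower()
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known GlassWorm extension id")
    # *.node files are native addons that run outside the JS sandbox; benign
    # extensions ship them too, so this is a triage lead rather than a verdict.
    native = sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.node"))
    if native:
        reasons.append("bundles native addon(s): " + ", ".join(native))
    return {"path": str(ext_dir), "ext_id": ext_id, "reasons": reasons} if reasons else None

def audit_ide_dirs(ext_roots=None):
    """Walk every IDE's extensions folder and collect the non-empty findings."""
    findings = []
    for root in (ext_roots or DEFAULT_EXT_DIRS):
        for ext_dir in sorted(root.iterdir()) if root.is_dir() else []:
            hit = audit_extension(ext_dir) if ext_dir.is_dir() else None
            if hit:
                findings.append(hit)
    return findings

def demo():
    """Run the audit over a constructed sample tree, not a real install."""
    base = Path(tempfile.mkdtemp()) / ".vscode" / "extensions"
    sample = {  # folder -> (publisher, name, bundled files); all values constructed
        "specstudio.code-wakatime-activity-tracker-1.0.0": ("SpecStudio", "code-wakatime-activity-tracker", ["win.node"]),
        "steoates.autoimport-1.0.0": ("steoates", "autoimport", []),
    }
    for folder, (pub, name, files) in sample.items():
        d = base / folder
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
        for f in files:
            (d / f).write_bytes(b"placeholder bytes, not a real addon")
    return audit_ide_dirs([base])
```

Calling audit_ide_dirs() with no arguments scans the assumed default folders on the current machine; a hit on the known IDs should be treated as compromise per the article's advice, and a native-addon hit as something to inspect.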

Industry Response

The discovery highlights the growing sophistication of software supply chain attacks and the need for enhanced security measures in development tool ecosystems. The use of legitimate-looking extensions that mimic popular tools demonstrates how attackers are increasingly focusing on social engineering and trust exploitation.

Open VSX and other alternative extension marketplaces may need to implement more stringent verification processes to prevent similar attacks in the future. Meanwhile, developers should exercise extreme caution when installing extensions, particularly those that request unusual permissions or come from unverified sources.

This campaign serves as a stark reminder that the security of development environments requires constant vigilance, as attackers continue to evolve their techniques to target the software supply chain at its most vulnerable points.
