CYBERSECURITY researchers have flagged the GlassWorm campaign’s latest evolution, which uses a Zig dropper designed to stealthily infect all integrated development environments on a developer’s machine. The technique hinges on an Open VSX extension named specstudio[.]code-wakatime-activity-tracker, masquerading as WakaTime, with the extension no longer available for download.
According to Aikido Security researcher Ilyas Makari, the extension ships a Zig-compiled native binary alongside its JavaScript code: on Windows the binary is named win[.]node, on macOS mac[.]node. Once loaded, the binary searches for every IDE on the system that supports VS Code extensions, downloads a malicious VSIX from an attacker-controlled GitHub account, and silently installs it into every detected IDE.
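A defender-side check that follows from this description, added here and not part of the original report: sweep the extension directories of every VS Code-compatible IDE on a host and flag any extension that bundles a native `.node` module, with a high-confidence mark when the module carries the reported names. The IDE paths and the demo layout are assumptions constructed for illustration, not data from the article.

```python
import tempfile
from pathlib import Path

# Default extension roots of IDEs that load VS Code extensions (assumed paths; extend
# for your fleet). Native module names are those reported for the malicious extension.
EXTENSION_ROOTS = [
    "~/.vscode/extensions",
    "~/.vscode-insiders/extensions",
    "~/.vscodium/extensions",
    "~/.cursor/extensions",
    "~/.windsurf/extensions",
]
KNOWN_BAD_BINARIES = {"win.node", "mac.node"}

def scan_extension_root(root):
    """Return (extension dir, [native module paths], high_confidence) for every
    extension under ``root`` that bundles a .node native module."""
    findings = []
    root = Path(root).expanduser()
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        native = sorted(str(f.relative_to(ext_dir))
                        for f in ext_dir.rglob("*.node") if f.is_file())
        if native:  # any native code deserves review; known names are high confidence
            high = any(Path(n).name in KNOWN_BAD_BINARIES for n in native)
            findings.append((ext_dir.name, native, high))
    return findings

def scan_all(roots=EXTENSION_ROOTS):  # sweep every IDE root, like the dropper does
    return {str(r): scan_extension_root(r) for r in roots}

def build_demo_root():
    """Constructed sample layout: one JS-only extension, one shipping win/mac.node."""
    base = Path(tempfile.mkdtemp()) / "extensions"
    good = base / "example.js-only-extension-1.0.0"  # constructed name
    (good / "out").mkdir(parents=True)
    (good / "out" / "extension.js").write_text("// js only")
    bad = base / "specstudio.code-wakatime-activity-tracker-0.0.1"  # constructed version
    (bad / "dist").mkdir(parents=True)
    (bad / "dist" / "extension.js").write_text("// loads the native module")
    (bad / "win.node").write_bytes(b"constructed placeholder, not a real binary")
    (bad / "mac.node").write_bytes(b"constructed placeholder, not a real binary")
    return base

if __name__ == "__main__":
    for root, hits in scan_all([build_demo_root()] + EXTENSION_ROOTS).items():
        for name, files, high in hits:
            print(f"[{'HIGH' if high else 'review'}] {root}: {name} -> {files}")
```

Any "review" hit is an extension that ships native code and deserves a look at where that binary came from; a "HIGH" hit matches the file names reported for this campaign.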
In the final stage, the downloaded VSIX acts as a dropper that communicates with the Solana blockchain to fetch the C2 server address, exfiltrates data, and deploys an information-stealing Google Chrome extension. Affected users are told to rotate all secrets.