GlassWorm Campaign Deploys Zig Dropper to Target Developer IDEs

The evolving GlassWorm campaign has introduced a new threat targeting developers. The campaign now utilizes a Zig dropper aimed at Integrated Development Environments (IDEs). This sophisticated technique was confirmed through an analysis of a malicious Open VSX extension, initially named “specstudio.code-wakatime-activity-tracker.” This extension pretended to be WakaTime, a widely-used tool for tracking time spent in IDEs, but has since been removed from download platforms.

Malicious Implementation of Zig Dropper

According to Aikido Security researcher Ilyas Makari, the extension ships a Zig-compiled binary alongside its JavaScript code. This continues GlassWorm’s established practice of embedding natively compiled code in extensions, but with a change in role: rather than being the payload itself, the binary is used for stealthy deployment, acting as an intermediary that infects every IDE it can detect on the developer’s machine.

Identified Target: Microsoft Visual Studio Code Extension

The implicated extension closely resembles WakaTime but includes a notable modification in a function called “activate().” Upon installation, it places a binary named “win.node” on Windows machines and “mac.node” on macOS systems. These binaries are designed as Node.js native addons, granting them the ability to load directly into Node’s runtime. This feature allows them to execute outside of the JavaScript sandbox, effectively giving them extensive system access.

Impact on Multiple IDEs

The binary’s primary function is to locate any IDE on the system that supports Visual Studio Code extensions, including:

  • Microsoft Visual Studio Code
  • VS Code Insiders
  • VSCodium
  • Positron
  • AI-enhanced tools like Cursor and Windsurf

Once detected, it fetches a malicious VS Code extension named “floktokbok.autoimport.” This extension impersonates another legitimate add-on, “steoates.autoimport,” which boasts over five million installs. The process culminates in the downloaded VSIX file being quietly installed across all IDEs using each editor’s CLI installer.
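As an added defensive check, not code from the article or from Aikido, the following Python script walks the extension folders of the editors listed above and flags the two extension ids named in the report as well as any bundled native addon called win.node or mac.node. The per-IDE folder locations are assumed typical paths, and the directory tree it scans in the demo is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Extension ids named in the article, in the publisher.name form VS Code uses.
MALICIOUS_EXTENSION_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}
# Filenames of the native addons the article says the lookalike drops.
SUSPICIOUS_NATIVE_ADDONS = {"win.node", "mac.node"}
# Per-IDE extension folders relative to $HOME (assumed typical locations; adjust for your installs).
IDE_EXTENSION_DIRS = [".vscode/extensions", ".vscode-insiders/extensions", ".vscode-oss/extensions",
                      ".positron/extensions", ".cursor/extensions", ".windsurf/extensions"]

def scan_extensions_dir(ext_dir):
    """Return (path, reason) pairs for indicators found in one extensions folder."""
    findings, ext_dir = [], Path(ext_dir)
    if not ext_dir.is_dir():
        return findings
    for entry in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        # VS Code names extension folders "<publisher>.<name>-<version>"; strip the version.
        m = re.match(r"^(.+?)-\d+(?:\.\d+)+", entry.name)
        if (m.group(1) if m else entry.name).lower() in MALICIOUS_EXTENSION_IDS:
            findings.append((str(entry), "known GlassWorm extension id"))
        for addon in entry.rglob("*.node"):  # native addons run outside the JS sandbox
            if addon.name.lower() in SUSPICIOUS_NATIVE_ADDONS:
                findings.append((str(addon), "native addon matching dropper filename"))
    return findings

def scan_home(home):
    """Scan every listed IDE's extension folder under home; keep only non-empty results."""
    results = {}
    for rel in IDE_EXTENSION_DIRS:
        hits = scan_extensions_dir(Path(home) / rel)
        if hits:
            results[rel] = hits
    return results

def build_sample_tree(root):
    """Constructed sample layout (versions are placeholders), not a real capture."""
    root = Path(root)
    (root / ".vscode/extensions/steoates.autoimport-1.0.0").mkdir(parents=True)
    bad = root / ".vscode/extensions/specstudio.code-wakatime-activity-tracker-1.0.0"
    bad.mkdir(parents=True)
    for name in SUSPICIOUS_NATIVE_ADDONS:
        (bad / name).write_bytes(b"\x00")
    (root / ".cursor/extensions/floktokbok.autoimport-1.0.0").mkdir(parents=True)
    return root

def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_home(build_sample_tree(tmp))
```

To check a real workstation, call scan_home(Path.home()) instead of demo(); an empty result only means these particular indicators were not found.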

Consequences and Recommendations

The malicious extension acts as a dropper, avoiding execution on systems based in Russia. It connects with the Solana blockchain to access the command-and-control (C2) server, exfiltrate sensitive information, and install a Remote Access Trojan (RAT). This RAT eventually deploys a Google Chrome extension designed for information theft.

For developers who have installed the malicious extensions, it is crucial to take immediate action. Users are strongly advised to assume that their systems are compromised and to rotate any sensitive information accordingly.