GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

What’s new: The GlassWorm campaign has evolved to use a new Zig dropper that stealthily infects all integrated development environments (IDEs) on a developer’s machine. This was identified in a malicious Open VSX extension named “specstudio.code-wakatime-activity-tracker,” which mimics the legitimate WakaTime tool. The extension has been removed from download sources.

Who’s affected

Developers using Microsoft Visual Studio Code, VS Code Insiders, and various forks such as VSCodium, as well as AI-powered coding tools like Cursor and Windsurf, may be at risk if they installed the malicious extension or the subsequent dropper extension “floktokbok.autoimport.”

What to do

• Assume compromise if you have installed “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport.”
• Rotate all secrets and credentials associated with affected systems.
• Monitor for unusual activity and consider conducting a security audit of your development environment.

Sources

• The Hacker News