GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
The GlassWorm campaign uses a Zig-compiled dropper hidden in a fake VS Code extension to infect developer IDEs and install malicious extensions.
What’s new: The GlassWorm campaign has evolved, utilizing a new Zig dropper to infect multiple integrated development environments (IDEs). This was identified in a malicious Open VSX extension named “specstudio.code-wakatime-activity-tracker,” which mimicked the legitimate WakaTime tool. The extension has been removed from download sources. It installs a Zig-compiled binary that targets various IDEs, including Microsoft VS Code and its forks, to download and install additional malicious extensions.
Who’s affected
Developers using Microsoft Visual Studio Code, VS Code Insiders, VSCodium, and other IDEs that support VS Code extensions may be impacted if they have installed the “specstudio.code-wakatime-activity-tracker” or the malicious extension “floktokbok.autoimport.”
What to do
- Assume compromise if you have installed the identified extensions and rotate all secrets immediately.
- Monitor for unusual activity or unauthorized access in your development environments.
- Ensure your IDEs are updated and only install extensions from trusted sources.
