Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

GlassWorm evolves with Zig dropper to infect multiple developer tools

The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems. The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions. In its latest iteration, threat […]

GlassWorm

The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems.

The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions.

In its latest iteration, threat actors used a malicious OpenVSX extension impersonating WakaTime, bundling a Zig-compiled binary. Instead of acting as the payload, the binary serves as a stealthy dropper that infects multiple IDEs on a system, showing the group’s continuous adaptation.

“This is not the first time GlassWorm resorted to using native compiled code in extensions.” reads the report published by Aikido. “However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your system.”

The binary runs outside the JavaScript sandbox with full system access. It is loaded during activation and silently executes a dropper that scans the machine for IDEs like VS Code, Cursor, and VSCodium, targeting the entire ecosystem.

The malware then downloads a fake extension from GitHub, disguised as a legitimate plugin, and installs it across all detected IDEs using their own tools. Afterward, it deletes traces of the installer. This technique enables stealthy, cross-IDE compromise, making it highly effective in infecting developer environments at scale.

The second-stage extension is the known GlassWorm dropper. The experts noted that it avoids Russian systems and communicates with a Solana-based C2. The malicious code steals data and installs a persistent RAT, including a malicious Chrome extension.

If you find the malicious extensions installed, treat the system as compromised and rotate any exposed credentials.

“If you installed specstudio/code-wakatime-activity-tracker or see floktokbok.autoimport in any of your IDE extension lists, treat your machine as compromised and rotate any secrets that could have been accessed.” concludes the report.

Aikido researchers also provided Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)