The GlassWorm campaign has evolved and now uses a Zig-compiled dropper to infect integrated development environments (IDEs). The technique was identified in an Open VSX extension, "specstudio.code-wakatime-activity-tracker," which impersonates the legitimate WakaTime time-tracking tool. The extension ships a native binary, win.node or mac.node, written in Zig. A .node file is a compiled Node.js addon: once the extension host loads it with require(), the code runs outside the JavaScript sandbox as ordinary native code with the full operating-system privileges of the user running the IDE.
Once executed, the binary enumerates every IDE on the developer's machine that supports VS Code extensions, including Microsoft VS Code, VSCodium, and AI-powered coding tools built on the same extension model. It then downloads a second-stage malicious VS Code extension, "floktokbok.autoimport," and writes it into the extension directory of every IDE it found, without any user interaction or marketplace prompt. The second-stage extension also mimics a legitimate tool, which helps it blend in with a developer's installed extensions.
The "floktokbok.autoimport" extension is itself a dropper. It includes an anti-analysis check that skips execution on Russian systems, retrieves its command-and-control (C2) server details from the Solana blockchain so that takedowns of a fixed domain do not cut it off, exfiltrates sensitive user data, and finally deploys a remote access trojan (RAT) together with an information-stealing Google Chrome extension. Anyone who has installed either extension should assume the machine is compromised and immediately rotate every credential and secret that was reachable from it.
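The two indicators the report gives (the extension IDs and the win.node/mac.node native addons) are enough for a quick triage sweep of a developer workstation. The script below is an added example written for this page, not code from the report or from any of the projects it names. It walks the per-user extension directories of VS Code-family editors, reads each extension's package.json to recover its publisher.name ID, and flags the two GlassWorm IDs plus any extension that ships a .node native addon. The VS Code and VSCodium paths are standard; the Cursor and Windsurf paths are assumptions based on their VS Code lineage. The sample extension tree it scans in demo() is constructed in a temporary directory purely to show the output.

```python
#!/usr/bin/env python3
"""Triage sweep for the GlassWorm extension indicators described above (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Extension IDs named in the report, in package.json "publisher.name" form.
MALICIOUS_EXTENSION_IDS = {
    "specstudio.code-wakatime-activity-tracker",  # first stage, from Open VSX
    "floktokbok.autoimport",                       # second stage, dropped by the native binary
}

# Filenames of the Zig-compiled native addon the first stage ships. Any .node file is
# native code loaded by require(), so other .node files are reported at lower severity.
SUSPICIOUS_NATIVE_FILES = {"win.node", "mac.node"}

# Per-user extension roots, relative to the home directory.
# VS Code and VSCodium paths are standard; Cursor and Windsurf paths are assumptions.
DEFAULT_EXTENSION_ROOTS = [
    ".vscode/extensions",           # Microsoft VS Code
    ".vscode-insiders/extensions",  # VS Code Insiders
    ".vscode-oss/extensions",       # VSCodium
    ".cursor/extensions",           # Cursor (assumed path)
    ".windsurf/extensions",         # Windsurf (assumed path)
]

_VERSION_SUFFIX = re.compile(r"-\d+\.\d+\.\d+.*$")


def extension_roots(home=None):
    """Return the extension directories that actually exist under the given home."""
    home = Path(home) if home else Path.home()
    return [home / rel for rel in DEFAULT_EXTENSION_ROOTS if (home / rel).is_dir()]


def extension_id(ext_dir):
    """Recover publisher.name from package.json, falling back to the directory name."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        publisher, name = manifest.get("publisher"), manifest.get("name")
        if publisher and name:
            return f"{publisher}.{name}".lower()
    except (OSError, ValueError):
        pass
    # Directory names look like "publisher.name-1.2.3"; strip the version.
    return _VERSION_SUFFIX.sub("", ext_dir.name).lower()


def scan_extensions(roots):
    """Scan each extension directory under the given roots and return a list of findings."""
    findings = []
    for root in roots:
        for ext_dir in sorted(Path(root).iterdir()):
            if not ext_dir.is_dir():
                continue
            ext_id = extension_id(ext_dir)
            reasons = []
            if ext_id in MALICIOUS_EXTENSION_IDS:
                reasons.append("known GlassWorm extension id")
            native = [p.name for p in ext_dir.rglob("*.node")]
            if any(n in SUSPICIOUS_NATIVE_FILES for n in native):
                reasons.append("ships win.node/mac.node native addon")
            elif native:
                reasons.append("ships native .node addon")  # legitimate for some extensions; review
            if reasons:
                findings.append({
                    "root": str(root),
                    "extension": ext_id,
                    "path": str(ext_dir),
                    "severity": "high" if ext_id in MALICIOUS_EXTENSION_IDS else "medium",
                    "reasons": reasons,
                })
    return findings


def build_demo_tree(base):
    """Construct a sample extension layout (fabricated for demonstration, not real artifacts)."""
    base = Path(base)
    stage1 = base / ".vscode/extensions/specstudio.code-wakatime-activity-tracker-1.0.3"
    stage1.mkdir(parents=True)
    (stage1 / "package.json").write_text(json.dumps(
        {"publisher": "specstudio", "name": "code-wakatime-activity-tracker"}))
    (stage1 / "win.node").write_bytes(b"MZ\x90\x00")  # placeholder bytes, not a real binary
    benign = base / ".vscode/extensions/ms-python.python-2024.0.0"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"publisher": "ms-python", "name": "python"}))
    stage2 = base / ".vscode-oss/extensions/floktokbok.autoimport-0.0.1"
    stage2.mkdir(parents=True)
    (stage2 / "package.json").write_text(json.dumps({"publisher": "floktokbok", "name": "autoimport"}))
    return base


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_extensions(extension_roots(tmp))


if __name__ == "__main__":
    # Real sweep: scan_extensions(extension_roots()); here we run against the sample tree.
    for finding in demo():
        print(f"[{finding['severity']}] {finding['extension']} at {finding['path']}: "
              + "; ".join(finding["reasons"]))
```

Run it with no arguments to see the two constructed hits; replace demo() with scan_extensions(extension_roots()) to sweep the real home directory. Treat a "medium" hit as something to review rather than a verdict, since some legitimate extensions do ship native addons; the "high" hits correspond to the IDs the report names, and a machine showing either should be handled as compromised.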