DEV Community

Mark0

GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

Cybersecurity researchers have identified a new evolution of the GlassWorm campaign using a Zig-compiled dropper to target developers. Discovered in a malicious extension on Open VSX masquerading as the WakaTime tool, the malware uses native binaries to bypass JavaScript sandboxes and gain full system-level access on Windows and macOS.

Once active, the Zig binary scans for all installed IDEs, including VS Code forks and AI-powered editors like Cursor and Windsurf. It then silently installs a second-stage malicious extension that communicates via the Solana blockchain to fetch C2 instructions, exfiltrate data, and deploy a remote access trojan (RAT) alongside an information-stealing Chrome extension.
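
A defender-side triage check for the behaviour described above, as an added example that is not from the original article or the researchers: it walks each IDE's extension directory and lists the extensions that bundle native executables, identified by PE, ELF or Mach-O magic number. The directory names are assumed per-user defaults, and many legitimate extensions also ship native binaries, so a hit is a prompt to review the extension, not a verdict.

```python
from pathlib import Path

# Assumed default per-user extension directories (relative to the home
# directory) for VS Code, VSCodium, Cursor and Windsurf; adjust as needed.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-oss/extensions",
                 ".cursor/extensions", ".windsurf/extensions"]

# Leading bytes of native executables: PE, ELF, thin Mach-O (both byte
# orders) and fat Mach-O. The fat magic also matches Java .class files.
MAGICS = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
          b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def is_native(path):
    """Return True if the file starts with a PE, ELF or Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False  # unreadable file: skip rather than abort the audit
    return head.startswith(MAGICS)


def audit(roots):
    """Map each extension folder to the sorted native files found inside it."""
    findings = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # IDE not installed for this user
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            hits = sorted(str(f.relative_to(ext_dir))
                          for f in ext_dir.rglob("*")
                          if f.is_file() and not f.is_symlink() and is_native(f))
            if hits:
                findings[str(ext_dir)] = hits
    return findings


if __name__ == "__main__":
    home = Path.home()
    for ext, files in audit(home / r for r in DEFAULT_ROOTS).items():
        print(ext)
        for name in files:
            print("   ", name)
```

Comparing the output across IDEs on the same machine also shows whether an extension appears in editors where the user never installed it.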

