Cybersecurity researchers have flagged one more evolution of the ongoing GlassWorm marketing campaign, which employs a brand new Zig dropper that is designed to stealthily infect all built-in growth environments (IDEs) on a developer’s machine.
The method has been found in an Open VSX extension named “specstudio.code-wakatime-activity-tracker,” which masquerades as WakaTime, a preferred instrument that measures the time programmers spend inside their IDE. The extension is not out there for obtain.
“The extension […] ships a Zig-compiled native binary alongside its JavaScript code,” Aikido Safety researcher Ilyas Makari stated in an evaluation printed this week.
“This isn’t the primary time GlassWorm has resorted to utilizing native compiled code in extensions. Nevertheless, quite than utilizing the binary because the payload immediately, it’s used as a stealthy indirection for the identified GlassWorm dropper, which now secretly infects all different IDEs it could actually discover in your system.”
The newly recognized Microsoft Visible Studio Code (VS Code) extension is a close to duplicate of WakaTime, save for a change launched in a operate named “activate().” The extension installs a binary named “win.node” on Home windows methods and “mac.node,” a common Mach-O binary if the system is working Apple macOS.
These Node.js native addons are compiled shared libraries which can be written in Zig and cargo immediately into Node’s runtime and execute exterior the JavaScript sandbox with full working system-level entry.
As soon as loaded, the first purpose of the binary is to seek out each IDE on the system that helps VS Code extensions. This contains Microsoft VS Code and VS Code Insiders, in addition to forks like VSCodium, Positron, and a quantity of synthetic intelligence (AI)-powered coding instruments like Cursor and Windsurf.
The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled GitHub account. The extension – known as “floktokbok.autoimport” – impersonates “steoates.autoimport,” a official extension with greater than 5 million installs on the official Visible Studio Market.
Within the last step, the downloaded .VSIX file is written to a brief path and silently put in into each IDE utilizing every editor’s CLI installer. The second-stage VS Code extension acts as a dropper that avoids execution on Russian methods, talks to the Solana blockchain to fetch the command-and-control (C2) server, exfiltrates delicate information, and installs a distant entry trojan (RAT), which in the end deploys an information-stealing Google Chrome extension.
Customers who’ve put in “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” are suggested to imagine compromise and rotate all secrets and techniques.
