GlassWorm: Native Zig Dropper Infects All VS Code Editors
A new phase of the GlassWorm campaign uses a fake WakaTime extension on Open VSX to deploy a native Zig binary. This code bypasses the JS sandbox, scans the system, and installs malware into every VS Code-compatible IDE on the machine—from VS Code itself to Cursor and Positron.
Researchers at Aikido Security uncovered the extension code-wakatime-activity-tracker, which mimics the legitimate WakaTime but features a modified activate() function. This function downloads the binary win.node (Windows) or mac.node (macOS), triggering a full infection chain.
Initial Load Mechanism
The activate() function requires the native addon:
const bw = process.platform === "win32" ? "./bin/win.node" : "./bin/mac.node";
const { install } = require(bw);
install();
These binaries are Node.js native addons (PE32+ DLL on Windows, Mach-O on macOS for x86_64/arm64), compiled using Zig. They inject directly into the Node runtime with OS-level privileges, evading JavaScript sandboxing. Debug symbols in the macOS version point to /Users/davidioasd/Downloads/vsx_installer_zig.
Next, the binary enumerates paths to IDEs:
- Windows:
%LOCALAPPDATA%\Programs\Microsoft VS Code\bin\code.cmd %LOCALAPPDATA%\Programs\Cursor\resources\app\bin\cursor.cmd- Similar paths for VS Code Insiders, Windsurf, VSCodium, and Positron.
On macOS: /Applications/*.app for the same editors. If multiple IDEs exist, all are compromised.
Second Stage: Autoimport Spoofing
The binary downloads the .vsix file floktokbok.autoimport from GitHub Releases (a clone of steoates.autoimport, with over 5 million installs). Each IDE is installed via CLI:
cmd.exe /d /e:ON /v:OFF /c "<ide_path> --install-extension <vsix_path>"
After installation, cleanupVsix() removes traces. The second dropper skips Russian-language locales and uses Solana blockchain for C2 communication (address extracted from wallet transactions). It exfiltrates secrets, deploys a RAT, and installs a Chrome infostealer for cookie harvesting and keylogging.
Attack Trade-offs:
- Pros: Native code remains invisible in DevTools; Solana-based C2 resists domain blocking.
- Cons: Binary hashes remain static until rebuilt; limited to Windows and macOS.
Evolution of GlassWorm
The campaign has been active since March 2025—evolving from Unicode-payload npm packages to GitHub and the VS Code Marketplace. The key shift? Using Zig-based addons instead of JavaScript, requiring OS-level analysis. Hundreds of projects have already been compromised.
Indicators of Compromise
Extensions:
specstudio.code-wakatime-activity-trackerfloktokbok.autoimport
SHA-256 Binaries:
- win.node:
2819ea44e22b9c47049e86894e544f3fd0de1d8afc7b545314bd3bc718bf2e02 - mac.node:
112d1b33dd9b0244525f51e59e6a79ac5ae452bf6e98c310e7b4fa7902e4db44
Strings: vsx_installer_zig, davidioasd
Key Takeaways
- Native Zig addons bypass JS analysis—monitor
.nodeand.dllfiles in extensions. - Infection is chain-based: one compromised extension infects all VS Code forks on the machine.
- Solana-based C2: domain blocking is ineffective—blockchain monitoring is essential.
- Skipping Russian locale indicates targeting—rotate secrets immediately if detected.
- Prevention: verify publisher and install counts; scan EDR folders for extensions.
Cleanup Steps
- Check extensions across all IDEs (VS Code, Cursor, etc.).
- Remove suspicious ones; rotate SSH keys, tokens (npm, GitHub PAT, AWS).
- Clear Chrome of unknown extensions and log out everywhere.
- Implement extension whitelisting and EDR for native addons.
— Editorial Team
No comments yet.