Back to Home

GlassWorm: Zig-dropper in WakaTime infects IDE

GlassWorm campaign evolved to using Zig-binaries in fake WakaTime and autoimport extensions. Attack infects all VS Code-compatible IDEs on the machine, bypassing JS-sandbox. Recommendations for detection and cleanup.

GlassWorm Zig-attack: all your IDEs under threat
Advertisement 728x90

GlassWorm: Native Zig Dropper Infects All VS Code Editors

A new phase of the GlassWorm campaign uses a fake WakaTime extension on Open VSX to deploy a native Zig binary. This code bypasses the JS sandbox, scans the system, and installs malware into every VS Code-compatible IDE on the machine—from VS Code itself to Cursor and Positron.

Researchers at Aikido Security uncovered the extension code-wakatime-activity-tracker, which mimics the legitimate WakaTime but features a modified activate() function. This function downloads the binary win.node (Windows) or mac.node (macOS), triggering a full infection chain.

Initial Load Mechanism

The activate() function requires the native addon:

Google AdInline article slot
const bw = process.platform === "win32" ? "./bin/win.node" : "./bin/mac.node";
const { install } = require(bw);
install();

These binaries are Node.js native addons (PE32+ DLL on Windows, Mach-O on macOS for x86_64/arm64), compiled using Zig. They inject directly into the Node runtime with OS-level privileges, evading JavaScript sandboxing. Debug symbols in the macOS version point to /Users/davidioasd/Downloads/vsx_installer_zig.

Next, the binary enumerates paths to IDEs:

  • Windows: %LOCALAPPDATA%\Programs\Microsoft VS Code\bin\code.cmd
  • %LOCALAPPDATA%\Programs\Cursor\resources\app\bin\cursor.cmd
  • Similar paths for VS Code Insiders, Windsurf, VSCodium, and Positron.

On macOS: /Applications/*.app for the same editors. If multiple IDEs exist, all are compromised.

Google AdInline article slot

Second Stage: Autoimport Spoofing

The binary downloads the .vsix file floktokbok.autoimport from GitHub Releases (a clone of steoates.autoimport, with over 5 million installs). Each IDE is installed via CLI:

cmd.exe /d /e:ON /v:OFF /c "<ide_path> --install-extension <vsix_path>"

After installation, cleanupVsix() removes traces. The second dropper skips Russian-language locales and uses Solana blockchain for C2 communication (address extracted from wallet transactions). It exfiltrates secrets, deploys a RAT, and installs a Chrome infostealer for cookie harvesting and keylogging.

Attack Trade-offs:

Google AdInline article slot
  • Pros: Native code remains invisible in DevTools; Solana-based C2 resists domain blocking.
  • Cons: Binary hashes remain static until rebuilt; limited to Windows and macOS.

Evolution of GlassWorm

The campaign has been active since March 2025—evolving from Unicode-payload npm packages to GitHub and the VS Code Marketplace. The key shift? Using Zig-based addons instead of JavaScript, requiring OS-level analysis. Hundreds of projects have already been compromised.

Indicators of Compromise

Extensions:

  • specstudio.code-wakatime-activity-tracker
  • floktokbok.autoimport

SHA-256 Binaries:

  • win.node: 2819ea44e22b9c47049e86894e544f3fd0de1d8afc7b545314bd3bc718bf2e02
  • mac.node: 112d1b33dd9b0244525f51e59e6a79ac5ae452bf6e98c310e7b4fa7902e4db44

Strings: vsx_installer_zig, davidioasd

Key Takeaways

  • Native Zig addons bypass JS analysis—monitor .node and .dll files in extensions.
  • Infection is chain-based: one compromised extension infects all VS Code forks on the machine.
  • Solana-based C2: domain blocking is ineffective—blockchain monitoring is essential.
  • Skipping Russian locale indicates targeting—rotate secrets immediately if detected.
  • Prevention: verify publisher and install counts; scan EDR folders for extensions.

Cleanup Steps

  • Check extensions across all IDEs (VS Code, Cursor, etc.).
  • Remove suspicious ones; rotate SSH keys, tokens (npm, GitHub PAT, AWS).
  • Clear Chrome of unknown extensions and log out everywhere.
  • Implement extension whitelisting and EDR for native addons.

— Editorial Team

Advertisement 728x90

Read Next