Cybersecurity experts have identified new tactics in the ongoing GlassWorm campaign, which is utilizing a novel Zig dropper to covertly compromise integrated development environments (IDEs) on developer systems.
Discovery in Open VSX Extension
The campaign’s latest tactic was uncovered within an Open VSX extension known as “specstudio.code-wakatime-activity-tracker.” This extension mimics WakaTime, a widely used tool for tracking programming time in IDEs. The extension has been removed from download platforms.
Aikido Security researcher Ilyas Makari highlighted that the extension incorporates a Zig-compiled native binary alongside JavaScript code. This approach is not new for GlassWorm, which has previously employed native code in its extensions. However, this binary serves as a stealthy intermediary for the GlassWorm dropper, enabling it to infect additional IDEs on the machine without being detected.
Impacts on Developer Tools
The compromised Microsoft Visual Studio Code (VS Code) extension closely resembles WakaTime, except for modifications in the “activate()” function. Upon installation, it deploys a binary named “win.node” on Windows or “mac.node” on macOS, depending on the operating system.
These Node.js native addons, written in Zig, operate outside the JavaScript environment with full system-level access. Their primary function is to identify all IDEs compatible with VS Code extensions, including Microsoft VS Code, VS Code Insiders, VSCodium, and others, some of which are AI-enhanced coding tools.
Malicious Extension Deployment
Once identified, the binary downloads a malicious VS Code extension (.VSIX) from a GitHub account controlled by attackers. Named “floktokbok.autoimport,” this extension poses as “steoates.autoimport,” a legitimate tool with over 5 million installations.
In the final stage, the .VSIX file is temporarily stored and discreetly installed into every IDE using each editor’s command-line installer. This secondary VS Code extension serves as a dropper, avoiding execution on Russian systems, connecting to the Solana blockchain for command-and-control server information, and exfiltrating sensitive data. It also installs a remote access trojan (RAT) that deploys a data-stealing Google Chrome extension.
Protective Measures and Recommendations
Developers who have installed “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” should assume their systems are compromised and immediately rotate all security credentials.
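A defender-side check for the recommendation above, written as an added example (it is not code from the article, from Aikido Security, or from any of the editors named): it scans the extension folders of VS Code-family editors for the two extension identifiers the article names and for extensions that bundle a native addon called win.node or mac.node. The default folder locations (~/.vscode/extensions, ~/.vscode-insiders/extensions and ~/.vscode-oss/extensions for VSCodium) and the “<publisher>.<name>-<version>” folder naming are my assumptions; other VS Code forks keep their own folder and can be appended to DEFAULT_ROOTS. The sample tree built by build_sample_tree() is constructed data, not a real capture.

```python
"""Added example, not code from the article or any product it names: scan
VS Code-family extension folders for the GlassWorm indicators the article lists.
Assumptions (mine): default extension folders are ~/.vscode/extensions,
~/.vscode-insiders/extensions and ~/.vscode-oss/extensions (VSCodium), and
extension folders are named "<publisher>.<name>-<version>"."""
import re
import sys
import tempfile
from pathlib import Path

# Extension identifiers the article names as malicious.
MALICIOUS_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}
# Native-addon file names the article says the first-stage extension drops.
SUSPICIOUS_NATIVE_FILES = {"win.node", "mac.node"}

# Assumed default extension roots; add other VS Code forks as needed.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-insiders" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
]

# '<publisher>.<name>-<version>': the version part starts with a digit.
_VERSION_SUFFIX = re.compile(r"^(.+?)-(\d[\w.-]*)$")


def extension_id(folder_name: str) -> str:
    """Return the lower-cased '<publisher>.<name>' part of an extension folder name."""
    m = _VERSION_SUFFIX.match(folder_name)
    return (m.group(1) if m else folder_name).lower()


def scan_root(root: Path) -> list:
    """Return one finding dict per indicator hit under one extensions folder."""
    findings = []
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir.name)
        if ext_id in MALICIOUS_IDS:
            findings.append({"root": str(root), "extension": ext_id,
                             "reason": "known GlassWorm extension id"})
        # Any file with one of the reported native-addon names, at any depth.
        native = sorted({f.name for f in ext_dir.rglob("*.node")
                         if f.name in SUSPICIOUS_NATIVE_FILES})
        if native:
            findings.append({"root": str(root), "extension": ext_id,
                             "reason": "bundles native addon " + ", ".join(native)})
    return findings


def scan(roots=None) -> list:
    """Scan every given (or default) extensions folder and merge the findings."""
    return [f for r in (roots or DEFAULT_ROOTS) for f in scan_root(Path(r))]


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data (not a real capture): one look-alike extension
    carrying a win.node addon next to a benign extension with no native code."""
    bad = base / "specstudio.code-wakatime-activity-tracker-0.0.1"
    (bad / "out").mkdir(parents=True)
    (bad / "out" / "win.node").write_bytes(b"\x00placeholder\x00")
    good = base / "example.benign-extension-1.0.0"
    good.mkdir()
    (good / "package.json").write_text("{}")
    return base


if __name__ == "__main__":
    # '--demo' scans the constructed sample tree; no argument scans the real folders.
    roots = [build_sample_tree(Path(tempfile.mkdtemp()))] if "--demo" in sys.argv else None
    hits = scan(roots)
    for h in hits:
        print(f"[!] {h['root']}: {h['extension']} - {h['reason']}")
    sys.exit(1 if hits else 0)
```

Running it with no arguments walks the real folders and exits non-zero when anything matches, which makes it usable from a fleet-wide job. A hit on the extension identifiers is conclusive given the article; a hit on the native-addon names is only a lead, since legitimate extensions can ship .node files, so inspect the extension before acting on it. Where the editor is on PATH, `code --list-extensions` (and the equivalent command of each fork) gives a second view of the installed identifiers to compare against.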
Staying informed about such threats is crucial for maintaining cybersecurity in development environments. Regularly updating software and extensions, alongside vigilant monitoring for suspicious activities, can help mitigate risks posed by campaigns like GlassWorm.
