Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
GlassWorm Campaign Targets Developer IDEs with Zig Dropper

GlassWorm Campaign Targets Developer IDEs with Zig Dropper

Posted on April 10, 2026 By CWS

Cybersecurity experts have identified new tactics in the ongoing GlassWorm campaign, which is utilizing a novel Zig dropper to covertly compromise integrated development environments (IDEs) on developer systems.

Discovery in Open VSX Extension

The campaign’s latest tactic was uncovered within an Open VSX extension known as “specstudio.code-wakatime-activity-tracker.” This extension mimics WakaTime, a widely-used tool for tracking programming time in IDEs. The extension has been removed from download platforms.

Aikido Security researcher Ilyas Makari highlighted that the extension incorporates a Zig-compiled native binary alongside JavaScript code. This approach is not new for GlassWorm, which has previously employed native code in its extensions. However, this binary serves as a stealthy intermediary for the GlassWorm dropper, enabling it to undetectably infect additional IDEs on the machine.

Impacts on Developer Tools

The compromised Microsoft Visual Studio Code (VS Code) extension closely resembles WakaTime, except for modifications in the “activate()” function. Upon installation, it deploys a binary named “win.node” on Windows or “mac.node” on macOS, depending on the operating system.

These Node.js native addons, written in Zig, operate outside the JavaScript environment with full system-level access. Their primary function is to identify all IDEs compatible with VS Code extensions, including Microsoft VS Code, VS Code Insiders, VSCodium, and others, some of which are AI-enhanced coding tools.

Malicious Extension Deployment

Once identified, the binary downloads a malicious VS Code extension (.VSIX) from a GitHub account controlled by attackers. Named “floktokbok.autoimport,” this extension poses as “steoates.autoimport,” a legitimate tool with over 5 million installations.

In the final stage, the .VSIX file is temporarily stored and discreetly installed into every IDE using each editor’s command-line installer. This secondary VS Code extension serves as a dropper, avoiding execution on Russian systems, connecting to the Solana blockchain for command-and-control server information, and exfiltrating sensitive data. It also installs a remote access trojan (RAT) that deploys a data-stealing Google Chrome extension.

Protective Measures and Recommendations

Developers who have installed “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” should assume their systems are compromised and immediately rotate all security credentials.

Staying informed about such threats is crucial for maintaining cybersecurity in development environments. Regularly updating software and extensions, alongside vigilant monitoring for suspicious activities, can help mitigate risks posed by campaigns like GlassWorm.

The Hacker News Tags:Blockchain, Cybersecurity, developer security, GlassWorm, Google Chrome extension, IDE infection, Malware, remote access trojan, VS Code, Zig dropper

Post navigation

Previous Post: Critical Juniper Networks Flaw Exposes Devices to Attacks
Next Post: Juniper Networks Fixes Critical Junos OS Security Flaws

Related Posts

Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks The Hacker News
Enterprise Browsers vs. Secure Browser Extensions Enterprise Browsers vs. Secure Browser Extensions The Hacker News
How Can Retailers Cyber-Prepare for the Most Vulnerable Time of the Year? How Can Retailers Cyber-Prepare for the Most Vulnerable Time of the Year? The Hacker News
Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network The Hacker News
Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer The Hacker News
China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations
  • Palo Alto Networks Fixes Critical Security Flaws
  • Windows Update Installs LG App with McAfee Ads

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark