Cybersecurity researchers have flagged one more evolution of the ongoing GlassWorm marketing campaign, which employs a brand new Zig dropper that is designed to stealthily infect all built-in improvement environments (IDEs) on a developer’s machine.
The method has been found in an Open VSX extension named “specstudio.code-wakatime-activity-tracker,” which masquerades as WakaTime, a well-liked software that measures the time programmers spend inside their IDE. The extension is now not accessible for obtain.
“The extension […] ships a Zig-compiled native binary alongside its JavaScript code,” Aikido Safety researcher Ilyas Makari mentioned in an evaluation printed this week.
“This isn’t the primary time GlassWorm has resorted to utilizing native compiled code in extensions. Nonetheless, fairly than utilizing the binary because the payload straight, it’s used as a stealthy indirection for the recognized GlassWorm dropper, which now secretly infects all different IDEs it could discover in your system.”
The newly recognized Microsoft Visible Studio Code (VS Code) extension is a close to reproduction of WakaTime, save for a change launched in a perform named “activate().” The extension installs a binary named “win.node” on Home windows techniques and “mac.node,” a common Mach-O binary if the system is working Apple macOS.
These Node.js native addons are compiled shared libraries which can be written in Zig and cargo straight into Node’s runtime and execute exterior the JavaScript sandbox with full working system-level entry.
As soon as loaded, the first objective of the binary is to search out each IDE on the system that helps VS Code extensions. This contains Microsoft VS Code and VS Code Insiders, in addition to forks like VSCodium, Positron, and a quantity of synthetic intelligence (AI)-powered coding instruments like Cursor and Windsurf.
The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled GitHub account. The extension – referred to as “floktokbok.autoimport” – impersonates “steoates.autoimport,” a respectable extension with greater than 5 million installs on the official Visible Studio Market.
Within the remaining step, the downloaded .VSIX file is written to a short lived path and silently put in into each IDE utilizing every editor’s CLI installer. The second-stage VS Code extension acts as a dropper that avoids execution on Russian techniques, talks to the Solana blockchain to fetch the command-and-control (C2) server, exfiltrates delicate knowledge, and installs a distant entry trojan (RAT), which finally deploys an information-stealing Google Chrome extension.
Customers who’ve put in “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” are suggested to imagine compromise and rotate all secrets and techniques.
