GlassWorm Campaign Evolves: New Zig Dropper Targets All IDEs on Developer Machines
Cybersecurity researchers have flagged yet another evolution of the ongoing **GlassWorm** campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine.
### Masquerading as WakaTime
The technique was discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masqueraded as WakaTime, a popular tool that measures the time programmers spend inside their IDE. The extension is no longer available for download.
"The extension [...] ships a Zig-compiled native binary alongside its JavaScript code," **Aikido Security** researcher Ilyas Makari said in an analysis published this week.
"This is not the first time **GlassWorm** has resorted to using native compiled code in extensions. However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known **GlassWorm** dropper, which now secretly infects all other IDEs it can find on your system."
### Technical Deep Dive: The Zig Dropper
The newly identified **Microsoft Visual Studio Code** (VS Code) extension is a near replica of WakaTime, save for a change introduced in a function named "activate()." The extension installs a binary named "win.node" on Windows systems and "mac.node," a universal Mach-O binary if the system is running **Apple** macOS.
These Node.js native addons are compiled shared libraries written in Zig. They load directly into Node's runtime and execute outside the JavaScript sandbox, with full operating-system-level access.

### Targeting Multiple IDEs
Once loaded, the primary goal of the binary is to find every IDE on the system that supports VS Code extensions. This includes **Microsoft VS Code** and VS Code Insiders, as well as forks like VSCodium, Positron, and a number of artificial intelligence (AI)-powered coding tools like Cursor and Windsurf.
### Second-Stage Infection: Impersonating Legitimate Extensions
The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled **GitHub** account. The extension, called "floktokbok.autoimport," impersonates "steoates.autoimport," a legitimate extension with more than 5 million installs on the official Visual Studio Marketplace.
In the final step, the downloaded .VSIX file is written to a temporary path and silently installed into every IDE using each editor's CLI installer. The second-stage VS Code extension acts as a dropper that avoids execution on Russian systems, talks to the **Solana** blockchain to fetch the command-and-control (C2) server, exfiltrates sensitive data, and installs a remote access trojan (RAT), which ultimately deploys an information-stealing **Google Chrome** extension.
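A small hunt script for the indicators described above, added here as an example and not part of Aikido's research or tooling: it walks the extension folders of the VS Code-family IDEs the article lists, flags the two extension IDs named in the article, and flags any extension that ships a native `.node` addon, the loading technique the dropper relied on. The per-IDE directory names under the home directory are an assumption, and the extension tree built in `demo()` is constructed.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs the article names as indicators of compromise.
KNOWN_BAD_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}

# Extension roots for the IDEs the article lists (assumed layout, relative to
# the home directory: <root>/<publisher>.<name>-<version>/package.json).
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-insiders/extensions",
                 ".vscode-oss/extensions", ".cursor/extensions",
                 ".windsurf/extensions", ".positron/extensions"]


def scan_extension_roots(roots):
    """Return (ext_id, reason, path) findings for every extension under roots."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            try:
                meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # not a well-formed extension folder
            ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
            if ext_id in KNOWN_BAD_IDS:
                findings.append((ext_id, "known GlassWorm extension id", str(ext_dir)))
            # A .node file is a native addon that runs outside the JS sandbox,
            # the loader technique the dropper used; surface it for review.
            native = sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.node"))
            if native:
                findings.append((ext_id, "ships native addon: " + ", ".join(native), str(ext_dir)))
    return findings


def demo():
    """Scan a constructed extension tree: one lookalike with win.node, one benign."""
    root = Path(tempfile.mkdtemp()) / ".vscode" / "extensions"
    bad = root / "specstudio.code-wakatime-activity-tracker-1.0.0"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "specstudio", "name": "code-wakatime-activity-tracker"}))
    (bad / "win.node").write_bytes(b"MZ")  # constructed stand-in for the addon
    good = root / "example.hello-world-0.0.1"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"publisher": "example", "name": "hello-world"}))
    return scan_extension_roots([root])


if __name__ == "__main__":
    for ext_id, reason, path in scan_extension_roots(Path.home() / r for r in DEFAULT_ROOTS):
        print(f"{ext_id}: {reason} ({path})")
```

Any native addon hit is a review item rather than proof of compromise, since some legitimate extensions bundle native modules; the two named IDs, however, warrant the secret rotation the article recommends.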
### Recommendations
Users who have installed "specstudio.code-wakatime-activity-tracker" or "floktokbok.autoimport" are advised to assume compromise and rotate all secrets.