GlassWorm Uses Zig Dropper in Fake WakaTime Extension

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- GlassWorm employed a new Zig dropper that stealthily infects all IDEs on a developer’s machine, expanding its campaign capabilities.
- specstudio.code-wakatime-activity-tracker extension, masquerading as the popular WakaTime tool, shipped a Zig‑compiled native binary (“win.node” on Windows, “mac.node” on macOS) alongside its JavaScript code.
- The Zig binary loads directly into Node’s runtime, bypasses the JavaScript sandbox, and scans the system for any IDE supporting VS Code extensions, including VS Code, VSCodium, Positron, Cursor, and Windsurf.
- floktokbok.autoimport malicious VS Code extension, impersonating the legitimate “steoates.autoimport” with over 5 million installs, is silently downloaded from an attacker‑controlled GitHub account and installed into every detected IDE via CLI.
- The second‑stage extension avoids execution on Russian systems, contacts the Solana blockchain to retrieve its C2 server, exfiltrates data, installs a RAT, and ultimately deploys an information‑stealing Google Chrome extension.
Why it matters: Developers who installed the fake WakaTime extension now face full OS‑level compromise, giving attackers the ability to harvest code, credentials, and other secrets across all their IDEs, while the silent chain of malicious extensions expands the threat surface of the software development tooling ecosystem.


