Cybersecurity researchers have flagged yet one more evolution of the ongoing GlassWorm marketing campaign, which employs a brand new Zig dropper that is designed to stealthily infect all built-in growth environments (IDEs) on a developer’s machine.
The approach has been found in an Open VSX extension named “specstudio.code-wakatime-activity-tracker,” which masquerades as WakaTime, a well-liked software that measures the time programmers spend inside their IDE. The extension is now not obtainable for obtain.
“The extension […] ships a Zig-compiled native binary alongside its JavaScript code,” Aikido Safety researcher Ilyas Makari stated in an evaluation printed this week.
“This isn’t the primary time GlassWorm has resorted to utilizing native compiled code in extensions. Nonetheless, reasonably than utilizing the binary because the payload instantly, it’s used as a stealthy indirection for the identified GlassWorm dropper, which now secretly infects all different IDEs it may discover in your system.”
The newly recognized Microsoft Visible Studio Code (VS Code) extension is a close to reproduction of WakaTime, save for a change launched in a operate named “activate().” The extension installs a binary named “win.node” on Home windows methods and “mac.node,” a common Mach-O binary if the system is working Apple macOS.
These Node.js native addons are compiled shared libraries which might be written in Zig and cargo instantly into Node’s runtime and execute outdoors the JavaScript sandbox with full working system-level entry.
As soon as loaded, the first purpose of the binary is to search out each IDE on the system that helps VS Code extensions. This contains Microsoft VS Code and VS Code Insiders, in addition to forks like VSCodium, Positron, and a quantity of synthetic intelligence (AI)-powered coding instruments like Cursor and Windsurf.
The binary then downloads a malicious VS Code extension (.VSIX) from an attacker-controlled GitHub account. The extension – known as “floktokbok.autoimport” – impersonates “steoates.autoimport,” a legit extension with greater than 5 million installs on the official Visible Studio Market.
Within the last step, the downloaded .VSIX file is written to a short lived path and silently put in into each IDE utilizing every editor’s CLI installer. The second-stage VS Code extension acts as a dropper that avoids execution on Russian methods, talks to the Solana blockchain to fetch the command-and-control (C2) server, exfiltrates delicate information, and installs a distant entry trojan (RAT), which in the end deploys an information-stealing Google Chrome extension.
Customers who’ve put in “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” are suggested to imagine compromise and rotate all secrets and techniques.
