A persistent and evolving threat actor known as GlassWorm has resurfaced, this time with a significant technical leap: deploying a Zig-compiled native binary within a trojanized OpenVSX extension that silently compromises every VS Code-compatible IDE installed on a developer’s system.
Researchers at Aikido Security, who have been tracking GlassWorm for over a year, disclosed the new campaign on April 10, 2026, warning that the group continues to iterate and sharpen its tradecraft at a concerning pace.
GlassWorm Malware Hijacks
GlassWorm first appeared in March 2025, when Aikido uncovered malicious npm packages that concealed payloads inside invisible Unicode characters, an obfuscation technique designed to evade visual code review.
Since then, the group has steadily expanded its footprint, compromising hundreds of projects across GitHub, npm, and VS Code, and, most recently, delivering a persistent Remote Access Trojan (RAT) via a fake Chrome extension that logs keystrokes and dumps session cookies.
The latest campaign marks what Aikido describes as a “meaningful jump.” Rather than relying solely on JavaScript-based tricks, GlassWorm now bundles Zig-compiled native binaries directly inside a malicious extension, using them as a stealthy indirection layer to deploy the group’s known dropper payload.
The shift to native compiled code significantly reduces the attack’s visibility to standard JavaScript-based security tooling.
Trojanized WakaTime Extension
The attack vector is an OpenVSX extension called code-wakatime-activity-tracker, designed to impersonate WakaTime, the widely used developer time-tracking tool with a large and trusted user base.
On the surface, the malicious extension is nearly indistinguishable from the legitimate one: it registers the same commands, prompts for an API key, and displays the expected status bar icons.
The divergence is buried inside the activate() function. Before any WakaTime logic executes, the extension loads a native binary from a bundled ./bin/ directory and immediately calls install(). On Windows, this binary is win.node, a PE32+ DLL.
On macOS, it is mac.node, a universal Mach-O binary covering both x86_64 and arm64 architectures. Both files are Node.js native addons: compiled shared libraries that load directly into Node’s runtime. Their logic never appears as JavaScript, so it runs with the extension host’s full OS-level access while staying invisible to JavaScript-level code review and scanning.
Both binaries are written in Zig. Notably, the macOS binary was compiled with debug symbols intact, exposing a developer project path, /Users/davidioasd/Downloads/vsx_installer_zig, a potential operational security slip by the threat actor.
Spreading Across the Entire IDE Ecosystem
Once loaded, the binary’s primary task is to enumerate all IDEs installed on the machine that support the VS Code extension format.
This is not a narrowly scoped VS Code attack. On Windows, the binary checks for installations of VS Code, VS Code Insiders, Cursor, Windsurf, VSCodium, and Positron under both %LOCALAPPDATA%\Programs\ and %ProgramFiles%\. The macOS binary performs the same sweep across /Applications/, covering the same editor lineup.
A developer who uses Cursor as their primary editor but has VS Code installed as a secondary tool would find both editors compromised after a single infection.
The attack effectively treats the entire VS Code-compatible ecosystem as a single target surface.
With the IDE list assembled, the binary fetches a malicious .vsix package from a GitHub Releases page under the attacker-controlled repository ColossusQuailPray/oiegjqde.
The downloaded package impersonates steoates.autoimport, a legitimate and widely trusted VS Code extension with millions of installs.
The .vsix is written to a temporary path and silently force-installed into every IDE discovered on the machine using each editor’s own CLI installer. On Windows, this runs through cmd.exe. Once installation completes, the dropper deletes the downloaded file to erase evidence of the activity.
Second-Stage RAT Dropper
The force-installed extension is the same GlassWorm dropper that Aikido has tracked in previous campaigns. It includes geofencing logic that excludes Russian-language systems, a pattern consistent with threat actors operating from, or aligned with, Russia-adjacent infrastructure.
The dropper communicates with a command-and-control (C2) server routed through the Solana blockchain, a technique that makes C2 infrastructure harder to detect and take down. In previous iterations, the dropper was confirmed to perform covert data exfiltration, deploy a persistent RAT, and install a malicious Chrome browser extension.
The use of blockchain-based C2, combined with native compiled payloads and multi-IDE targeting, reflects a deliberate effort by GlassWorm to frustrate both detection and attribution.
Detection and Mitigation
Aikido urges any developer who has installed specstudio/code-wakatime-activity-tracker, or who finds floktokbok.autoimport in any IDE’s extension list, to treat the machine as fully compromised and to rotate every secret, token, and credential the machine may have had access to.
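Both checks above, the two extension ids and the native-addon-in-activate() pattern, can be scripted across every editor the dropper targets. The following is an added example written for this page, not Aikido’s tooling or the malware’s code: it walks the default per-user extension directories of the six editors named in the report (those paths are assumed from each editor’s usual layout, not taken from the disclosure), flags the two known extension ids, any native .node addon bundled under bin/, and an entry point that require()s such an addon. The sample extension tree that demo() scans is constructed for the demonstration.

```python
"""Hunt for GlassWorm-style trojanized extensions in VS Code-compatible IDEs.

Added example for this article; not Aikido's or the malware's code.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Extension ids (publisher.name) named in the disclosure, lower-cased.
IOC_EXTENSION_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Per-user extension roots for the editors the dropper enumerates.
# ASSUMPTION: taken from each editor's usual layout, not from the report.
EXTENSION_ROOTS = [
    "~/.vscode/extensions",           # VS Code
    "~/.vscode-insiders/extensions",  # VS Code Insiders
    "~/.cursor/extensions",           # Cursor
    "~/.windsurf/extensions",         # Windsurf
    "~/.vscode-oss/extensions",       # VSCodium
    "~/.positron/extensions",         # Positron
]

# Loader pattern from the report: the JS entry point requires a compiled
# .node addon shipped in the extension's own bin/ directory.
NATIVE_REQUIRE_RE = re.compile(r"""require\(\s*['"]\.?/?bin/[^'"]+\.node['"]\s*\)""")


def resolve_entry(ext_dir: Path, main: str) -> Optional[Path]:
    """Resolve package.json "main" the way Node does (with or without .js)."""
    for candidate in (ext_dir / main, ext_dir / f"{main}.js"):
        if candidate.is_file():
            return candidate
    return None


def scan_extension_dir(ext_dir: Path) -> list:
    """Return human-readable findings for one installed extension directory."""
    findings = []
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return findings
    try:
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["unreadable package.json"]

    ext_id = f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()
    if ext_id in IOC_EXTENSION_IDS:
        findings.append(f"known GlassWorm extension id: {ext_id}")

    # Compiled addons under bin/ (win.node / mac.node in this campaign).
    bin_dir = ext_dir / "bin"
    if bin_dir.is_dir():
        for addon in sorted(bin_dir.glob("*.node")):
            findings.append(f"bundled native addon: bin/{addon.name}")

    # Entry point that loads such an addon.
    main = pkg.get("main")
    entry = resolve_entry(ext_dir, main) if isinstance(main, str) else None
    if entry is not None and NATIVE_REQUIRE_RE.search(
            entry.read_text(encoding="utf-8", errors="replace")):
        findings.append(f"entry point {entry.name} requires a native ./bin/*.node addon")
    return findings


def scan_roots(roots) -> dict:
    """Scan every extension under each root; keys are extension directory paths."""
    results = {}
    for root in roots:
        root_path = Path(root).expanduser()
        if not root_path.is_dir():
            continue  # that editor is not installed for this user
        for ext_dir in sorted(p for p in root_path.iterdir() if p.is_dir()):
            findings = scan_extension_dir(ext_dir)
            if findings:
                results[str(ext_dir)] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """CONSTRUCTED test data: one trojanized-looking extension and one benign one."""
    bad = root / "floktokbok.autoimport-1.0.0"
    (bad / "bin").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "floktokbok", "name": "autoimport", "main": "./extension"}))
    (bad / "extension.js").write_text(
        "const native = require('./bin/mac.node');\n"
        "function activate(ctx) { native.install(); }\n"
        "module.exports = { activate };\n")
    (bad / "bin" / "mac.node").write_bytes(b"\xcf\xfa\xed\xfe")  # placeholder bytes, not a real addon
    good = root / "ms-python.python-2026.1.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps(
        {"publisher": "ms-python", "name": "python", "main": "./out/client/extension"}))


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, return findings keyed by dir name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        root.mkdir()
        build_sample_tree(root)
        return {Path(k).name: v for k, v in scan_roots([root]).items()}


if __name__ == "__main__":
    for ext, hits in scan_roots(EXTENSION_ROOTS).items():  # the real scan
        print(ext)
        for hit in hits:
            print("  -", hit)
    print("demo:", demo())
```

Run it as-is to scan the current user’s editors; an empty result means none of the six roots contained a matching id, a bundled .node addon, or an entry point that loads one. A bundled native addon is not proof of compromise on its own (some legitimate extensions ship them), so treat that finding as a prompt for manual review, while a hit on either known id is the signal Aikido says should trigger full credential rotation.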
Aikido customers should filter their central feed for malware issues and trigger a manual rescan immediately; the trojanized extension surfaces as a 100/100 critical-severity finding.
For broader team-wide coverage, Aikido’s Endpoint Protection product provides visibility across browser extensions, code libraries, IDE plugins, and build dependencies.
Developers seeking open-source pipeline protection can also deploy Aikido Safe Chain, which intercepts npm, npx, yarn, pnpm, and pnpx commands and checks packages against Aikido Intel before installation.
The GlassWorm campaign is a stark reminder that the software supply chain attack surface now extends deep into developer tooling and that trusted extension marketplaces remain a high-value target.
FAQ
Q: What is GlassWorm? GlassWorm is a persistent threat actor group targeting developers through malicious packages and extensions on npm, GitHub, and VS Code-compatible marketplaces since March 2025.
Q: Which IDEs are affected by this latest campaign? The attack targets VS Code, VS Code Insiders, Cursor, Windsurf, VSCodium, and Positron on both Windows and macOS systems.
Q: How does the malicious extension avoid detection? It loads a Zig-compiled native Node.js addon whose logic is machine code rather than JavaScript, so it runs with the extension host’s full OS-level access while evading JavaScript-based security tooling.
Site: thecybrdef.com