GlassWorm evolves with Zig dropper to infect multiple developer tools

Pierluigi Paganini
April 11, 2026

The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions.

In its latest iteration, threat actors used a malicious OpenVSX extension impersonating WakaTime, bundling a Zig-compiled binary. Instead of acting as the payload, the binary serves as a stealthy dropper that infects multiple IDEs on a system, showing the group’s continuous adaptation.

“This is not the first time GlassWorm resorted to using native compiled code in extensions,” reads the report published by Aikido. “However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your system.”

Because it is native code rather than extension JavaScript, the binary runs outside the JavaScript sandbox with full system access, and it is far harder to inspect than the extension source a reviewer would normally read. The extension loads it on activation, and it silently runs a dropper that scans the machine for other VS Code-family editors, such as VS Code, Cursor, and VSCodium, so that a single installation can reach every compatible IDE on the host.

The dropper then downloads a second extension from GitHub, packaged to look like a legitimate plugin, and installs it into every detected IDE through each editor's own extension-install tooling. Afterward, it removes the installer to cover its tracks. Because the installs go through the editors' normal mechanisms, one malicious extension turns into a cross-IDE compromise, which is what makes the technique effective at infecting developer environments at scale.

The second-stage extension is the known GlassWorm dropper. The researchers noted that it skips Russian systems and communicates with a Solana-based command-and-control channel. The malicious code steals data and installs a persistent RAT, including a malicious Chrome extension.

If either malicious extension is present on a machine, treat that machine as compromised and rotate any credentials, tokens, or keys it could have reached.

“If you installed specstudio/code-wakatime-activity-tracker or see floktokbok.autoimport in any of your IDE extension lists, treat your machine as compromised and rotate any secrets that could have been accessed,” concludes the report.
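Since the dropper spreads across every VS Code-family editor on a host, checking only the editor you installed the WakaTime look-alike in is not enough. The script below is an added example, not code from the Aikido report or from this article: it sweeps the extension directories of VS Code, Cursor and VSCodium for the two extension IDs the report names, and additionally asks each editor's CLI for its own listing where that CLI is on PATH. It assumes the usual per-user layout on Linux and macOS (extension folders named `<publisher>.<name>-<version>` under `~/.vscode/extensions`, `~/.cursor/extensions` and `~/.vscode-oss/extensions`), that the OpenVSX namespace `specstudio/code-wakatime-activity-tracker` corresponds to the extension ID `specstudio.code-wakatime-activity-tracker`, and that the `code`, `cursor` and `codium` CLIs all accept `--list-extensions`; none of these details come from the article.

```shell
#!/bin/sh
# glassworm_check.sh: added example (not code from the Aikido report or this
# article). Looks for the two GlassWorm extension IDs the report names in the
# extension directories of VS Code-family editors, and in each editor's own
# extension listing when its CLI is on PATH.
#
# Assumptions not stated by the article:
#  - installed extensions live in per-extension folders named
#    <publisher>.<name>-<version> under ~/.vscode/extensions (VS Code),
#    ~/.cursor/extensions (Cursor) and ~/.vscode-oss/extensions (VSCodium);
#  - the OpenVSX namespace "specstudio/code-wakatime-activity-tracker" maps to
#    the extension ID "specstudio.code-wakatime-activity-tracker";
#  - the "code", "cursor" and "codium" CLIs all accept --list-extensions.

GLASSWORM_IOCS="specstudio.code-wakatime-activity-tracker floktokbok.autoimport"

# scan_extensions_dir DIR
# Prints "<ioc> <path>" for every extension folder whose name is exactly an
# IOC or an IOC followed by "-<version>". Returns 0 if anything matched,
# 1 otherwise (also 1 when DIR does not exist, so absent editors are skipped).
scan_extensions_dir() {
    dir=$1
    dir_rc=1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # an empty dir leaves the glob unexpanded
        name=$(printf '%s' "${entry##*/}" | tr '[:upper:]' '[:lower:]')
        for ioc in $GLASSWORM_IOCS; do
            case "$name" in
                "$ioc"|"$ioc"-*)
                    printf '%s %s\n' "$ioc" "$entry"
                    dir_rc=0
                    ;;
            esac
        done
    done
    return $dir_rc
}

# scan_cli_listing CLI
# Asks the editor itself (e.g. "code --list-extensions") and prints
# "<ioc> via <cli>" per hit. Returns 0 on a hit, 1 if nothing matched or the
# CLI is not installed.
scan_cli_listing() {
    cli=$1
    cli_rc=1
    command -v "$cli" >/dev/null 2>&1 || return 1
    listing=$("$cli" --list-extensions 2>/dev/null | tr '[:upper:]' '[:lower:]')
    for ioc in $GLASSWORM_IOCS; do
        if printf '%s\n' "$listing" | grep -qxF "$ioc"; then
            printf '%s via %s\n' "$ioc" "$cli"
            cli_rc=0
        fi
    done
    return $cli_rc
}

# scan_host: default sweep over all three editors, directories and CLIs.
# Returns 0 if any IOC was found anywhere, 1 if the host looks clean.
scan_host() {
    host_rc=1
    for d in "$HOME/.vscode/extensions" "$HOME/.cursor/extensions" "$HOME/.vscode-oss/extensions"; do
        scan_extensions_dir "$d" && host_rc=0
    done
    for c in code cursor codium; do
        scan_cli_listing "$c" && host_rc=0
    done
    return $host_rc
}

# When saved and run as glassworm_check.sh: scan the directories given on the
# command line, or the whole host when none are given. Exit 2 on a hit so the
# check can gate an inventory or CI job; the report's advice is then to treat
# the machine as compromised and rotate every secret it could have reached.
case "${0##*/}" in
    glassworm_check.sh)
        if [ $# -gt 0 ]; then
            hit=1
            for d in "$@"; do scan_extensions_dir "$d" && hit=0; done
        else
            scan_host; hit=$?
        fi
        if [ $hit -eq 0 ]; then
            echo "GlassWorm IOC present: treat this host as compromised" >&2
            exit 2
        fi
        echo "no GlassWorm extension IOCs found"
        ;;
esac
```

Matching is anchored on the folder name prefix up to the version separator, so an unrelated extension such as a hypothetical `floktokbok.autoimporter` does not trigger a hit while any version of `floktokbok.autoimport` does. The directory scan works even when the editor CLIs are not on PATH, which is the common case on servers and in CI images; on Windows the same per-user layout sits under the user profile, but this POSIX script is written for Linux and macOS shells.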

Aikido researchers also provided Indicators of Compromise (IoCs) for this campaign.
