Malicious VS Code extension spreads across developer tools in new GlassWorm campaign

Cybersecurity researchers have uncovered a new wave of the ongoing GlassWorm campaign that targets software developers by infecting multiple coding environments on a single machine.

The attack involves an Open VSX extension called “specstudio.code-wakatime-activity-tracker,” disguised as the popular time-tracking tool WakaTime. The extension has since been removed.

According to Aikido researchers, the extension includes a native binary compiled in Zig, bundled with the JavaScript code. The binary deploys the GlassWorm dropper, allowing the malware to spread across all integrated development environments (IDEs) installed on the system.

The fake extension mimics the real WakaTime plugin, with only minor changes to its internal activation function. Once installed, it drops a file named “win.node” on Windows (or “mac.node” on macOS) that bypasses the usual JavaScript protections and gains full access to the operating system.

The binary then scans the system for IDEs that support Visual Studio Code extensions. Targets include Microsoft VS Code, VS Code Insiders, and related tools such as VSCodium, Cursor, and Windsurf.

The malware then downloads a second malicious extension (“floktokbok.autoimport”), disguised as a legitimate plugin, from a GitHub account controlled by the attackers. In its final stage, the malicious extension connects to attacker infrastructure using the Solana blockchain, steals sensitive data, and installs a remote access trojan. It also deploys a malicious Google Chrome extension designed to harvest user information.

Researchers warn that anyone who installed either of the malicious extensions should assume their system has been compromised and rotate all credentials and secrets as soon as possible.
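A quick way to check the IDEs named above for the indicators in this report is to walk each IDE's extension directory, read the manifest, and flag the two extension IDs plus any extension that bundles a native `.node` module (the `win.node`/`mac.node` dropper pattern). The script below is an added triage example, not Aikido's code or anything from the campaign; the extension IDs and file names come from the report, while the per-IDE directory names are assumptions about default install locations.

```python
"""Triage helper for the GlassWorm indicators described above (added example).
Extension IDs and native module names come from the report; the per-IDE
extension directories below are assumed default install paths."""
import json
from pathlib import Path

# Extension IDs named in the report (publisher.name, lowercase as stored on disk).
KNOWN_BAD_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}
# Native module names the report says the fake WakaTime extension drops.
KNOWN_BAD_NATIVE = {"win.node", "mac.node"}
# Default extension directories for the IDEs the report lists (assumption).
IDE_EXTENSION_DIRS = [
    ".vscode/extensions",           # VS Code
    ".vscode-insiders/extensions",  # VS Code Insiders
    ".vscode-oss/extensions",       # VSCodium
    ".cursor/extensions",           # Cursor
    ".windsurf/extensions",         # Windsurf
]

def extension_id(ext_dir: Path):
    """Return publisher.name from package.json, or None if the manifest is unusable."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{meta['publisher']}.{meta['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def scan_extensions_dir(root: Path) -> list[dict]:
    """One finding per extension directory under root that matches an indicator."""
    findings = []
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        # On-disk folders are named publisher.name-version, so fall back to a prefix match.
        ext_id = extension_id(ext_dir) or ext_dir.name.lower()
        native = sorted(p.name for p in ext_dir.rglob("*.node"))
        reasons = []
        if any(ext_id.startswith(bad) for bad in KNOWN_BAD_IDS):
            reasons.append("known malicious extension id")
        if any(n in KNOWN_BAD_NATIVE for n in native):
            reasons.append("bundles win.node/mac.node native module")
        elif native:
            reasons.append("bundles native .node module (review manually)")
        if reasons:
            findings.append({"path": str(ext_dir), "id": ext_id, "native": native, "reasons": reasons})
    return findings

def scan_all_ides(home: Path = Path.home()) -> list[dict]:
    """Scan every assumed IDE extension directory under the given home directory."""
    return [f for d in IDE_EXTENSION_DIRS for f in scan_extensions_dir(home / d)]

if __name__ == "__main__":
    for finding in scan_all_ides():
        print(finding)
```

A hit on either known ID is the "assume compromised, rotate secrets" case from the report; a generic `.node` hit only means the extension ships native code and deserves a manual look, since legitimate extensions do that too.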