GlassWorm Campaign Deploys Zig Dropper via Malicious VS Code Extension, Targeting Developer IDEs
What Happened — Researchers identified a new GlassWorm variant that delivers a Zig‑based dropper through a rogue Open VSX extension (“specstudio.code‑wakatime‑activity‑tracker”) masquerading as the legitimate WakaTime telemetry tool. The dropper silently installs into any integrated development environment (IDE) present on the infected workstation, giving the threat actor a persistent foothold and the ability to download additional payloads.
Why It Matters for TPRM —
- Supply‑chain compromise of a widely‑used developer tool can cascade to downstream software products and services.
- Persistent malware on development machines enables credential theft, code exfiltration, and insertion of back‑doors into proprietary codebases.
- Third‑party extension marketplaces are often under‑monitored, creating blind spots for vendor risk programs.
Who Is Affected — Software development firms, SaaS providers, open‑source project maintainers, and any organization that allows developers to install extensions from public IDE marketplaces.
Recommended Actions —
- Audit all IDE extensions installed across your development fleet; remove any that are not officially vetted.
- Enforce a whitelist policy for approved extensions and require digital‑signature verification before installation.
- Monitor for anomalous network traffic from developer workstations (e.g., outbound connections to unknown C2 domains).
- Update endpoint protection with heuristics for Zig‑based binaries and malicious dropper behavior.
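The first two actions above (fleet-wide extension audit plus a publisher allowlist) can be scripted. This is an added example, not code from the article or from any referenced vendor; it assumes the standard VS Code layout of one directory per extension each holding a package.json, and the approved-publisher list is a hypothetical placeholder for your own vetting process.

```python
# Added example: inventory installed VS Code extensions and flag anything that is
# either the known-bad identifier from the report or outside a publisher allowlist.
import json
import os
import tempfile

# Marketplace identifier is "<publisher>.<name>" taken from each package.json
KNOWN_BAD = {"specstudio.code-wakatime-activity-tracker"}  # identifier from the report
# Hypothetical allowlist of vetted publishers; replace with your approved set
APPROVED_PUBLISHERS = {"wakatime", "ms-python"}

def audit_extensions(ext_root, approved=APPROVED_PUBLISHERS, known_bad=KNOWN_BAD):
    """Walk <ext_root>/*/package.json (layout of ~/.vscode/extensions) and return
    (extension_id, verdict) tuples for every extension that needs action."""
    findings = []
    for entry in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, entry, "package.json")
        if not os.path.isfile(manifest):
            continue
        try:
            with open(manifest, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, json.JSONDecodeError):
            findings.append((entry, "unreadable manifest - review manually"))
            continue
        publisher = str(pkg.get("publisher", "")).lower()
        ext_id = f"{publisher}.{str(pkg.get('name', '')).lower()}"
        if ext_id in known_bad:
            findings.append((ext_id, "KNOWN MALICIOUS - remove and investigate host"))
        elif publisher not in approved:
            findings.append((ext_id, "publisher not on allowlist - review"))
    return findings

def build_sample_fleet():
    """Constructed sample extension directory (not a real capture)."""
    root = tempfile.mkdtemp(prefix="vscode-ext-")
    samples = [
        ("wakatime.vscode-wakatime-24.0.0", {"publisher": "WakaTime", "name": "vscode-wakatime"}),
        ("specstudio.code-wakatime-activity-tracker-1.0.1",
         {"publisher": "specstudio", "name": "code-wakatime-activity-tracker"}),
        ("someone.untested-helper-0.1.0", {"publisher": "someone", "name": "untested-helper"}),
    ]
    for dirname, pkg in samples:
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root

if __name__ == "__main__":
    for ext_id, verdict in audit_extensions(build_sample_fleet()):
        print(f"{ext_id}: {verdict}")
```

Point `audit_extensions` at each developer's real extensions directory (for example `~/.vscode/extensions`) to run the audit against a live workstation instead of the constructed sample.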
Technical Notes — The malicious extension is signed with a valid certificate, evading basic signature checks. It leverages the Zig programming language to compile a small, low‑profile dropper that executes via the IDE’s extension host process. No CVE is directly exploited; the attack relies on trust in the extension ecosystem. Data exfiltrated may include source code, API keys, and developer credentials.
Source: The Hacker News