Full Report
Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a
Analysis Summary
# Tool/Technique: Zig Dropper (GlassWorm Campaign)
## Overview
This tool is a native Node.js addon compiled using the Zig programming language. It is distributed via malicious IDE extensions (specifically for VS Code) and acts as an advanced dropper. Its primary purpose is to move laterally across all installed Integrated Development Environments (IDEs) on a victim's machine to ensure persistent and widespread infection within a developer's workflow.
## Technical Details
- **Type:** Malware (Dropper / Native Node.js Addon)
- **Platform:** Windows (win.node), macOS (mac.node - Universal Mach-O)
- **Capabilities:** Lateral movement across IDEs, downloading secondary payloads, bypassing JavaScript sandboxes, operating system-level access.
- **First Seen:** April 2026 (Detailed in reports as an evolution of the 2025/2026 GlassWorm campaign).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (via Open VSX/Marketplace extensions)
- **TA0003 - Persistence**
- T1546 - Event Triggered Execution (via IDE startup/activation)
- **TA0005 - Defense Evasion**
- T1204.002 - User Execution: Malicious File (impersonating legitimate extensions)
- T1027 - Obfuscated Files or Information (Native compiled code in Zig)
- **TA0007 - Discovery**
- T1518 - Software Discovery (Scanning for VS Code forks and AI IDEs)
- **TA0011 - Command and Control**
- T1584.005 - Compromise Infrastructure: Botnet (Using Solana blockchain for C2 resolution)
## Functionality
### Core Capabilities
- **IDE Proliferation:** Scans the system for all compatible IDEs, including VS Code, VS Code Insiders, VSCodium, Positron, Cursor, and Windsurf.
- **Payload Delivery:** Downloads a second-stage malicious extension (`.VSIX`) from a GitHub repository.
- **Silent Installation:** Uses the Command Line Interface (CLI) installers of discovered editors to silently install the second-stage payload into every environment.
- **Native Execution:** Uses Zig-compiled native binaries (`.node` files) to execute outside the standard Node.js/Electron JavaScript sandbox.
### Advanced Features
- **Blockchain C2 Resolution:** Uses the Solana blockchain as a "dead drop" or resolution mechanism to find the current Command and Control server.
- **Geofencing:** Features a check to prevent execution on systems localized to Russia.
- **Impersonation:** Masquerades as popular legitimate extensions like "WakaTime" and "Auto Import" to deceive developers.
## Indicators of Compromise
- **File Names:**
- `win.node` (Windows payload)
- `mac.node` (macOS payload)
- `specstudio.code-wakatime-activity-tracker` (Initial malicious extension)
- `floktokbok.autoimport` (Second-stage dropped extension)
- **Network Indicators:**
- `github[.]com/ColossusQuailPray` (Payload hosting)
- Solana Blockchain (used for C2 retrieval)
- **Behavioral Indicators:**
- Unexpected calls to IDE CLI tools (e.g., `code --install-extension`) from within an existing extension.
- Large binary files (`.node`) located within an extension's folder that are not part of the official developer's build.
## Associated Threat Actors
- **GlassWorm** (Also known for using Solana-based C2 infrastructure).
## Detection Methods
- **Behavioral Detection:** Monitoring for IDE processes spawning CLI commands to install new extensions, especially when initiated by a sub-process of an existing extension.
- **Static Analysis:** Scanning VS Code extension directories for native `.node` files compiled with Zig that are not attributed to known, verified publishers.
- **Supply Chain Monitoring:** Using tools to verify the integrity and publisher identity of Open VSX and VS Marketplace extensions.
## Mitigation Strategies
- **Extension Vetting:** Only install extensions from verified publishers and cross-reference install counts with official marketplace data.
- **Environment Isolation:** Use dev containers or isolated virtual machines for development to prevent malware from spreading to the host's other IDEs.
- **Credential Rotation:** If compromised, immediately rotate all API keys, SSH keys, and environment secrets stored within the IDE or local environment.
- **CLI Monitoring:** Restrict or monitor the use of IDE "install-extension" commands via EDR solutions.
## Related Tools/Techniques
- **WakaTime:** The legitimate tool being impersonated.
- **Auto Import (steoates.autoimport):** The legitimate extension being spoofed as the second-stage payload.
- **Native Node Addons:** The technique of using compiled C++/Zig/Rust code to escape JavaScript environment limitations.