GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

Researchers have identified a new evolution of GlassWorm that uses a Zig-compiled native dropper, embedded in a malicious Open VSX extension impersonating WakaTime, to stealthily infect multiple IDEs. The dropper installs native Node.js addons, then fetches and silently installs a second-stage extension (floktokbok.autoimport). That extension retrieves C2 information via the Solana blockchain and deploys a RAT and a data-stealing Chrome extension. Users who installed either extension should assume compromise and rotate all secrets.

Key points

  • A malicious Open VSX extension named specstudio.code-wakatime-activity-tracker impersonated WakaTime to reach developers.
  • The extension packaged Zig-compiled native binaries (win.node/mac.node) that execute outside the JavaScript sandbox.
  • The binary searches for IDEs supporting VS Code extensions and downloads a malicious .VSIX (floktokbok.autoimport) from attacker-controlled GitHub.
  • The second-stage extension fetches C2 details from the Solana blockchain, avoids Russian systems, exfiltrates data, and installs a RAT plus a Chrome data-stealer.
  • Anyone who installed specstudio.code-wakatime-activity-tracker or floktokbok.autoimport should assume compromise and rotate all secrets immediately.
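
A defender-side check for the two extension IDs listed above, as an added example that is not from the original article: it walks IDE extension directories and reports matching folders plus any win.node/mac.node files inside them. The directory list and the function names are assumptions; only the extension IDs and addon file names come from this page.

```python
import json
from pathlib import Path

# Extension IDs and native addon file names named on this page.
BAD_IDS = ("specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport")
NATIVE_NAMES = {"win.node", "mac.node"}
# Assumption: common per-user extension directories; add your IDEs' paths.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-oss", ".cursor", ".windsurf")]


def matched_id(ext_dir):
    """Return the flagged ID this extension folder corresponds to, or None."""
    # Folders are normally named publisher.name-version.
    folder = ext_dir.name.lower()
    for bad in BAD_IDS:
        if folder == bad or folder.startswith(bad + "-"):
            return bad
    # Fall back to the manifest in case the folder was renamed.
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        ext_id = f"{meta['publisher']}.{meta['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None
    return ext_id if ext_id in BAD_IDS else None


def scan(roots=DEFAULT_ROOTS):
    """Return one finding per installed extension that matches BAD_IDS."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id = matched_id(ext_dir)
            if ext_id is None:
                continue
            natives = sorted(p.relative_to(ext_dir).as_posix()
                             for p in ext_dir.rglob("*.node")
                             if p.name.lower() in NATIVE_NAMES)
            findings.append({"id": ext_id, "path": str(ext_dir), "native": natives})
    return findings


if __name__ == "__main__":
    for hit in scan():
        print(f"FOUND {hit['id']} at {hit['path']} native addons: {hit['native']}")
```

An empty result covers only the directories scanned.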

Read More: https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html