~/home/news/glassworm-zig-dropper-hijacks-2026-04-12
newsSunday, April 12, 20268 min read👁 39 views

GlassWorm’s Zig Dropper Hijacks Developer IDEs via Malicious npm Packages

Researchers uncovered a new GlassWorm variant that uses a Zig-compiled dropper hidden in a fake WakaTime VS Code extension. The dropper infects all IDEs on a developer workstation, steals credentials and pivots into production environments.

MalwareSupply ChainIDE SecurityZig

Overview/Introduction

The GlassWorm threat-actor group, known for targeting development environments, has released a sophisticated supply-chain attack that leverages a Zig-compiled native dropper embedded in a counterfeit Visual Studio Code (VS Code) extension. The malicious extension, published under the name specstudio.code-wakatime-activity-tracker, masquerades as the popular time-tracking tool WakaTime. Once installed, the dropper silently infiltrates every IDE capable of loading VS Code extensions-including VS Code, VS Code Insiders, VSCodium, Positron, and AI-assisted editors such as Cursor and Windsurf-before delivering a second-stage payload that exfiltrates credentials, installs a remote-access trojan (RAT), and even drops a malicious Chrome extension.

This campaign is notable for three reasons: the use of Zig, a relatively new systems programming language, to compile the native binary; the exploitation of compromised npm packages as an initial infection vector; and the strategic focus on developer workstations as a foothold for lateral movement into production systems.

Technical Details

The attack chain can be broken down into the following components:

  • Initial delivery via npm: Threat actors compromised several low-profile npm packages that are commonly added as dev-dependencies. These packages contain a post-install script that pulls the malicious VS Code extension from the attacker-controlled GitHub repository.
  • Fake WakaTime extension: The extension specstudio.code-wakatime-activity-tracker mirrors the legitimate WakaTime UI and functionality. In its activate() function the extension extracts a platform-specific native addon-win.node for Windows or mac.node for macOS-bundled alongside the JavaScript payload.
  • Zig-compiled native addon: The .node files are compiled shared libraries written in Zig. When loaded by Node.js, they run outside the JavaScript sandbox with full OS privileges. The binary enumerates installed IDEs by scanning common extension directories (e.g., %USERPROFILE%\.vscode\extensions, ~/.vscode-extensions).
  • Second-stage VSIX download: After locating the target IDEs, the binary contacts an attacker-controlled GitHub account and downloads a malicious VSIX package named floktokbok.autoimport. This package impersonates the legitimate steoates.autoimport extension, which boasts over five million installs on the official VS Marketplace.
  • Silent installation: The binary writes the VSIX to a temporary location and invokes each IDE’s CLI installer (e.g., code --install-extension) to silently add the malicious extension to every detected editor.
  • Command-and-Control via Solana: The second-stage extension contains logic to query the Solana blockchain for a C2 address, effectively using a decentralized, hard-to-block channel.
  • Payload actions: Once active, the extension:
    • Collects stored credentials from Git, SSH keys, and cloud provider CLI configs.
    • Exfiltrates the data to the Solana-derived C2 endpoint.
    • Downloads and executes a RAT that opens a reverse shell for the attacker.
    • Installs a malicious Chrome extension that harvests browsing data and injects adware.
  • Geofencing: The dropper includes a check to abort execution on systems with a Russian locale, likely to avoid attracting law-enforcement attention.

CVE information: At the time of writing, no CVE identifier has been assigned to this specific dropper. Researchers have opened a ticket with MITRE to obtain a CVE-2026-XXXX designation for the vulnerable extension distribution mechanism.

Impact Analysis

The primary victims are developers and DevOps engineers who install VS Code extensions from unverified sources or rely on npm packages without integrity verification. The impact spans:

  • Credential theft: Exfiltration of GitHub, GitLab, Bitbucket tokens, AWS/Azure/GCP access keys, and SSH private keys can give attackers immediate access to code repositories and cloud resources.
  • Lateral movement: With stolen credentials, adversaries can pivot from a developer workstation into CI/CD pipelines, production servers, and internal services.
  • Persistence: The RAT and malicious Chrome extension provide long-term footholds that survive IDE reinstalls, as they embed themselves in user profiles and startup scripts.
  • Supply-chain damage: Compromised npm packages spread the infection to any project that lists them as dependencies, magnifying the attack surface across organizations.

Given the high value of the stolen assets and the potential for rapid escalation, the overall severity of this campaign is classified as high.

Timeline of Events

  • April 2, 2026: Initial malicious npm packages published to the public registry.
  • April 4, 2026: First reports of the fake WakaTime extension observed on GitHub issue trackers.
  • April 5, 2026: Aikido Security researcher Ilyas Makari publishes a preliminary analysis of the Zig dropper.
  • April 7, 2026: The extension is removed from the Open VSX marketplace after community reports.
  • April 9, 2026: Additional compromised npm packages identified, expanding the infection vector.
  • April 10, 2026: Full technical brief released by The Hacker News, highlighting the Solana C2 mechanism.
  • April 12, 2026: This blog post published to inform the broader security community.

Mitigation/Recommendations

  • Remove the malicious extension immediately: Run code --uninstall-extension specstudio.code-wakatime-activity-tracker and code --uninstall-extension floktokbok.autoimport on all affected machines.
  • Delete native binaries: Search for win.node and mac.node in user profile directories and delete them.
  • Audit npm dependencies: Use tools like npm audit, pnpm audit, or third-party SCA solutions to identify and replace compromised packages.
  • Enable extension whitelisting: Configure VS Code’s extensions.autoCheckUpdates and extensions.ignoreRecommendations policies, and enforce a corporate-approved list of extensions via Group Policy or MDM.
  • Monitor network traffic for Solana nodes: Block outbound connections to known Solana RPC endpoints unless explicitly required.
  • Rotate compromised credentials: Assume all stored Git tokens, cloud keys, and SSH keys are compromised; revoke and regenerate them.
  • Implement endpoint detection and response (EDR): Deploy EDR solutions capable of detecting the loading of unsigned native Node.js addons and suspicious VSIX installations.
  • Educate developers: Conduct security awareness training focused on supply-chain hygiene, signed extensions, and the risks of installing unsigned npm packages.

Real-World Impact

Enterprises that rely heavily on remote development environments or allow developers to install extensions without oversight are especially vulnerable. A single compromised workstation can lead to:

  • Unauthorized pushes of malicious code into production repositories.
  • Creation of rogue CI/CD pipelines that exfiltrate build artifacts.
  • Deployment of backdoors into cloud workloads, potentially affecting millions of end-users.

Early adopters of AI-assisted coding tools are also at risk, as the dropper specifically targets extensions used by these platforms, potentially compromising the very AI models that assist developers.

Expert Opinion

GlassWorm’s pivot to Zig is a clear signal that threat actors are embracing newer, less-scrutinized toolchains to evade traditional detection. Zig’s ability to produce small, statically linked binaries without the typical Windows PE signatures makes it attractive for stealthy payloads. Coupled with a supply-chain vector that leverages the ubiquitous npm ecosystem, the campaign raises the bar for “low-effort” developer-focused attacks.

From an industry perspective, this incident underscores the urgent need for:

  • Stricter vetting of IDE extensions, perhaps via a “signed-extension” model similar to mobile app stores.
  • Supply-chain security standards for open-source package registries, including automated provenance verification.
  • Enhanced visibility into native addon loading within Node.js runtimes, something most existing security tools overlook.

Organizations that treat developer workstations as low-risk assets are likely to see a surge in breaches as attackers continue to weaponize the development pipeline. Proactive measures, combined with continuous monitoring, are essential to mitigate the evolving GlassWorm threat.