GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.

Aikido Security

Aikido Security has uncovered a new GlassWorm campaign using a fake WakaTime extension on OpenVSX that bundles a Zig-compiled native Node.js addon. Once loaded, the binary silently scans the developer's machine for all VS Code-compatible IDEs (VS Code, Cursor, Windsurf, VSCodium, Positron) and force-installs a malicious .vsix impersonating the popular autoimport extension into each one. The second-stage implant is the known GlassWorm dropper: it geofences Russian systems, uses a Solana blockchain-based C2, exfiltrates data, and installs a persistent RAT including a malicious Chrome extension. IOCs including file hashes and network indicators are provided.

GlassWorm goes native: New Zig dropper infects every IDE on your machine

Every IDE = VSCode and forks
Clickbait title

So “every” IDE is just VS Code !?
It doesn’t infect, “real” Visual Studio or IntelliJ !?