Aikido Security has uncovered a new GlassWorm campaign using a fake WakaTime extension on OpenVSX that bundles a Zig-compiled native Node.js addon. Once loaded, the binary silently scans the developer's machine for all VS Code-compatible IDEs (VS Code, Cursor, Windsurf, VSCodium, Positron) and force-installs a malicious .vsix impersonating the popular autoimport extension into each one. The second-stage implant is the known GlassWorm dropper: it geofences Russian systems, uses a Solana blockchain-based C2, exfiltrates data, and installs a persistent RAT including a malicious Chrome extension. IOCs including file hashes and network indicators are provided.
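The infection path described above (one trojanized extension that walks every VS Code-compatible IDE on the host and plants a second .vsix in each) suggests a simple hunt: inventory the extension folders of all of those IDEs at once and flag entries whose on-disk identity disagrees with their manifest or that bundle a native Node.js addon. The script below is an added example written for this page, not Aikido's tooling; the per-IDE extension paths and the sample extensions it builds in a temporary directory are assumptions and constructed data.

```python
import json
import tempfile
from pathlib import Path

# Assumed extension roots per IDE, relative to the home directory (example
# values; confirm against each IDE's documentation before relying on them).
IDE_EXTENSION_DIRS = {
    "VS Code": ".vscode/extensions",
    "Cursor": ".cursor/extensions",
    "Windsurf": ".windsurf/extensions",
    "VSCodium": ".vscode-oss/extensions",
    "Positron": ".positron/extensions",
}


def inspect_extension(ext_dir: Path) -> list:
    """Return the reasons an installed extension folder looks suspicious (empty if none)."""
    reasons = []
    manifest = ext_dir / "package.json"
    try:
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["package.json missing or unreadable"]

    # Installed folders are normally named <publisher>.<name>-<version>;
    # a manifest whose identity differs from the folder name is a red flag.
    expected = f"{pkg.get('publisher', '')}.{pkg.get('name', '')}-".lower()
    if not ext_dir.name.lower().startswith(expected):
        reasons.append(
            f"folder {ext_dir.name!r} does not match manifest identity "
            f"{pkg.get('publisher')!r}.{pkg.get('name')!r}"
        )

    # Native Node.js addons (.node files) are uncommon in IDE extensions and were
    # the delivery vehicle in the campaign above; some legitimate extensions do
    # ship them, so treat a hit as a triage lead rather than proof.
    native = sorted(p.relative_to(ext_dir).as_posix() for p in ext_dir.rglob("*.node"))
    if native:
        reasons.append("bundles native addon(s): " + ", ".join(native))
    return reasons


def scan_home(home: Path) -> dict:
    """Scan every known IDE extension root under `home`; returns {ide: [findings]}."""
    results = {}
    for ide, rel in IDE_EXTENSION_DIRS.items():
        root = home / rel
        if not root.is_dir():
            continue  # IDE not installed (or installed under a different path)
        findings = []
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            reasons = inspect_extension(ext_dir)
            if reasons:
                findings.append({"extension": ext_dir.name, "reasons": reasons})
        results[ide] = findings
    return results


def build_demo_home() -> Path:
    """Constructed sample layout: one clean extension, one that mimics the campaign."""
    home = Path(tempfile.mkdtemp(prefix="ide-hunt-"))
    clean = home / ".vscode/extensions/example-publisher.example-ext-1.0.0"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(
        json.dumps({"publisher": "example-publisher", "name": "example-ext"})
    )
    # The folder claims to be an "autoimport" extension, the manifest says
    # otherwise, and a native addon is bundled under build/Release.
    bad = home / ".cursor/extensions/example-publisher.autoimport-1.0.0"
    (bad / "build/Release").mkdir(parents=True)
    (bad / "package.json").write_text(
        json.dumps({"publisher": "someone-else", "name": "autoimport"})
    )
    (bad / "build/Release/addon.node").write_bytes(b"\x7fELF constructed placeholder")
    return home


if __name__ == "__main__":
    # Run against the constructed layout; pass Path.home() to scan a real machine.
    for ide, findings in scan_home(build_demo_home()).items():
        print(f"{ide}: {len(findings)} suspicious extension(s)")
        for f in findings:
            print(f"  {f['extension']}")
            for r in f["reasons"]:
                print(f"    - {r}")
```

Run against a real workstation by calling `scan_home(Path.home())`; because the dropper targets every IDE it can find, a hit in one IDE's folder is a cue to review the same extension name across all of the others, and the second-stage package should be compared against the genuine autoimport extension's publisher rather than trusted on its display name.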

From aikido.dev (4 min read)

Table of contents:
- The dropper: a trojanized extension
- Infecting every IDE on the machine
- The Second-Stage Extension
- IOCs