
Cybersecurity researchers have warned of a further evolution of the ongoing GlassWorm campaign: a new Zig-compiled dropper designed to covertly infect every integrated development environment (IDE) on a developer's machine.
The technique was discovered in an Open VSX extension named “specstudio.code-wakatime-activity-tracker” that impersonates WakaTime, a popular tool that measures the time programmers spend inside IDEs. The extension is no longer available for download.
“Extension […] ships Zig-compiled native binaries along with JavaScript code,” Aikido security researcher Ilyas Makari said in an analysis published this week.
“This is not the first time GlassWorm has resorted to using native compiled code in an extension. However, rather than using the binary directly as a payload, it is used as a stealth indirection of the known GlassWorm dropper, which secretly infects all other IDEs it can detect on the system.”
The newly identified Microsoft Visual Studio Code (VS Code) extension is a near-replica of WakaTime, except for changes to its “activate()” function, the entry point the editor calls when it loads the extension. The extension ships a binary named “win.node” for Windows systems and a universal Mach-O binary named “mac.node” for Apple macOS.
These Node.js native add-ons are shared libraries compiled from Zig. They are loaded directly into the editor's Node.js runtime and run outside the JavaScript sandbox, with the same full operating-system access as the editor process itself.

The loaded binary's main job is to enumerate every IDE on the host that supports VS Code extensions. This includes Microsoft VS Code and VS Code Insiders, forks such as VSCodium and Positron, and a number of artificial intelligence (AI)-powered coding tools such as Cursor and Windsurf.
The binary then downloads a malicious VS Code extension package (.VSIX) from an attacker-controlled GitHub account. The package, “floktokbok.autoimport”, masquerades as the legitimate extension “steoates.autoimport”, which has more than 5 million installs on the official Visual Studio Marketplace.
In the final step, the downloaded .VSIX file is written to a temporary path and installed silently into every detected IDE through each editor's command-line installer. The second-stage extension is itself a dropper: it avoids executing on Russian systems, contacts the Solana blockchain to obtain its command-and-control (C2) server address, exfiltrates sensitive data, installs a remote access trojan (RAT), and finally deploys an information-stealing Google Chrome extension.
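A host check for the chain described above, added here as an example and not code from Aikido, from the GlassWorm analysis, or from any of the editors named: it walks the per-user extension directories of the IDEs the dropper targets, reads each extension's package.json to recover its publisher.name ID, flags the two IDs named in this article, and also flags any extension that ships a Node native add-on (*.node), the vehicle this campaign used. The directory paths are assumptions based on each editor's conventional default, not taken from the report, and the sample extension tree the scan runs against in demo_scan() is constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs (publisher.name) named in the Aikido report.
KNOWN_BAD_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Per-user extension directories for the editors the report lists.
# These paths are assumptions (conventional defaults), not taken from
# the report; adjust if an editor was started with --extensions-dir.
DEFAULT_EXTENSION_ROOTS = [
    "~/.vscode/extensions",            # VS Code
    "~/.vscode-insiders/extensions",   # VS Code Insiders
    "~/.vscode-oss/extensions",        # VSCodium
    "~/.positron/extensions",          # Positron
    "~/.cursor/extensions",            # Cursor
    "~/.windsurf/extensions",          # Windsurf
]


def extension_id(ext_dir: Path):
    """Return 'publisher.name' (lower-cased) from package.json, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name = data.get("publisher"), data.get("name")
    if not publisher or not name:
        return None
    return f"{publisher}.{name}".lower()


def native_addons(ext_dir: Path):
    """Relative paths of Node native add-ons (*.node) shipped in the extension."""
    return sorted(p.relative_to(ext_dir).as_posix() for p in ext_dir.rglob("*.node"))


def scan_roots(roots):
    """Walk each extension root and return a list of findings.

    An extension is reported if its ID is a known GlassWorm ID, or if it
    ships a native add-on. The second is a triage signal only: legitimate
    extensions ship .node files too, so inspect before drawing conclusions.
    """
    findings = []
    for root in roots:
        root = Path(root).expanduser()
        if not root.is_dir():
            continue
        for ext_dir in sorted(root.iterdir()):
            if not ext_dir.is_dir():
                continue
            ext_id = extension_id(ext_dir)
            if ext_id is None:
                continue
            reasons = []
            if ext_id in KNOWN_BAD_IDS:
                reasons.append("known GlassWorm extension ID")
            addons = native_addons(ext_dir)
            if addons:
                reasons.append("ships native add-on(s): " + ", ".join(addons))
            if reasons:
                findings.append({"id": ext_id, "path": str(ext_dir), "reasons": reasons})
    return findings


def build_sample_root(base: Path):
    """Constructed fixture, not real data: one extension root holding three
    extension folders in the <publisher>.<name>-<version> layout VS Code uses."""
    root = base / "extensions"
    specs = [
        ("specstudio", "code-wakatime-activity-tracker", ["win.node"]),
        ("steoates", "autoimport", []),
        ("somepub", "native-helper", ["build/Release/helper.node"]),
    ]
    for publisher, name, addons in specs:
        ext_dir = root / f"{publisher}.{name}-1.0.0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name}), encoding="utf-8")
        for rel in addons:
            (ext_dir / rel).parent.mkdir(parents=True, exist_ok=True)
            (ext_dir / rel).write_bytes(b"\x00")  # placeholder, not a real binary
    return root


def demo_scan():
    """Run the scanner over the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_roots([build_sample_root(Path(tmp))])


if __name__ == "__main__":
    for f in scan_roots(DEFAULT_EXTENSION_ROOTS):
        print(f"[!] {f['id']} at {f['path']}: " + "; ".join(f["reasons"]))
```

Run as a script, it scans the real roots on the current host. Because the dropper installs the second stage through each editor's own CLI installer, a hit in one editor's directory is a reason to check every other editor's directory on the same machine, including any configured with a non-default extensions directory. The native add-on flag is a starting point for manual review, not a verdict.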
Users who have installed “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” should treat the machine as potentially compromised and rotate all secrets. Because the dropper installs the second stage into every IDE it finds, the malicious extension must be removed from each editor on the host, not only from the one it was first installed in.
