Find notable cyber news and cases, enriched with sources, timelines, and signals.

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The GlassWorm malware set now uses a Zig dropper that can silently infect all VS Code-based IDEs on a developer's machine, widening the reach of the compromise. The payload is delivered through a malicious extension chain that can add a second-stage VSIX and move beyond the initial editor. That follow-on activity can exfiltrate sensitive data, install a RAT, and plant an information-stealing Chrome extension. Users of the flagged extensions are told to assume compromise and rotate secrets.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity
H score34 First: 09.06.2026 12:13 Last: 09.06.2026 12:13 Sources 1

About this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...

SEO-poisoned GitHub facade campaign targeting enterprise admin tools

Campaign
H score39 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
H score23 First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score45 First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

Timeline

  1. 10.04.2026 16:23 2 articles · 3mo ago

    GlassWorm Zig dropper disclosed inside fake WakaTime extension

    Initial Disclosure

    Researchers identified a new GlassWorm variant hidden in the Open VSX extension specstudio.code-wakatime-activity-tracker, which masquerades as WakaTime and ships Zig-compiled win.node and mac.node binaries. The binary searches for VS Code-based editors including Microsoft VS Code, VS Code Insiders, VSCodium, Positron, Cursor, and Windsurf, then downloads floktokbok.autoimport from an attacker-controlled GitHub account and silently installs it across those IDEs; the second-stage extension impersonates steoates.autoimport, avoids Russian systems, pulls command-and-control data from the Solana blockchain, exfiltrates sensitive data, deploys a RAT, and installs a malicious Google Chrome extension. Users who installed either extension are advised to assume compromise and rotate secrets.

    Show sources