GlassWorm Zig dropper infecting developer IDEs
Malware Activity
Summary
Hide ▲
Show ▼
The GlassWorm malware set now uses a Zig dropper that can silently infect all VS Code-based IDEs on a developer's machine, widening the reach of the compromise. The payload is delivered through a malicious extension chain that can add a second-stage VSIX and move beyond the initial editor. That follow-on activity can exfiltrate sensitive data, install a RAT, and plant an information-stealing Chrome extension. Users of the flagged extensions are told to assume compromise and rotate secrets.
Related Happenings
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
H score39
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
CampaignAbout this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
GlassWorm OpenVSX sleeper extension campaign
Campaign
H score45
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
Timeline
-
10.04.2026 16:23 2 articles · 3mo ago
GlassWorm Zig dropper disclosed inside fake WakaTime extension
Initial DisclosureResearchers identified a new GlassWorm variant hidden in the Open VSX extension specstudio.code-wakatime-activity-tracker, which masquerades as WakaTime and ships Zig-compiled win.node and mac.node binaries. The binary searches for VS Code-based editors including Microsoft VS Code, VS Code Insiders, VSCodium, Positron, Cursor, and Windsurf, then downloads floktokbok.autoimport from an attacker-controlled GitHub account and silently installs it across those IDEs; the second-stage extension impersonates steoates.autoimport, avoids Russian systems, pulls command-and-control data from the Solana blockchain, exfiltrates sensitive data, deploys a RAT, and installs a malicious Google Chrome extension. Users who installed either extension are advised to assume compromise and rotate secrets.
Show sources
- GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs — thehackernews.com — 10.04.2026 16:23
- GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs — thehackernews.com — 10.04.2026 16:23