GlassWorm Zig dropper infecting developer IDEs
Malware Activity
Summary
The GlassWorm malware family now uses a Zig-compiled dropper that can silently infect every VS Code-based IDE on a developer's machine, widening the reach of a single compromised install. The payload arrives through a malicious extension chain: the first extension drops a second-stage VSIX and installs it beyond the editor it was originally added to. That second stage can exfiltrate sensitive data, install a RAT, and plant an information-stealing Chrome extension. Users of the flagged extensions are told to assume compromise and rotate secrets.
Related Happenings
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
GlassWorm OpenVSX sleeper extension campaign
Campaign
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Snow malware suite deployment by UNC6692
Malware Activity
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Timeline
10.04.2026 16:23 2 articles · 1mo ago
GlassWorm Zig dropper disclosed inside fake WakaTime extension
Initial Disclosure
Researchers identified a new GlassWorm variant hidden in the Open VSX extension specstudio.code-wakatime-activity-tracker, which masquerades as WakaTime and ships Zig-compiled win.node and mac.node binaries. The binary searches for VS Code-based editors including Microsoft VS Code, VS Code Insiders, VSCodium, Positron, Cursor, and Windsurf, then downloads floktokbok.autoimport from an attacker-controlled GitHub account and silently installs it across those IDEs. The second-stage extension impersonates steoates.autoimport, avoids Russian systems, pulls command-and-control data from the Solana blockchain, exfiltrates sensitive data, deploys a RAT, and installs a malicious Google Chrome extension. Users who installed either extension are advised to assume compromise and rotate secrets.
- GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs — thehackernews.com — 10.04.2026 16:23
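A defender-side check for the indicators in this disclosure, added here as an example; it is not code from the article or from any vendor tooling. It lists the extension folders of the six editors named above and reports any folder whose extension id matches the two flagged ids (specstudio.code-wakatime-activity-tracker and floktokbok.autoimport) or which carries a win.node or mac.node binary. A genuine install of steoates.autoimport is not flagged, since that is the legitimate extension being impersonated; the clone is recognisable by its publisher. The per-editor extension paths and the publisher.name-version folder naming convention are assumptions to confirm against your own installs.

```python
"""Check VS Code-family extension folders for the GlassWorm indicators named in the disclosure.

Added defender example; not code from the article. Paths and naming conventions are assumptions.
"""
import re
from pathlib import Path

# Extension ids (publisher.name) named in the disclosure. steoates.autoimport is the
# legitimate extension being impersonated, so a genuine copy of it is not a finding;
# the malicious clone is published under the floktokbok publisher.
FLAGGED_EXTENSION_IDS = frozenset({
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
})

# Native binaries the dropper shipped. Legitimate extensions also ship .node modules,
# so only these exact file names are treated as a signal worth reviewing.
SUSPICIOUS_NATIVE_FILES = frozenset({"win.node", "mac.node"})

# Extension folders for the editors the dropper targets. These are the usual
# per-user locations (an assumption; confirm against your own installs).
EDITOR_EXTENSION_DIRS = {
    "VS Code": "~/.vscode/extensions",
    "VS Code Insiders": "~/.vscode-insiders/extensions",
    "VSCodium": "~/.vscode-oss/extensions",
    "Positron": "~/.positron/extensions",
    "Cursor": "~/.cursor/extensions",
    "Windsurf": "~/.windsurf/extensions",
}

# Installed extensions live in folders named publisher.name-version (assumed convention);
# the version is the part after the last '-' that is followed by a digit, which keeps
# hyphenated extension names and pre-release suffixes such as -beta intact.
_FOLDER_RE = re.compile(r"^(?P<ident>.+)-(?P<version>\d[\w.+-]*)$")


def extension_id_from_folder(folder_name: str) -> str:
    """Return the lower-cased publisher.name part of an extension folder name."""
    name = folder_name.lower()  # extension ids are case-insensitive
    match = _FOLDER_RE.match(name)
    return match.group("ident") if match else name


def flag_extension_folders(folder_names, flagged_ids=FLAGGED_EXTENSION_IDS):
    """Return the folder names whose extension id is in the flagged set, in input order."""
    return [n for n in folder_names if extension_id_from_folder(n) in flagged_ids]


def native_dropper_files(extension_dir: Path):
    """Return files inside one extension folder whose name matches the dropper binaries."""
    # rglob walks node_modules too; acceptable for a one-off scan of extension folders.
    return sorted(p for p in extension_dir.rglob("*.node")
                  if p.is_file() and p.name.lower() in SUSPICIOUS_NATIVE_FILES)


def scan_editor_extensions(editor_dirs=EDITOR_EXTENSION_DIRS):
    """Scan every configured editor; return (editor, folder, reason) tuples for review."""
    findings = []
    for editor, raw_path in editor_dirs.items():
        root = Path(raw_path).expanduser()
        if not root.is_dir():
            continue  # this editor is not installed for the current user
        folders = sorted(p for p in root.iterdir() if p.is_dir())
        flagged = set(flag_extension_folders([p.name for p in folders]))
        for folder in folders:
            if folder.name in flagged:
                findings.append((editor, folder.name, "flagged extension id"))
            for binary in native_dropper_files(folder):
                findings.append((editor, folder.name, f"dropper-style binary {binary.name}"))
    return findings


if __name__ == "__main__":
    results = scan_editor_extensions()
    if not results:
        print("no flagged extensions or dropper-style binaries found")
    for editor, folder, reason in results:
        print(f"{editor}: {folder} ({reason})")
```

A hit on the flagged ids means the machine should be treated as compromised per the disclosure above (rotate secrets, review the other editors and the browser's extension list), not merely cleaned by deleting the folder; a win.node or mac.node hit in an unrelated extension is a prompt to inspect that extension, since the name alone is a heuristic.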