
Cybersecurity threats are evolving faster than ever, and developers are now the latest targets. Researchers have uncovered a dangerous new strain of the notorious GlassWorm malware, which is cleverly disguised as a routine IDE extension but can silently compromise multiple coding environments across both Windows and macOS systems. The attack highlights the growing sophistication of cybercriminals and the rising risks for programmers who rely on third-party tools.
How the New GlassWorm Campaign Works
The latest iteration of GlassWorm is being delivered through a malicious Open VSX extension named “specstudio.code-wakatime-activity-tracker.” At first glance, it appears identical to WakaTime, a legitimate tool used by developers to track coding hours. However, this version hides a Zig-compiled native binary alongside JavaScript code, giving it the ability to bypass traditional security measures.
Security analyst Ilyas Makari from Aikido Security explained that the binary doesn’t act as the primary payload. Instead, it serves as a stealthy intermediary, executing the known GlassWorm dropper that targets all IDEs installed on the system. The malicious extension installs win.node on Windows and mac.node on macOS, both of which are compiled Node.js native libraries capable of operating outside the usual JavaScript sandbox.
Once activated, the binary scans the system for IDEs compatible with VS Code extensions, including VS Code, VS Code Insiders, VSCodium, Positron, and AI-based editors like Cursor and Windsurf. After identifying targets, it downloads another malicious VS Code extension called “floktokbok.autoimport,” which impersonates a legitimate extension with millions of installs. This extension is silently installed across all detected IDEs.
The second-stage extension serves multiple malicious purposes. It avoids Russian systems, connects to the Solana blockchain to retrieve the command-and-control server, exfiltrates sensitive data, and installs a remote access trojan (RAT). This RAT can further deploy an information-stealing Chrome extension, putting passwords, cookies, and other private data at risk.
Developers who installed either of these extensions are advised to assume their systems are compromised and rotate all secrets immediately.
What Undercode Says: Deep Analysis of the Threat
Hidden Threats in Developer Tools
The attack highlights a worrying trend: malware targeting development environments. Developers often trust third-party extensions without scrutinizing their internal workings. GlassWorm exploits this trust, using legitimate-looking software to infiltrate systems at scale.
Multi-Layered Malware Strategy
Unlike typical attacks that rely on a single payload, GlassWorm uses a two-stage system. First, the Zig binary acts as a silent conduit, then the secondary VSIX extension executes more advanced operations. This layered approach ensures maximum stealth and resilience against conventional detection methods.
Exploiting Node.js Native Addons
By using Node.js native addons, the malware can bypass JavaScript sandbox restrictions and gain full OS-level access. This is a significant escalation from earlier attacks, demonstrating that GlassWorm can manipulate system-level processes without raising immediate alarms.
Targeting Multiple IDEs and AI Tools
The
Blockchain-Based Command-and-Control
The use of the Solana blockchain for C2 communications is particularly clever. It allows attackers to maintain decentralized, difficult-to-trace command channels, making mitigation and attribution more challenging for cybersecurity teams.
Global Implications for Developers
Developers globally must reassess the security hygiene of their tools, especially extensions from third-party marketplaces. Organizations may need stricter policies and automated verification systems to prevent similar attacks.
The Rise of Impersonation Attacks
By mimicking widely used extensions like WakaTime or AutoImport, attackers exploit user familiarity to avoid suspicion. This technique underscores the importance of verifying extension authorship and source integrity.
Risk to Sensitive Data
The cascading nature of the attack—from IDE infection to RAT installation to Chrome extension deployment—makes it a serious threat to personal and organizational data. Credentials, API keys, and intellectual property can all be at risk.
Lessons for Cybersecurity Practices
Routine auditing of installed extensions, sandboxing development environments, and network monitoring for unusual C2 activity are now essential practices for developers to counter these advanced threats.
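As an added illustration of that routine auditing (this is not code from the report, from Aikido Security or from the affected projects), the Python script below walks the per-user extension directories of the VS Code-compatible editors named above, flags the two extension ids the report identifies, and flags any extension bundling a native addon with one of the file names the report describes. The directory locations are assumed default paths and should be adjusted for the machine being checked.

```python
import json
from pathlib import Path

# Extension ids (publisher.name) named in the report.
KNOWN_BAD_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}
# Native addon file names the report says the loader installs.
SUSPICIOUS_NATIVE_FILES = {"win.node", "mac.node"}
# Per-user extension directories of the VS Code-compatible editors the report
# lists. These are assumed default locations; adjust them for your machine.
EXTENSION_DIRS = [
    "~/.vscode/extensions",
    "~/.vscode-insiders/extensions",
    "~/.vscode-oss/extensions",  # VSCodium
    "~/.positron/extensions",
    "~/.cursor/extensions",
    "~/.windsurf/extensions",
]

def extension_id(ext_dir: Path):
    """Return 'publisher.name' from the extension's package.json, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{data['publisher']}.{data['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def audit_extension_dir(root) -> list:
    """Inspect every extension folder under one root and return findings."""
    findings = []
    root = Path(root).expanduser()
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir)
        # A bundled .node file is only a signal (many legitimate extensions ship
        # native addons), so match just the file names the report describes.
        native = sorted({f.name for f in ext_dir.rglob("*.node")
                         if f.name.lower() in SUSPICIOUS_NATIVE_FILES})
        if ext_id in KNOWN_BAD_IDS:
            findings.append({"path": str(ext_dir), "id": ext_id,
                             "reason": "known malicious id"})
        elif native:
            findings.append({"path": str(ext_dir), "id": ext_id,
                             "reason": "bundles native addon: " + ", ".join(native)})
    return findings

def audit_all(dirs=EXTENSION_DIRS) -> list:
    """Audit every configured extension root; an empty list means no hits."""
    return [hit for d in dirs for hit in audit_extension_dir(d)]
```

A non-empty result from audit_all() is the trigger for the advice given earlier in the article: treat the machine as compromised and rotate all secrets.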
Potential for Future Attacks
GlassWorm demonstrates a blueprint for future IDE-targeted malware, particularly as AI-assisted development becomes more prevalent. Vigilance, combined with proactive defense strategies, will be crucial to prevent widespread exploitation.
🔍 Fact Checker Results
GlassWorm targets multiple IDEs, including VS Code and AI-powered editors ✅
The Solana blockchain is used for command-and-control communications ✅
The malicious extensions were removed from official repositories, preventing new downloads ✅
📊 Prediction
The evolution of GlassWorm indicates a rising trend of IDE-focused malware, likely to target AI-assisted coding environments more aggressively. Developers may soon face more sophisticated threats combining native binaries, blockchain-based C2, and extension impersonation, requiring industry-wide improvements in extension verification, monitoring, and incident response. Organizations that adopt preemptive security measures for their development ecosystems will be best positioned to mitigate these emerging risks.
References:
Reported By: thehackernews.com