Malicious VS Code Extension Infects Multiple Developer IDEs in New GlassWorm Campaign
A stealthy Zig-based dropper spreads across development environments, turning IDEs into attack entry points
A new evolution of the GlassWorm campaign highlights a growing risk in developer environments. Attackers are now using malicious extensions to compromise not just one tool—but every IDE installed on a system.
At the center of this campaign is a fake extension named “specstudio.code-wakatime-activity-tracker,” which impersonates the popular time-tracking tool WakaTime.
How the Attack Starts
The attack begins with a seemingly legitimate extension.
Developers install what appears to be a productivity plugin. However, behind the scenes, the extension contains a Zig-compiled native binary.
Unlike typical extensions, this binary:
- Runs outside the JavaScript sandbox
- Gains full operating system access
- Executes stealthily without raising immediate alerts
As a result, attackers bypass traditional extension security boundaries.
The Real Danger: Cross-IDE Infection
Once executed, the malware does something unusual.
Instead of targeting a single IDE, it:
- Scans the system for all compatible development environments
- Identifies tools like Visual Studio Code, VSCodium, Cursor, Windsurf, and others
- Prepares to infect each one
Therefore, a single installation can compromise an entire development ecosystem.
Multi-Stage Infection Chain
The attack follows a structured multi-stage process.
First, the malicious extension deploys the Zig binary. Then, the binary downloads a second-stage malicious extension from an attacker-controlled repository.
Next, the malware silently installs this payload across all detected IDEs. Finally, the second-stage extension executes additional malicious actions.
Because this process happens automatically, developers may remain unaware of the compromise.
What the Malware Does Next
The second-stage payload significantly increases the threat level.
It:
- Communicates with command-and-control servers via blockchain (Solana)
- Exfiltrates sensitive data
- Deploys a remote access trojan (RAT)
- Installs a malicious browser extension targeting Google Chrome
Additionally, the malware avoids execution in specific regions, which helps it evade analysis and detection.
Why This Attack Is Critical
This campaign introduces a dangerous shift in attack strategy.
Instead of targeting infrastructure directly, attackers now target:
- Developer environments
- Software supply chains
- Trusted tools and extensions
Because developers often have access to:
- Source code
- API keys
- Cloud credentials
A successful compromise can lead to large-scale downstream attacks.
What Developers and Organizations Should Do
Immediate action is critical if these extensions are detected.
- Remove malicious extensions immediately
- Rotate all credentials and API keys
- Audit development environments
- Monitor for unusual IDE behavior
- Restrict extension installations to trusted sources
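One way to act on the audit step is a script that walks every IDE's extension directory, flags the reported extension ID, and lists any extension that bundles a native executable. This is an added example, not code from the report or from any vendor; the per-IDE extension paths, the package.json layout and the sample tree it builds are assumptions.

```python
import json, tempfile
from pathlib import Path

# Extension ID from the report; the IDE extension roots are assumed Linux/macOS paths.
MALICIOUS_IDS = {"specstudio.code-wakatime-activity-tracker"}
EXTENSION_ROOTS = [Path.home() / p for p in (".vscode/extensions",
    ".vscode-oss/extensions", ".cursor/extensions", ".windsurf/extensions")]
# Leading bytes of ELF, PE, 64-bit Mach-O and universal Mach-O executables
NATIVE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def extension_id(ext_dir):
    """Return publisher.name from the extension's package.json, or None."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text())
        return f"{meta['publisher']}.{meta['name']}".lower()
    except (OSError, ValueError, KeyError):
        return None

def native_binaries(ext_dir):
    """Yield files with native-executable magic bytes (legit .node addons match too)."""
    for f in (p for p in ext_dir.rglob("*") if p.is_file()):
        try:
            with f.open("rb") as fh:
                if fh.read(4).startswith(NATIVE_MAGIC):
                    yield f
        except OSError:
            continue

def audit_extension_roots(roots):
    """Return (extension dir, id, reason) tuples for every root that exists."""
    findings = []
    for root in (r for r in roots if r.is_dir()):
        for ext_dir in (d for d in root.iterdir() if d.is_dir()):
            ext_id = extension_id(ext_dir)
            if ext_id in MALICIOUS_IDS:
                findings.append((str(ext_dir), ext_id, "known-malicious-id"))
            for b in native_binaries(ext_dir):
                findings.append((str(ext_dir), ext_id, f"native-binary:{b.name}"))
    return findings

def demo_findings():
    """Audit a constructed sample tree (not a real sample): one benign extension, one fake dropper."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    bad = root / "specstudio.code-wakatime-activity-tracker-0.0.1"
    for d, pub, name in ((root / "goodpub.theme-1.0.0", "goodpub", "theme"),
                         (bad, "specstudio", "code-wakatime-activity-tracker")):
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
    (bad / "tracker").write_bytes(b"\x7fELF" + bytes(12))  # fake ELF header, constructed
    return audit_extension_roots([root])
```

Run `audit_extension_roots(EXTENSION_ROOTS)` on a workstation to get live findings; a native-binary hit is a prompt to review the extension, not a verdict on its own.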
In addition, organizations should implement stricter controls around developer tooling.
Strategic Takeaway
This campaign proves that modern attackers are shifting focus.
They are no longer just targeting production systems—they are targeting the tools used to build them.
Because in today’s threat landscape, compromising a developer’s environment means compromising everything they create.