Hackers News Hackers News
Critical GlassWorm Malware Spreads Via Trojanized VS Code Extensions

Emy Elsamnoudy
April 10, 2026

Key Takeaways

  • A malicious extension on the OpenVSX marketplace, disguised as a WakaTime productivity tool, is distributing the GlassWorm malware.
  • The malware employs Zig-compiled native binaries to infect multiple developer environments simultaneously, including VS Code, Cursor, and Windsurf.
  • GlassWorm establishes a persistent Remote Access Trojan (RAT), exfiltrates data, and installs a malicious Chrome extension, while avoiding Russian systems.
  • Developers should immediately check for and remove the compromised extensions and treat infected machines as fully compromised, rotating all credentials.

A sophisticated supply chain attack is leveraging a trojanized developer extension, hosted on the OpenVSX marketplace, to silently deploy the persistent GlassWorm malware across various code editors on a developer’s system. This malicious package, masquerading as a legitimate productivity tool, utilizes compiled native binaries to infect VS Code, Cursor, Windsurf, and other compatible environments in a single, multi-faceted operation.

GlassWorm is not a novel threat; it first emerged in March 2025, initially observed embedding malicious payloads within invisible Unicode characters in npm packages. Over the past year, the campaign has expanded its reach, impacting hundreds of projects across GitHub, npm, and VS Code. Prior to this latest method, its most notable tactic involved deploying a persistent Remote Access Trojan (RAT) via a fraudulent Chrome extension designed to log keystrokes and pilfer session cookies from unsuspecting victims.

Security analysts at Aikido, who have been tracking the GlassWorm campaign for over a year, identified this new infection vector in April 2026. The attack was discovered embedded within an OpenVSX extension named code-wakatime-activity-tracker, published under the specstudio account. Superficially, this malicious extension closely mimics the authentic WakaTime productivity tool, presenting identical command options, API key prompts, and familiar status bar icons to deceive developers.

Technical Modus Operandi

What distinguishes this particular attack from earlier GlassWorm iterations is its innovative use of Zig-compiled native binaries. For Windows systems, the extension includes a file named win.node, identified as a PE32+ DLL. macOS users are targeted with mac.node, a universal Mach-O binary compatible with both Intel and Apple Silicon architectures. A .node file is a native Node.js add-on: once the extension host require()s it, the binary runs in-process with the editor's full user privileges rather than as interpreted JavaScript, which is how these payloads operate with full system access and bypass the typical sandbox protections an extension would otherwise face.

The infection’s reach extends beyond a single editor. Once the native binary executes, it systematically scans the compromised machine for all IDEs that support VS Code’s extension format. This includes, but is not limited to, VS Code, VS Code Insiders, Cursor, Windsurf, VSCodium, and Positron. A malicious extension is then covertly installed into each detected environment. This means a developer using Cursor alongside a VS Code installation would find both development environments silently compromised without any visible alerts.

How the Multi-IDE Infection Works

The infection sequence begins immediately upon the installation of code-wakatime-activity-tracker. The extension’s activate() function, which is normally responsible for initializing the legitimate WakaTime tool, has been subtly altered by the attackers. Before any genuine WakaTime code can execute, this function loads either win.node or mac.node from the extension’s bundled ./bin/ directory and promptly invokes its install() method. This single call initiates the entire subsequent infection chain.

The native binary then establishes contact with a GitHub Releases page under the control of the attacker to download a malicious .vsix file, named autoimport-2.7.9. This package is crafted to resemble steoates.autoimport, a widely used VS Code extension that millions of developers rely on. Upon successful download, the file is surreptitiously force-installed into every IDE discovered on the machine, leveraging each editor’s own command-line installer. Following the completion of the installation, the downloaded .vsix file is deleted to erase forensic traces.

This second-stage extension is the same GlassWorm dropper that Aikido has meticulously analyzed throughout the campaign’s history. It exhibits a deliberate evasion mechanism, refraining from execution on machines configured with Russian system settings, suggesting a specific targeting strategy by its authors. Once activated, the malware communicates with a command-and-control server that operates via the Solana blockchain, significantly complicating efforts by security teams to block or monitor its activities. Subsequently, the malware covertly exfiltrates data from the infected machine and installs a persistent Remote Access Trojan (RAT), alongside a malicious Chrome extension, further entrenching its presence.

What You Should Do

  • Immediately inspect the extension lists within all your IDEs for specstudio/code-wakatime-activity-tracker and floktokbok.autoimport.
  • If either of these extensions is present in any installed editor, consider the machine fully compromised.
  • Rotate all credentials, API keys, and stored secrets accessible from the compromised development environment without delay.
  • Thoroughly review any code repositories connected to the affected machine for signs of tampering, as the attacker had full system access during the infection window.
  • Consider isolating the compromised machine from your network until a full forensic investigation and remediation can be performed.
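The first two items above amount to an inventory of every VS Code-compatible editor's extension directory. The script below is an added example (not Aikido's tooling and not part of the original article) that walks the user-extension directories of the editors named in the article, reads each extension's package.json to recover its publisher.name identifier, and flags the two identifiers the article reports (specstudio.code-wakatime-activity-tracker and floktokbok.autoimport) as well as any extension that bundles a win.node or mac.node native add-on. The extension paths are the editors' documented defaults except the Positron path, which is an assumption; the native-add-on check is a triage heuristic, since some legitimate extensions also ship .node files.

```python
"""Hunt for the GlassWorm extension indicators described in the article
across the extension directories of every VS Code-compatible editor.
Added example; not the article's or Aikido's own tooling."""
import json
from pathlib import Path

# Extension identifiers (publisher.name, lower-case) reported in the article.
KNOWN_BAD_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Per-user extension directories. All are the editors' documented defaults
# except Positron, whose path is an assumption for this example.
EDITOR_EXT_DIRS = {
    "VS Code": "~/.vscode/extensions",
    "VS Code Insiders": "~/.vscode-insiders/extensions",
    "VSCodium": "~/.vscode-oss/extensions",
    "Cursor": "~/.cursor/extensions",
    "Windsurf": "~/.windsurf/extensions",
    "Positron": "~/.positron/extensions",  # assumption
}

# Native add-on file names the article attributes to the first stage.
NATIVE_ADDON_NAMES = {"win.node", "mac.node"}


def default_extension_dirs():
    """Expand the per-editor paths for the current user."""
    return {editor: Path(p).expanduser() for editor, p in EDITOR_EXT_DIRS.items()}


def extension_id(ext_dir):
    """Return 'publisher.name' from an extension's package.json, or None."""
    manifest = Path(ext_dir) / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return None
    publisher, name = data.get("publisher"), data.get("name")
    if not publisher or not name:
        return None
    return f"{publisher}.{name}".lower()


def native_addons(ext_dir):
    """List every bundled native Node add-on (*.node) under the extension."""
    ext_dir = Path(ext_dir)
    return sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.node"))


def scan_extension_dirs(dirs):
    """dirs: mapping editor name -> extensions directory.

    Returns one finding dict per suspicious extension, with the editor,
    the extension id, its on-disk path and the reason it was flagged."""
    findings = []
    for editor, root in dirs.items():
        root = Path(root)
        if not root.is_dir():
            continue  # editor not installed for this user
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id = extension_id(ext_dir)
            if ext_id is None:
                continue
            addons = native_addons(ext_dir)
            if ext_id in KNOWN_BAD_IDS:
                reason = "known GlassWorm extension id"
            elif any(Path(a).name in NATIVE_ADDON_NAMES for a in addons):
                reason = "bundles win.node/mac.node native add-on (heuristic)"
            else:
                continue
            findings.append({"editor": editor, "id": ext_id,
                             "path": str(ext_dir), "reason": reason,
                             "native_addons": addons})
    return findings


if __name__ == "__main__":
    hits = scan_extension_dirs(default_extension_dirs())
    if not hits:
        print("no GlassWorm indicators found in any editor extension directory")
    for hit in hits:
        print(f"[{hit['editor']}] {hit['id']} at {hit['path']}: {hit['reason']}")
```

The same inventory can be cross-checked from each editor's own CLI (for example `code --list-extensions --show-versions`, and the equivalent `cursor`, `windsurf` or `codium` binaries), which is the same installer interface the article says the dropper abuses with `--install-extension`. Any hit means the machine should be treated as fully compromised per the guidance above, not merely cleaned by uninstalling the extension.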
