About GlassWorm campaign
Cybersecurity experts have discovered another incident of the ongoing GlassWorm campaign, which uses a new Zig dropper that’s built to secretly compromise all integrated development environments (IDEs) on a developer’s system.
The tactic was found in an Open VSX extension called “specstudio.code-wakatime-activity-tracker”, which disguised as WakaTime, a famous tool that calculates the time programmes spend with the IDE. The extension can not be downloaded now.
Attack tactic
In previous attacks, GlassWorm used the same native compiled code in extensions. Instead of using the binary as the payload directly, it is deployed as a covert indirection for the visible GlassWorm dropper. It can secretly compromise all other IDEs that may be present in your device.
The recently discovered Microsoft Visual Studio Code (VS Code) extension is a replica (almost).
The extension installs a universal Mach-O binary called “mac.node,” if the system is running Apple macOS, and a binary called “win.node” for Windows computers.
Execution
These Zig-written compiled shared libraries that load straight into Node’s runtime and run outside of the JavaScript sandbox with complete operating system-level access are Node.js native addons.
Finding every IDE on the system that supports VS Code extensions is the binary’s main objective once it has been loaded. This includes forks like VSCodium, Positron, and other AI-powered coding tools like Cursor and Windsurf, in addition to Microsoft VS Code and VS Code Insiders.
Malicious code installation
Once this is achieved, the binary installs an infected VS Code extension (.VSIX) from a hacker-owned GitHub account. The extension, known as “floktokbok.autoimport”, imitates “steoates.autoimport”, an authentic extension with over 5 million downloads on the office Visual Studio Marketplace.
After that, the installed .VSIX file is written to a secondary path and secretly deployed into each IDE via editor’s CLI installer.
In the second-stage, VS Code extension works as a dropper that escapes deployment on Russian devices, interacts with the Solana blockchain, gets personal data, and deploys a remote access trojan (RAT). In the final stage, RAT installs a data-stealing Google Chrome extension.
“The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump,” cybersecurity firm aikido reported.
Read the original article: