好的,我现在需要帮用户总结这篇文章的内容,控制在100字以内。首先,我得通读整篇文章,抓住主要信息。 文章讲的是GlassWorm恶意软件的新动向。他们用Zig编译的二进制文件作为dropper,隐藏在假冒的IDE扩展里。这个二进制文件运行在JavaScript沙盒之外,拥有完整的系统权限。它会扫描系统中的多个IDE,比如VS Code、Cursor和VSCodium,并下载假的扩展安装到这些IDE中,之后删除安装痕迹。 这种攻击方式让GlassWorm能够跨多个开发工具传播,最终下载他们的恶意扩展,窃取数据并安装远程控制木马。文章还提到如果发现恶意扩展,应该立即处理系统为被入侵状态,并更换泄露的凭证。 总结的时候要涵盖攻击手段、技术细节、影响范围以及应对措施。确保不超过100字,同时表达清晰。 </think> GlassWorm恶意软件通过假冒IDE扩展隐藏Zig编译的二进制dropper感染开发者工具,跨平台传播并部署远程控制木马窃取数据。 2026-4-11 16:27:2 Author: securityaffairs.com(查看原文) 阅读量:21 收藏
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign uses a Zig-based dropper hidden in a fake IDE extension to infect developer tools and compromise systems.
The GlassWorm campaign, active since 2025, has evolved from malicious npm packages to large-scale supply chain attacks across GitHub, npm, and VS Code, even deploying RATs via fake browser extensions.
In its latest iteration, threat actors used a malicious OpenVSX extension impersonating WakaTime, bundling a Zig-compiled binary. Instead of acting as the payload, the binary serves as a stealthy dropper that infects multiple IDEs on a system, showing the group’s continuous adaptation.
“This is not the first time GlassWorm resorted to using native compiled code in extensions.” reads the report published by Aikido. “However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your system.”
The binary runs outside the JavaScript sandbox with full system access. It is loaded during activation and silently executes a dropper that scans the machine for IDEs like VS Code, Cursor, and VSCodium, targeting the entire ecosystem.
The malware then downloads a fake extension from GitHub, disguised as a legitimate plugin, and installs it across all detected IDEs using their own tools. Afterward, it deletes traces of the installer. This technique enables stealthy, cross-IDE compromise, making it highly effective in infecting developer environments at scale.
The second-stage extension is the known GlassWorm dropper. The experts noted that it avoids Russian systems and communicates with a Solana-based C2. The malicious code steals data and installs a persistent RAT, including a malicious Chrome extension.
If you find the malicious extensions installed, treat the system as compromised and rotate any exposed credentials.
“If you installed specstudio/code-wakatime-activity-tracker or see floktokbok.autoimport in any of your IDE extension lists, treat your machine as compromised and rotate any secrets that could have been accessed.” concludes the report.
Aikido researchers also provided Indicators of Compromise (IoCs) for this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
如有侵权请联系:admin#unsafe.sh