New GlassWorm Dropper Written in Zig Targets Developer Workstations via Malicious VSX Extension

GlassWorm Campaign Evolves, Uses Zig-Based Dropper to Infect All Developer IDEs

HIGH
April 11, 2026
April 29, 2026
5m read
MalwareSupply Chain AttackThreat Actor

Related Entities(initial)

Threat Actors

GlassWorm

Products & Tech

Integrated Development Environments (IDEs)Open VSXWakaTimeZig

MITRE ATT&CK Techniques

T1082Discovery

System Information Discovery

T1137Persistence

Office Application Startup

T1195.001Initial Access

Compromise Software Dependencies and Directories

T1195.002Impact

Compromise Software Supply Chain

T1547.001Persistence

Registry Run Keys / Startup Folder

Full Report(when first published)

Executive Summary

Cybersecurity researchers have identified a significant evolution in the GlassWorm campaign, a persistent threat targeting software developers. The campaign's operators have deployed a new dropper, notable for being written in the emerging Zig programming language, likely to evade signature-based detection. The malware was found distributed via a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker, which impersonates a legitimate productivity tool. The dropper's primary, and highly concerning, function is to enumerate and infect all Integrated Development Environments (IDEs) on a developer's workstation. This provides the attackers with a powerful and persistent foothold directly within the code creation process, representing a severe threat to the software supply chain.

Threat Overview

What Happened: The GlassWorm campaign is using a trojanized Visual Studio Code extension available on the Open VSX marketplace to trick developers into installing malware.

Attack Vector:

  • Distribution: A malicious extension named specstudio.code-wakatime-activity-tracker that mimics the popular WakaTime tool.
  • Payload: The extension contains a dropper written in the Zig programming language.
  • Action: Upon execution, the dropper scans the developer's machine for all installed IDEs (e.g., Visual Studio Code, JetBrains IDEs, Eclipse) and infects them.

Threat Actor: The activity is attributed to the operators of the GlassWorm campaign, a group known for targeting developers.

Impact: By compromising the IDE itself, the attackers can:

  • Steal source code and intellectual property.
  • Inject malicious code into legitimate software projects during the build process (T1195.002 - Compromise Software Supply Chain).
  • Steal credentials, API keys, and other secrets stored or used within the IDE.
  • Maintain long-term, stealthy persistence on a high-value target's machine.

Technical Analysis

The use of the Zig programming language is a notable feature of this campaign. As a newer, less common language, it may be used to bypass security tools that have poor support for analyzing Zig binaries. It also indicates a technically proficient adversary keeping up with modern development trends.

Tactics, Techniques, and Procedures (TTPs)

  1. Initial Access (T1195.001 - Compromise Software Dependencies and Directories): The attack begins with the developer installing the malicious Open VSX extension, a form of software dependency compromise.
  2. Defense Evasion (T1140 - Deobfuscate/Decode Files or Information): The dropper is likely packed or obfuscated within the extension's code.
  3. Discovery (T1082 - System Information Discovery): The dropper must scan the file system and registry to find the installation paths of all other IDEs on the system.
  4. Persistence & Defense Evasion (T1137 - Office Application Startup): While the technique name is specific to Office, the concept is identical. By infecting the IDEs' configuration files or plugins, the malware ensures it is executed every time the developer starts their work environment. This is a form of 'IDE Application Startup' persistence.

The choice to target all IDEs on a machine is a sign of a thorough and determined attacker. They are not just compromising one tool, but the developer's entire toolchain to ensure persistence even if one IDE is cleaned or uninstalled.

Impact Assessment

The impact of compromising a developer's primary workspace is catastrophic for software supply chain security. A single compromised developer at a major software vendor, open-source project, or corporation can become a patient zero, unknowingly shipping malicious code to thousands or millions of downstream users. The business impact includes direct financial loss from theft of intellectual property, costs of responding to the incident, reputational damage, and potential liability for distributing compromised software. This attack vector is highly efficient for espionage and sabotage, making it a favored technique for advanced threat actors.

Detection & Response

Detection:

  • Extension Auditing: Security teams should audit the IDE extensions used by developers. Scrutinize extensions from non-official marketplaces or less-known publishers. (D3FEND Technique: D3-SFA: System File Analysis)
  • Endpoint Monitoring (EDR): An EDR solution can detect the dropper's behavior, such as a VS Code process writing to the configuration files of a JetBrains IDE. This cross-application modification is highly anomalous and a strong indicator of compromise. (D3FEND Technique: D3-PA: Process Analysis)
  • Network Monitoring: Monitor for unexpected outbound connections from IDE processes. A compromised IDE might try to connect to a C2 server.

Response:

  1. Isolate Machine: Immediately disconnect the compromised developer's machine from the network.
  2. Full Re-image: Due to the deep level of persistence, the only safe response is to completely wipe and re-image the machine. Do not attempt to simply 'clean' the IDEs.
  3. Credential Rotation: Rotate all credentials the developer has access to, including code repository access, cloud keys, and database passwords.
  4. Code Audit: Conduct an emergency audit of all code committed by the developer since the suspected time of compromise.

Mitigation

  1. Restrict Extensions: Implement a corporate policy that only allows the installation of approved and vetted IDE extensions from official marketplaces. Use features within IDEs to enforce this policy. (MITRE Mitigation: M1033 - Limit Software Installation)
  2. Developer Security Training: Train developers on the risks of third-party extensions and how to spot fakes (e.g., checking publisher reputation, number of downloads, reviews). (MITRE Mitigation: M1017 - User Training)
  3. Application Sandboxing: Where possible, run IDEs in a sandboxed or virtualized environment to limit their ability to access and modify other parts of the system.
  4. Principle of Least Privilege: Ensure developer accounts do not have administrative privileges on their workstations. This can prevent a malicious extension from being able to write to system-wide directories or infect other users' applications.

Timeline of Events

1
April 11, 2026
This article was published

Article Updates

April 29, 2026

Severity increased

New wave of 73 'sleeper' VS Code extensions from GlassWorm campaign identified, using delayed payload fetching for increased evasion.

The GlassWorm campaign has launched a new wave involving 73 malicious 'sleeper' extensions on the Open VSX marketplace. Unlike previous iterations, these extensions initially appear benign, remaining dormant to evade detection. They are now engineered as thin loaders with the capability to fetch and execute secondary malicious payloads at a later date. This tactical shift makes the malware more evasive and resilient, as the primary malicious logic is not present upon initial installation, posing a severe threat to developers and the software supply chain. This evolution makes detection harder and allows attackers to change payloads dynamically.

Update Sources:
darkreading.comFresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain

Sources & References(when first published)

Cybersecurity News - Western Illinois University
wiu.eduApril 10, 2026
Top 5 Cybersecurity News Stories April 10, 2026
diesec.comApril 10, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

DeveloperGlassWormIDEMalwareOpen VSXSupply Chain AttackZig

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.