[{"data":1,"prerenderedAt":127},["ShallowReactive",2],{"article-slug-glassworm-campaign-deploys-new-zig-dropper-to-infect-developer-ides":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":44,"mitre_techniques":45,"mitre_mitigations":65,"d3fend_countermeasures":79,"iocs":92,"cyber_observables":97,"tags":114,"extract_datetime":117,"article_type":118,"impact_scope":119,"pub_date":125,"reading_time_minutes":126,"createdAt":117,"updatedAt":117},"3d888e46-d47c-475f-8e31-78a7a9942684","glassworm-campaign-deploys-new-zig-dropper-to-infect-developer-ides","GlassWorm Campaign Evolves, Uses Zig-Based Dropper to Infect All Developer IDEs","New GlassWorm Dropper Written in Zig Targets Developer Workstations via Malicious VSX Extension","The ongoing GlassWorm cyber-espionage campaign has adopted a new, sophisticated tool: a dropper written in the Zig programming language. This new malware component was discovered hidden within a malicious Open VSX extension masquerading as a legitimate WakaTime activity tracker. The dropper's primary function is to stealthily infect all Integrated Development Environments (IDEs) installed on a compromised developer's machine. This technique allows the attackers to achieve deep, persistent access to the developer's workflow, posing a significant software supply chain risk by enabling the potential injection of malicious code into any project the developer touches.","## Executive Summary\n\nCybersecurity researchers have identified a significant evolution in the **GlassWorm** campaign, a persistent threat targeting software developers. The campaign's operators have deployed a new dropper, notable for being written in the emerging **Zig** programming language, likely to evade signature-based detection. The malware was found distributed via a malicious Open VSX extension named `specstudio.code-wakatime-activity-tracker`, which impersonates a legitimate productivity tool. The dropper's primary, and highly concerning, function is to enumerate and infect all Integrated Development Environments (IDEs) on a developer's workstation. This provides the attackers with a powerful and persistent foothold directly within the code creation process, representing a severe threat to the software supply chain.\n\n---\n\n## Threat Overview\n\n**What Happened:** The GlassWorm campaign is using a trojanized Visual Studio Code extension available on the Open VSX marketplace to trick developers into installing malware.\n\n**Attack Vector:**\n- **Distribution:** A malicious extension named `specstudio.code-wakatime-activity-tracker` that mimics the popular `WakaTime` tool.\n- **Payload:** The extension contains a dropper written in the Zig programming language.\n- **Action:** Upon execution, the dropper scans the developer's machine for all installed IDEs (e.g., Visual Studio Code, JetBrains IDEs, Eclipse) and infects them.\n\n**Threat Actor:** The activity is attributed to the operators of the **GlassWorm** campaign, a group known for targeting developers.\n\n**Impact:** By compromising the IDE itself, the attackers can:\n- Steal source code and intellectual property.\n- Inject malicious code into legitimate software projects during the build process (**[`T1195.002 - Compromise Software Supply Chain`](https://attack.mitre.org/techniques/T1195/002/)**).\n- Steal credentials, API keys, and other secrets stored or used within the IDE.\n- Maintain long-term, stealthy persistence on a high-value target's machine.\n\n---\n\n## Technical Analysis\n\nThe use of the Zig programming language is a notable feature of this campaign. As a newer, less common language, it may be used to bypass security tools that have poor support for analyzing Zig binaries. It also indicates a technically proficient adversary keeping up with modern development trends.\n\n### Tactics, Techniques, and Procedures (TTPs)\n\n1.  **Initial Access ([`T1195.001 - Compromise Software Dependencies and Directories`](https://attack.mitre.org/techniques/T1195/001/)):** The attack begins with the developer installing the malicious Open VSX extension, a form of software dependency compromise.\n2.  **Defense Evasion ([`T1140 - Deobfuscate/Decode Files or Information`](https://attack.mitre.org/techniques/T1140/)):** The dropper is likely packed or obfuscated within the extension's code.\n3.  **Discovery ([`T1082 - System Information Discovery`](https://attack.mitre.org/techniques/T1082/)):** The dropper must scan the file system and registry to find the installation paths of all other IDEs on the system.\n4.  **Persistence & Defense Evasion ([`T1137 - Office Application Startup`](https://attack.mitre.org/techniques/T1137/)):** While the technique name is specific to Office, the concept is identical. By infecting the IDEs' configuration files or plugins, the malware ensures it is executed every time the developer starts their work environment. This is a form of 'IDE Application Startup' persistence.\n\n> The choice to target *all* IDEs on a machine is a sign of a thorough and determined attacker. They are not just compromising one tool, but the developer's entire toolchain to ensure persistence even if one IDE is cleaned or uninstalled.\n\n---\n\n## Impact Assessment\n\nThe impact of compromising a developer's primary workspace is catastrophic for software supply chain security. A single compromised developer at a major software vendor, open-source project, or corporation can become a patient zero, unknowingly shipping malicious code to thousands or millions of downstream users. The business impact includes direct financial loss from theft of intellectual property, costs of responding to the incident, reputational damage, and potential liability for distributing compromised software. This attack vector is highly efficient for espionage and sabotage, making it a favored technique for advanced threat actors.\n\n---\n\n## Detection & Response\n\n**Detection:**\n- **Extension Auditing:** Security teams should audit the IDE extensions used by developers. Scrutinize extensions from non-official marketplaces or less-known publishers. **(D3FEND Technique: [`D3-SFA: System File Analysis`](https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis))**\n- **Endpoint Monitoring (EDR):** An EDR solution can detect the dropper's behavior, such as a VS Code process writing to the configuration files of a JetBrains IDE. This cross-application modification is highly anomalous and a strong indicator of compromise. **(D3FEND Technique: [`D3-PA: Process Analysis`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis))**\n- **Network Monitoring:** Monitor for unexpected outbound connections from IDE processes. A compromised IDE might try to connect to a C2 server.\n\n**Response:**\n1.  **Isolate Machine:** Immediately disconnect the compromised developer's machine from the network.\n2.  **Full Re-image:** Due to the deep level of persistence, the only safe response is to completely wipe and re-image the machine. Do not attempt to simply 'clean' the IDEs.\n3.  **Credential Rotation:** Rotate all credentials the developer has access to, including code repository access, cloud keys, and database passwords.\n4.  **Code Audit:** Conduct an emergency audit of all code committed by the developer since the suspected time of compromise.\n\n---\n\n## Mitigation\n\n1.  **Restrict Extensions:** Implement a corporate policy that only allows the installation of approved and vetted IDE extensions from official marketplaces. Use features within IDEs to enforce this policy. **(MITRE Mitigation: [`M1033 - Limit Software Installation`](https://attack.mitre.org/mitigations/M1033/))**\n2.  **Developer Security Training:** Train developers on the risks of third-party extensions and how to spot fakes (e.g., checking publisher reputation, number of downloads, reviews). **(MITRE Mitigation: [`M1017 - User Training`](https://attack.mitre.org/mitigations/M1017/))**\n3.  **Application Sandboxing:** Where possible, run IDEs in a sandboxed or virtualized environment to limit their ability to access and modify other parts of the system.\n4.  **Principle of Least Privilege:** Ensure developer accounts do not have administrative privileges on their workstations. This can prevent a malicious extension from being able to write to system-wide directories or infect other users' applications.","The GlassWorm campaign is back with a new dropper written in Zig. It's spreading via a fake VSX extension to infect ALL IDEs on a developer's machine, creating a major software supply chain risk. 👨‍💻☣️ #Malware #SupplyChainAttack #DevSecOps","The GlassWorm cyber-espionage campaign is using a new dropper written in the Zig programming language to infect all IDEs on a developer's machine, posing a severe software supply chain risk.",[13,14,15],"Malware","Supply Chain Attack","Threat Actor","high",[18,21,24,27,29],{"name":19,"type":20},"GlassWorm","threat_actor",{"name":22,"type":23},"Zig","technology",{"name":25,"type":26},"Open VSX","product",{"name":28,"type":26},"WakaTime",{"name":30,"type":23},"Integrated Development Environments (IDEs)",[],[33,39],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.wiu.edu/cbt/cybersecurity_center/cybersecurity_news.php","Cybersecurity News - Western Illinois University","2026-04-10","Western Illinois University","wiu.edu",{"url":40,"title":41,"date":36,"friendly_name":42,"website":43},"https://www.diesec.com/blog/top-5-cybersecurity-news-stories-april-10-2026","Top 5 Cybersecurity News Stories April 10, 2026","DIESEC","diesec.com",[],[46,50,54,58,62],{"id":47,"name":48,"tactic":49},"T1195.001","Compromise Software Dependencies and Directories","Initial Access",{"id":51,"name":52,"tactic":53},"T1137","Office Application Startup","Persistence",{"id":55,"name":56,"tactic":57},"T1082","System Information Discovery","Discovery",{"id":59,"name":60,"tactic":61},"T1195.002","Compromise Software Supply Chain","Impact",{"id":63,"name":64,"tactic":53},"T1547.001","Registry Run Keys / Startup Folder",[66,71,75],{"id":67,"name":68,"description":69,"domain":70},"M1033","Limit Software Installation","Enforce policies to restrict developers from installing unvetted or unauthorized IDE extensions.","enterprise",{"id":72,"name":73,"description":74,"domain":70},"M1017","User Training","Train developers on the risks of malicious extensions and how to identify them.",{"id":76,"name":77,"description":78,"domain":70},"M1040","Behavior Prevention on Endpoint","Use an EDR to detect and block anomalous behaviors, such as one application modifying another application's files.",[80,86],{"technique_id":81,"technique_name":82,"url":83,"recommendation":84,"mitre_mitigation_id":85},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","To detect the GlassWorm dropper's activity, organizations should leverage an Endpoint Detection and Response (EDR) tool capable of detailed process analysis. A specific detection rule should be created to monitor for cross-application modification behavior. For example, create a high-severity alert if a process originating from `Code.exe` (Visual Studio Code) attempts to write to or modify files in the configuration directories of other IDEs, such as `~/.config/JetBrains/` or `~/.eclipse/`. This behavior is highly irregular and a strong signal of the attack pattern described. This rule should be implemented for all developer endpoints to provide an early warning of a compromised development environment.","M1049",{"technique_id":87,"technique_name":88,"url":89,"recommendation":90,"mitre_mitigation_id":91},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting","A strong preventative control is to manage the ecosystem of IDE extensions. Organizations should treat IDE extensions as software that needs to be managed. Implement an 'allowlist' policy for extensions, where only extensions that have been vetted by the security team can be installed. This can be enforced through the IDE's own management features (e.g., VS Code's `extensions.install`, `extensions.recommendations` settings in `settings.json`). For extensions not on the allowlist, they should be denylisted or blocked from installation. This prevents developers from inadvertently installing malicious extensions like the one used by GlassWorm and significantly reduces the attack surface.","M1042",[93],{"type":94,"value":95,"description":96},"file_name","specstudio.code-wakatime-activity-tracker","Malicious Open VSX extension used to distribute the dropper.",[98,103,108],{"type":99,"value":100,"description":101,"context":102,"confidence":16},"file_path","%USERPROFILE%\\.vscode\\extensions\\","The directory where VS Code extensions are stored. The malicious extension would be found here.","File integrity monitoring, forensic analysis.",{"type":104,"value":105,"description":106,"context":107,"confidence":16},"process_name","Code.exe","A Visual Studio Code process writing to directories associated with other IDEs (e.g., JetBrains, Eclipse) is a strong indicator of this attack.","EDR logs, process monitoring.",{"type":109,"value":110,"description":111,"context":112,"confidence":113},"command_line_pattern","zig build","The presence of the Zig compiler or build tools on a developer workstation where it is not expected could be an indicator of malicious activity or preparation.","Asset inventory, EDR process monitoring.","low",[19,13,22,115,14,116,25],"IDE","Developer","2026-04-11T15:00:00.000Z","NewsArticle",{"geographic_scope":120,"industries_affected":121,"other_affected":123},"global",[122],"Technology",[124],"Software developers","2026-04-11",5,1776260628158]