Skip to main content

GlassWorm Campaign Infects Developer IDEs via Malicious Extension

Eerie laptop screen with code editor, shattered glass worm emerging.

What happens when the tools developers trust become the delivery mechanism for malware? Cybersecurity researchers have identified a fresh twist in an ongoing campaign that answers that question in stark terms: the latest GlassWorm variant seeks to live inside the very integrated development environments programmers use every day.

What researchers found

Cybersecurity researchers have flagged an evolution of the GlassWorm campaign that employs a new Zig dropper. According to the reporting, the Zig dropper is designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique was discovered embedded in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime.

Background: an ongoing campaign and a new tool

The discovery represents a development in an ongoing GlassWorm campaign. The key technical element noted by researchers is the use of a Zig dropper, a delivery mechanism highlighted for its role in this iteration of the campaign. The malicious code was delivered via a publicly available Open VSX extension that presents itself as a legitimate activity-tracking extension.

Why the finding matters

  • The campaign targets developer workstations by focusing on integrated development environments, a fact underscored by the researchers' finding that the dropper is designed to infect all IDEs on a machine.
  • The delivery mechanism leverages an Open VSX extension distributed under the name "specstudio.code-wakatime-activity-tracker," which intentionally masquerades as a known tool (WakaTime), increasing the chance of installation by unsuspecting users.
  • As an evolution of an existing campaign, the use of a Zig dropper signals a change in tooling and tactics that researchers have identified and flagged for attention.

Perspectives to consider

Technologists: The research highlights a shift in tooling at the delivery layer—specifically, the use of a Zig dropper in a malicious extension on Open VSX.

Users and developers: The discovery centers on an extension that impersonates a familiar utility, indicating that extensions and other third-party plugins remain a vector of concern.

Policymakers and defenders: The finding is presented as an evolution in an ongoing campaign, underscoring the need for continued vigilance around software repositories and extension ecosystems.

GlassWorm's latest iteration is a reminder that the boundary between development tools and attack surface is porous—when an extension can impersonate a trusted plugin and carry a dropper designed to reach every IDE on a machine, the vectors for supply-chain and workstation compromise expand. How will maintainers, repository operators, and developers respond when the very extensions meant to boost productivity become carriers for persistent threats?

https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html