GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

The GlassWorm campaign distributed a malicious Zig dropper through fake VS Code extensions on the Open VSX marketplace, targeting developer environments. The dropper identifies all IDEs on an infected system and deploys a second-stage extension that steals credentials and executes C2 commands via the Solana blockchain. Any developer who installed 'specstudio.code-wakatime-activity-tracker' or 'floktokbok.autoimport' should be treated as compromised.

CRITICAL | Advisory | Apr 12, 2026
Action required
Immediately identify and isolate any developer machines with the affected extensions installed. Assume full credential compromise: force password resets for all users matching this profile, rotate API keys and secrets, and scan for lateral movement and data exfiltration in the past 90 days.
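
One way to run the identification step on a single machine, as an added example that is not part of the original advisory: it looks for the two extension IDs named above in per-user extension directories. The directory list and the `extensions.json` layout are assumptions about common VS Code-compatible IDEs, and the check does not cover the second-stage extension, which the advisory does not name.

```python
import json
import re
from pathlib import Path

# Extension IDs named in the advisory.
AFFECTED = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}

# Assumption: per-user extension directories of common VS Code-compatible IDEs.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-oss/extensions",
                 ".cursor/extensions", ".windsurf/extensions"]

# Installed folders are named <publisher>.<name>-<version>[-<platform>].
_FOLDER = re.compile(r"^([^.]+\.[\w.-]+?)-\d+\.\d+\.\d+")


def extension_id(folder_name):
    """Strip the version suffix from a folder name and lower-case the ID."""
    m = _FOLDER.match(folder_name)
    return (m.group(1) if m else folder_name).lower()


def scan_root(root):
    """Return {(extension_id, evidence_path)} for one extensions directory."""
    root, hits = Path(root), set()
    if not root.is_dir():
        return hits
    for child in root.iterdir():
        if child.is_dir() and extension_id(child.name) in AFFECTED:
            hits.add((extension_id(child.name), str(child)))
    # Assumption: extensions.json is a list of {"identifier": {"id": ...}}.
    manifest = root / "extensions.json"
    try:
        entries = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        entries = []
    for entry in entries if isinstance(entries, list) else []:
        ident = entry.get("identifier") if isinstance(entry, dict) else None
        ext = str(ident.get("id", "")).lower() if isinstance(ident, dict) else ""
        if ext in AFFECTED:
            hits.add((ext, str(manifest)))
    return hits


def scan_home(home=None, roots=DEFAULT_ROOTS):
    """Scan every known extensions directory under one home directory."""
    home = Path(home) if home else Path.home()
    return sorted(h for rel in roots for h in scan_root(home / rel))


if __name__ == "__main__":
    for ext, where in scan_home():
        print(f"AFFECTED {ext} -> {where}")
```

Run it per user profile on each developer machine; any hit means the host falls under the isolation and credential rotation steps above.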
Affected products
VS Code, Microsoft, Open VSX