
The Extension That Infected Them All

  • Javier Conejo del Cerro
  • 13 Apr
  • 2 min read

The latest evolution of the GlassWorm campaign shows a new level of sophistication in developer-targeted attacks. By pairing a malicious IDE extension with a Zig-compiled native dropper, the attackers no longer compromise a single application: they compromise the whole development environment. What is installed as a harmless productivity tool becomes a self-propagating infection that spreads to every VS Code-compatible IDE on the system.


Phase 1: Deception & Delivery 


The attack starts with a malicious extension hosted on Open VSX, disguised as a legitimate productivity tool that imitates WakaTime.

The extension (“specstudio.code-wakatime-activity-tracker”) appears authentic and functional, which lowers suspicion among developers who rely heavily on third-party extensions to enhance their workflow. The publisher is the first tell: the genuine WakaTime extension is published under the WakaTime publisher (WakaTime.vscode-wakatime), not under “specstudio”.


Phase 2: Execution via a Native Dropper 


Once installed, the extension loads a Zig-compiled native Node module (“win.node” on Windows, “mac.node” on macOS) shipped inside its own package.

The extension host of a VS Code-style editor is not a sandbox: even a plain JavaScript extension already runs with the full privileges of the logged-in user and can spawn arbitrary processes. The native module therefore does not escalate privileges; what it buys the attacker is evasion. The logic that matters lives in compiled Zig rather than in reviewable JavaScript, so marketplace scanners and human reviewers that inspect extension source see only a thin loader, while the binary executes inside the extension host process with complete operating-system access.

Phase 3: Discovery & Propagation 


The binary enumerates the host for every editor that accepts VS Code extensions: VS Code itself, its open-source forks, and the AI-first editors built on the same code base. Each keeps its own extension directory and each ships a command-line launcher that accepts an --install-extension argument, so an extension installed in one editor is neither visible to nor blocked by the others.

It then downloads the second-stage extension (“floktokbok.autoimport”) from attacker-controlled infrastructure and silently installs it into every detected editor through those launchers (the equivalent of `code --install-extension`), so the second stage never passes through a marketplace at all.

The result is an infection that propagates across the development tools on one machine: a single user-approved install becomes one install per editor.
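One way to perform the audit this phase calls for, as an added example that is not code from the original post or from the campaign itself: the script below walks the extension directories of several VS Code-compatible editors (an assumed, illustrative list of directory names, not a claim about which products the campaign targets), flags the two extension IDs named above and any shipped .node module, and reports IDs that appear in more than one editor. It also lays out a constructed sample directory so it can be run offline with `--demo`.

```python
"""Audit every VS Code-family extension directory on a host for the indicators
above: the two GlassWorm extension IDs and the native .node dropper.

Added example, not code from the original post or the campaign's tooling. The IDE
directory list is an assumption (illustrative only); adjust it for your fleet.
"""
import json
import sys
import tempfile
from pathlib import Path

# Known-bad extension IDs named in the write-up (publisher.name form).
BAD_EXTENSION_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Dropper file names named in the write-up.
DROPPER_NAMES = {"win.node", "mac.node"}

# Assumed extension roots (relative to $HOME) for VS Code-compatible editors.
IDE_EXTENSION_ROOTS = {
    "vscode": ".vscode/extensions",
    "vscodium": ".vscode-oss/extensions",
    "cursor": ".cursor/extensions",
    "windsurf": ".windsurf/extensions",
}

def extension_id(ext_dir):
    """Return publisher.name from an extension's package.json, or None."""
    try:
        manifest = json.loads((Path(ext_dir) / "package.json").read_text("utf-8"))
        return f"{manifest['publisher']}.{manifest['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def native_modules(ext_dir):
    """Relative paths of every .node file shipped inside an extension."""
    ext_dir = Path(ext_dir)
    return sorted(str(p.relative_to(ext_dir)) for p in ext_dir.rglob("*.node") if p.is_file())

def audit_root(ide, root):
    """Scan one editor's extension root and return a list of findings."""
    findings, root = [], Path(root)
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir)
        natives = native_modules(ext_dir)
        reasons = []
        if ext_id in BAD_EXTENSION_IDS:
            reasons.append("known GlassWorm extension ID")
        if any(Path(n).name in DROPPER_NAMES for n in natives):
            reasons.append("ships the win.node/mac.node dropper")
        elif natives:  # many legitimate extensions ship native modules: review only
            reasons.append("ships a native .node module (review manually)")
        if reasons:
            findings.append({"ide": ide, "path": str(ext_dir), "id": ext_id or ext_dir.name,
                             "natives": natives, "reasons": reasons})
    return findings

def audit_host(home=None, roots=IDE_EXTENSION_ROOTS):
    """Audit every known editor root under a home directory (default: current user)."""
    home = Path(home) if home else Path.home()
    findings = []
    for ide, rel in roots.items():
        findings.extend(audit_root(ide, home / rel))
    return findings

def cross_ide_ids(findings):
    """Flagged IDs present in more than one editor: the propagation signature."""
    seen = {}
    for f in findings:
        seen.setdefault(f["id"], set()).add(f["ide"])
    return {ext: sorted(ides) for ext, ides in seen.items() if len(ides) > 1}

def build_constructed_sample(base):
    """Constructed sample home directory mimicking an infected host (not a real capture)."""
    layout = [  # (ide, directory name, publisher, name, native files)
        ("vscode", "specstudio.code-wakatime-activity-tracker-1.0.0",
         "specstudio", "code-wakatime-activity-tracker", ["win.node"]),
        ("vscode", "floktokbok.autoimport-0.0.1", "floktokbok", "autoimport", []),
        ("cursor", "floktokbok.autoimport-0.0.1", "floktokbok", "autoimport", []),
        ("vscode", "ms-python.python-2024.1.0", "ms-python", "python", []),
    ]
    for ide, dirname, publisher, name, natives in layout:
        ext_dir = Path(base) / IDE_EXTENSION_ROOTS[ide] / dirname
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps({"publisher": publisher, "name": name}))
        for n in natives:
            (ext_dir / n).write_bytes(b"\x00placeholder")  # stand-in bytes, not a real binary
    return base

if __name__ == "__main__":
    # `--demo` audits the constructed sample; otherwise the current user's home.
    home = build_constructed_sample(tempfile.mkdtemp()) if "--demo" in sys.argv else None
    hits = audit_host(home)
    for hit in hits:
        print(f"[{hit['ide']}] {hit['id']} ({hit['path']}): {'; '.join(hit['reasons'])}")
    for ext, ides in cross_ide_ids(hits).items():
        print(f"cross-IDE: {ext} present in {', '.join(ides)}")
    sys.exit(1 if hits else 0)
```

The native-module check deliberately separates the two dropper names from any other .node file: plenty of legitimate extensions ship native modules, so the generic case is a review item, not a verdict. The cross-IDE report is the useful signal on a fleet: a flagged extension that exists in several editors on one host was almost certainly installed by something other than the user.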


Phase 4: Data Theft & Control 


The second-stage extension acts as a dropper and control layer:

  • Resolves its command-and-control address through the Solana blockchain (a dead-drop resolver: the C2 location is read from on-chain transaction data, so blocking any single domain does not sever the link)

  • Exfiltrates sensitive data from the system

  • Deploys a Remote Access Trojan (RAT)

  • Installs a malicious Chrome extension to steal browser data

This gives the attackers credentials, session tokens, and development artifacts while maintaining persistent access; with both a RAT and a browser extension in place, removing one foothold does not end the intrusion.


Measures to Fend Off 


  • Remove the malicious extensions immediately, from every editor on the host and not only the one where the first stage was installed; the second stage was pushed into each detected editor's own extension directory

  • Rotate every credential and secret reachable from the machine (SSH keys, Git and package-registry tokens, cloud CLI sessions, browser-saved logins), since the RAT and the browser extension were positioned to harvest all of them

  • Audit all IDE installations and their extension directories, including forks and AI editors that share the VS Code extension format; an extension that none of your approved sources lists is a finding

  • Restrict extension sources; a marketplace alone is not a trust boundary, since Open VSX hosted the first stage, so pin an allowlist of publishers or extension IDs (VS Code exposes this through the extensions.allowed setting) and treat lookalike publishers as hostile

  • Monitor CLI-based extension installations: an editor's extension host spawning `code --install-extension` (or another editor's launcher) is not normal user behaviour

  • Detect abnormal cross-IDE activity, such as one process installing into several editors within seconds

  • Implement endpoint monitoring for native binary execution, in particular .node modules appearing under an extension directory and loaded by the extension host
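The monitoring and cross-IDE points above can be expressed as detection logic over process-creation telemetry. The following is an added example, not code from the original post or from any EDR product: the event schema, the parent-process names, the launcher names and the sample events are all constructed for illustration and would need mapping onto a real telemetry source. It raises an alert when a launcher installs a known GlassWorm ID, when the install is driven by an extension host rather than a user shell, and when one parent installs into two or more editors inside a short window.

```python
"""Detect the propagation step from process-creation telemetry: one parent process
driving `--install-extension` across several IDE command-line launchers.

Added example, not code from the original post or from any EDR product. The event
schema, parent-process names and sample events are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from pathlib import PurePath

BAD_EXTENSION_IDS = {"specstudio.code-wakatime-activity-tracker", "floktokbok.autoimport"}

# Assumed launcher basenames (lower-case, without .exe/.cmd) of VS Code-compatible editors.
IDE_LAUNCHERS = {"code", "code-insiders", "codium", "cursor", "windsurf"}

# Assumed process names of an editor's extension host. A launcher spawned from here,
# rather than from a user's shell or a deployment tool, is the suspicious shape:
# an extension installing other extensions.
EXTENSION_HOST_PARENTS = {"code helper (plugin)", "code.exe", "cursor.exe", "windsurf.exe"}

CROSS_IDE_WINDOW_S = 120  # installs into >1 editor within this many seconds form a burst

# Constructed sample (not a real capture): pid 4242 is an extension host that pushes
# the second stage into three editors within seconds; pid 3000 is a developer's shell.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": 1000, "pid": 5001, "ppid": 4242, "image": "/usr/local/bin/code",
     "parent_image": "Code Helper (Plugin)",
     "cmdline": "code --install-extension floktokbok.autoimport"},
    {"ts": 1003, "pid": 5002, "ppid": 4242, "image": "/usr/local/bin/cursor",
     "parent_image": "Code Helper (Plugin)",
     "cmdline": "cursor --install-extension floktokbok.autoimport"},
    {"ts": 1007, "pid": 5003, "ppid": 4242, "image": "/usr/local/bin/windsurf",
     "parent_image": "Code Helper (Plugin)",
     "cmdline": "windsurf --install-extension=/tmp/floktokbok.autoimport-0.0.1.vsix"},
    {"ts": 2000, "pid": 6001, "ppid": 3000, "image": "/usr/local/bin/code",
     "parent_image": "zsh",
     "cmdline": "code --install-extension ms-python.python"},
])

def launcher_name(image):
    """Normalise an image path to a launcher basename, e.g. ...\\bin\\code.cmd -> code."""
    return re.sub(r"\.(exe|cmd)$", "", PurePath(image.replace("\\", "/")).name.lower())

def parse_install(event):
    """Return (ide, extension_id_or_vsix_path) for a CLI extension install, else None."""
    ide = launcher_name(event["image"])
    match = re.search(r"--install-extension(?:=|\s+)(\S+)", event["cmdline"])
    if ide not in IDE_LAUNCHERS or not match:
        return None
    return ide, match.group(1).strip("'\"").lower()

def analyze(jsonl):
    """Run the three checks over JSON-lines process events; return a list of alerts."""
    alerts, by_parent = [], defaultdict(list)
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        parsed = parse_install(ev)
        if not parsed:
            continue
        ide, ext = parsed
        reasons = []
        if ext in BAD_EXTENSION_IDS:
            reasons.append("known GlassWorm extension")
        if ev["parent_image"].lower() in EXTENSION_HOST_PARENTS:
            reasons.append("install driven by an extension host, not a user shell")
        if reasons:
            alerts.append({"ts": ev["ts"], "pid": ev["pid"], "ppid": ev["ppid"],
                           "ide": ide, "extension": ext, "reasons": reasons})
        by_parent[ev["ppid"]].append((ev["ts"], ide))
    # Cross-IDE check: one parent installing into two or more editors inside the window.
    for ppid, installs in by_parent.items():
        installs.sort()
        for i, (ts, ide) in enumerate(installs):
            later = {j_ide for j_ts, j_ide in installs[i + 1:] if j_ts - ts <= CROSS_IDE_WINDOW_S}
            ides = {ide} | later
            if len(ides) > 1:
                alerts.append({"ts": ts, "ppid": ppid, "ides": sorted(ides),
                               "reasons": ["cross-IDE install burst from one parent"]})
                break
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The third sample event shows why the cross-IDE check matters: a .vsix installed from a local path never matches an ID blocklist, but it still comes from an extension host and still lands in a burst across editors, so it is caught by the other two rules. The benign shell-driven install produces no alert at all.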


The GlassWorm campaign demonstrates a critical shift in attack strategy: targeting the developer ecosystem as a unified attack surface.


By moving laterally across IDEs instead of systems, attackers gain access to a broader set of tools, credentials, and workflows in a single operation.


This is no longer just about compromising a machine—it is about compromising how software is built.


Because when one extension can infect them all, the boundary between tools disappears—

And so does the security perimeter.



Source: The Hacker News