Cross-Platform GlassWorm goes native: New Zig dropper infects every IDE on your Windows or Mac machine

Khushal

Apr 4, 2024
Researchers have been monitoring GlassWorm for more than a year since it first emerged in March 2025, when analysts at Aikido uncovered malicious npm packages concealing payloads within invisible Unicode characters. The campaign has since grown considerably, affecting hundreds of projects across GitHub, npm, and VS Code, and was most recently linked to a persistent remote access trojan delivered through a counterfeit Chrome extension that captured keystrokes and harvested session cookies.

The threat group's latest evolution was spotted in an OpenVSX extension called code-wakatime-activity-tracker, which masquerades as the legitimate WakaTime developer productivity tool. The extension bundles a Zig-compiled native binary alongside its JavaScript code — not as the final payload, but as a stealthy intermediary that quietly deploys the known GlassWorm dropper, which then seeks out and compromises every other IDE it can locate on the infected machine.
 
This is a significant supply-chain case, but one detail in that quote should be treated carefully: I cannot independently verify the full timeline or every attribution in it from the text alone.

What appears to be happening

Based on the quoted description and the linked Aikido report, the reported chain is:

  • A trojanized OpenVSX extension impersonates a legitimate developer tool.
  • It includes a native Zig-compiled binary.
  • That binary acts as an intermediate dropper rather than the final payload.
  • The dropper then looks for other IDE environments on the same system and attempts to spread across them.

If accurate, that is notable because it combines:

  • Supply-chain style delivery through a trusted developer workflow
  • Cross-IDE persistence or propagation
  • Use of native code to reduce visibility compared with pure script-based payloads

Why this matters

For developers, IDE extensions are often highly trusted and can get broad access to:

  • Source code
  • Workspace files
  • Terminal sessions
  • Authentication tokens
  • Browser or app session material, depending on follow-on payloads

So even a single malicious extension can become a high-impact foothold.

Practical takeaway

If anyone installed that specific extension or a suspicious WakaTime clone, the safest response is to treat the machine as potentially compromised.

Recommended next steps:

  • Uninstall the suspicious extension immediately.
  • Check all installed extensions in VS Code, VSCodium, Cursor, Windsurf, and other Chromium/Electron-based or compatible IDEs.
  • Run scans with reputable security software.
  • Review startup entries, scheduled tasks, and unusual child processes launched from the IDE.
  • Rotate credentials that may have been exposed, especially GitHub, npm, cloud, and developer platform tokens.
  • Invalidate active sessions where possible.
  • Inspect browser extensions too, since the quote mentions a fake Chrome extension in earlier activity.

Important limitation

I would avoid declaring that every related package, extension, or developer tool mentioned in discussion is malicious without checking the specific indicators in the report. These campaigns often rely on lookalike names, and misidentification can cause unnecessary panic.

Bottom line

If the Aikido analysis is correct, this looks like a serious developer-focused malware campaign using fake extensions and multi-stage delivery to spread between IDEs. The safest response is rapid removal, credential rotation, and careful review of all installed development extensions and sessions.

Sources
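As an added example, not part of the original post and not code from Aikido, WakaTime or any IDE project, the following Python script turns two of the checks above into something runnable: it inventories extensions installed under the VS Code-family extension directories, flags lookalike names that use a known brand but are not published by that brand's publisher, and flags any file inside an extension that starts with a native-executable header (PE, ELF, Mach-O), which is how a bundled Zig-compiled binary sitting next to the JavaScript would show up. The extension directory paths, the assumption that the legitimate WakaTime extension is published under the publisher id "WakaTime", and the sample extension tree built by `demo()` are all assumptions or constructed data, not indicators from the report.

```python
"""Inventory VS Code-family extensions and flag lookalike names and bundled
native executables.  Added example; paths and publisher names are assumptions."""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed per-user extension directories for several VS Code-compatible IDEs.
# Adjust for your install; any root that does not exist is skipped.
EXTENSION_ROOTS = [
    "~/.vscode/extensions",       # VS Code
    "~/.vscode-oss/extensions",   # VSCodium
    "~/.cursor/extensions",       # Cursor
    "~/.windsurf/extensions",     # Windsurf
]

# Leading bytes of native executable formats.  A file inside an extension that
# begins with one of these is a native binary shipped alongside the JavaScript.
NATIVE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

# Brand substring -> publisher ids allowed to use it.  Assumption: the genuine
# WakaTime extension is published under the publisher id "WakaTime".
BRAND_PUBLISHERS = {"wakatime": {"wakatime"}}


def native_kind(path: Path) -> Optional[str]:
    """Return the executable format name if the file starts with a native header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, kind in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_extension(ext_dir: Path) -> Dict:
    """Read the extension manifest and collect findings for one installed extension."""
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        meta = {}
    name = str(meta.get("name", ext_dir.name)).lower()
    publisher = str(meta.get("publisher", "")).lower()
    findings: List[str] = []
    for brand, allowed in BRAND_PUBLISHERS.items():
        if brand in name and publisher not in allowed:
            findings.append(f"lookalike name '{name}' from publisher '{publisher or '?'}'")
    for path in ext_dir.rglob("*"):
        if path.is_file():
            kind = native_kind(path)
            if kind:
                findings.append(f"bundled native binary {path.relative_to(ext_dir)} ({kind})")
    return {"extension": f"{publisher}.{name}", "path": str(ext_dir), "findings": findings}


def scan_roots(roots) -> List[Dict]:
    """Scan every extension directory under each existing root."""
    results = []
    for root in roots:
        root_path = Path(os.path.expanduser(root))
        if not root_path.is_dir():
            continue
        for ext_dir in sorted(p for p in root_path.iterdir() if p.is_dir()):
            results.append(scan_extension(ext_dir))
    return results


def demo() -> List[Dict]:
    """Build a constructed extension tree (one clean, one lookalike with a PE
    stub) and return only the entries that produced findings."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "wakatime.vscode-wakatime-1.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"name": "vscode-wakatime", "publisher": "WakaTime"}))
    (good / "extension.js").write_text("// JavaScript only, nothing native\n")
    bad = tmp / "someone.code-wakatime-activity-tracker-0.0.1"   # constructed publisher id
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"name": "code-wakatime-activity-tracker", "publisher": "someone"}))
    (bad / "bin").mkdir()
    (bad / "bin" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 62)   # constructed PE header stub
    return [r for r in scan_roots([str(tmp)]) if r["findings"]]


if __name__ == "__main__":
    for entry in demo() + scan_roots(EXTENSION_ROOTS):
        if entry["findings"]:
            print(entry["extension"], entry["path"])
            for finding in entry["findings"]:
                print("   -", finding)
```

Treat the output as triage leads rather than verdicts: some legitimate extensions ship native `.node` modules and will also be listed, so compare each flagged extension's publisher and file list against the marketplace listing and the indicators in the report before removing it.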