{"id":5247,"date":"2026-04-10T18:18:01","date_gmt":"2026-04-10T18:18:01","guid":{"rendered":"https:\/\/delimiter.online\/blog\/glassworm-campaign\/"},"modified":"2026-04-10T18:18:01","modified_gmt":"2026-04-10T18:18:01","slug":"glassworm-campaign","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/glassworm-campaign\/","title":{"rendered":"GlassWorm Campaign Infects Developer IDEs with Zig Dropper"},"content":{"rendered":"<p><a href=\"https:\/\/delimiter.online\/blog\/techcrunch-disrupt-2026-13\/\" title=\"cybersecurity\">Cybersecurity<\/a> researchers have identified a new phase of the ongoing GlassWorm campaign, which now uses a malicious dropper written in the Zig programming language to infect every integrated development environment (IDE) on a developer&#8217;s machine. The dropper was discovered inside a malicious extension published to the Open VSX registry and posing as a legitimate productivity tool.<\/p>\n<h2>Attack Vector and Malicious Payload<\/h2>\n<p>The technique was found in an Open VSX extension with the identifier &#8220;specstudio.code-wakatime-activity-tracker.&#8221; The extension impersonates WakaTime, a genuine service developers use to track coding time: the identifier carries the WakaTime name, but the publisher segment, specstudio, is not WakaTime. Once a developer installs it in a VS Code-compatible IDE, the extension runs a multi-stage attack. No IDE vulnerability is required; extensions execute with the privileges of the user who installed them, so the install itself is the compromise.<\/p>\n<p>The primary payload is a dropper written in Zig, a relatively new systems programming language. Analysts single out the choice of Zig because it compiles to native binaries whose runtime and binary layout differ from the C and C++ code that most detection signatures and analysis tooling were built around, leaving traditional security software with less to match against. The dropper scans the victim&#8217;s machine for every installed IDE and injects malicious code into each one, rather than touching only the editor the extension was installed in.<\/p>\n<h2>Campaign Background and Attribution<\/h2>\n<p>The GlassWorm campaign, which some researchers also track as UNC4990, is a suspected state-sponsored espionage operation that has been active since at least 2022. 
Its primary targets have consistently been technology companies, with a particular focus on software developers and IT service providers in East and Southeast Asia.<\/p>\n<p>Previous iterations of the campaign have used sophisticated <a href=\"https:\/\/delimiter.online\/blog\/adobe-reader-zero-day\/\" title=\"malware\">malware<\/a> such as Soul and a modified version of the open-source Merlink backdoor. The shift to a Zig-based dropper distributed through a poisoned IDE extension is a significant change in the group&#8217;s tactics, techniques, and procedures (TTPs).<\/p>\n<h2>Impact and Infection Mechanism<\/h2>\n<p>The goal of the infection is a backdoor that gives the attackers persistent remote access to the compromised system. By implanting every IDE on the machine rather than only the one the extension was installed in, the attackers keep their foothold even if the developer switches between editors such as VS Code and JetBrains products, and uninstalling the original extension alone does not clean the host.<\/p>\n<p>The extension itself is only the first stage: it fetches additional payloads from attacker-controlled servers, and those second-stage payloads install the backdoor and handle communication with the command-and-control (C2) infrastructure. Because the package on the registry carries little of the final logic, signature-based inspection of the extension alone has little to match, which is what makes the chain stealthy.<\/p>\n<h2>Security Recommendations and Response<\/h2>\n<p>The security firms that discovered the campaign notified the Open VSX registry maintainers, and the malicious extension has been removed from the public registry. Removal from the registry does not uninstall it from machines where it was already installed, nor remove the code it injected into other IDEs, so affected developers should treat the host as compromised and rebuild it rather than simply uninstalling the extension. Developers are urged to exercise caution when installing extensions, especially from third-party marketplaces.<\/p>\n<p>Experts recommend verifying the publisher of any extension (the publisher identifier, not just the display name it shows), checking user reviews and download counts while remembering that both can be inflated, and installing only tools from official sources or well-known, verified developers. 
Organizations should also enforce strict software procurement policies, for example an allowlist of approved extension publishers enforced through the IDE&#8217;s management settings, and maintain up-to-date endpoint detection and response (EDR) coverage on developer workstations.<\/p>\n<h2>Future Implications and Industry Response<\/h2>\n<p>The use of Zig in a malicious dropper is expected to influence the broader threat landscape, since advanced persistent threat (APT) groups often adopt techniques that have worked for their peers. The incident is another instance of the growing trend of software supply chain attacks, in which trusted development tools are compromised to reach a high-value audience: developers hold source code, signing keys and cloud credentials, and their machines sit upstream of everything they ship.<\/p>\n<p>Security researchers anticipate continued monitoring of the Open VSX platform and similar developer tool repositories for further malicious activity. The community is likely to develop detection rules and analysis techniques tailored to malware written in languages that traditional tooling handles less well than C and C++, such as Zig, Rust, and Go.<\/p>\n<p>Source: Multiple cybersecurity research reports<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have identified a new phase of the ongoing GlassWorm campaign, which now uses a malicious dropper written in the Zig programming language to infect every integrated development environment (IDE) on a developer&#8217;s machine. The dropper was discovered inside a malicious extension published to the Open VSX registry and posing as a legitimate productivity tool. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5248,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[619,6259,544,909,951],"class_list":["post-5247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cybersecurity","tag-ide-security","tag-malware","tag-software-development","tag-supply-chain-attack"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/5247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=5247"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/5247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/5248"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=5247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=5247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=5247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
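Added example, not code from the campaign reports or from the Open VSX project: a host-side audit script that does defensively what the post says the dropper does offensively. It walks the user-level extension directories of the VS Code-family IDEs on a machine, parses each extension's package.json, and flags the warning signs the recommendations section describes: a blocklisted extension identifier (the one named in the post), a brand name such as WakaTime appearing in an extension whose publisher is not that brand's own account, and activation on every IDE start. The set of extension roots, the one-publisher-per-brand table (the legitimate WakaTime extension is assumed here to publish under the publisher identifier WakaTime) and the sample manifests at the bottom are assumptions and constructed data for illustration, not captured files.

```python
"""Inventory IDE extensions on a developer host and flag the warning signs a
malicious Open VSX / VS Code extension such as the one in the post would show.

Added example for this write-up, not code from the campaign reports.
Runs offline against the constructed manifests at the bottom; scan_installed()
audits a real machine. Everything marked 'assumption' should be adapted."""
import json
import re
from pathlib import Path

# User-level extension roots for VS Code-family IDEs. Assumption: these are the
# editors in your fleet; extend the list for others (JetBrains keeps plugins
# under its own per-product directories and is not covered here).
IDE_EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",      # VS Code
    Path.home() / ".vscode-oss" / "extensions",  # VSCodium (Open VSX by default)
    Path.home() / ".cursor" / "extensions",      # Cursor
]

# Extension identifiers (publisher.name, lower-cased) known to be malicious.
# The entry is the identifier named in the post; feed the rest from threat intel.
BLOCKLIST = {"specstudio.code-wakatime-activity-tracker"}

# Brands that get impersonated, mapped to the normalised publisher identifier
# that legitimately ships them. Assumption: one official publisher per brand.
OFFICIAL_PUBLISHER = {"wakatime": "wakatime"}

# Activation events that run the extension on every IDE launch.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def _norm(s):
    """Lower-case and strip everything but letters and digits for fuzzy matching."""
    return re.sub(r"[^a-z0-9]", "", (s or "").lower())


def assess(manifest):
    """Return a list of (severity, reason) findings for one extension manifest."""
    publisher = manifest.get("publisher", "")
    name = manifest.get("name", "")
    ext_id = f"{publisher}.{name}".lower()
    findings = []

    if ext_id in BLOCKLIST:
        findings.append(("critical", f"{ext_id} is on the blocklist"))

    # Brand impersonation: the brand appears in the extension's identity or
    # description but the publisher is not the brand's official account.
    haystack = _norm(name) + _norm(manifest.get("displayName")) + _norm(manifest.get("description"))
    for brand, official in OFFICIAL_PUBLISHER.items():
        if brand in haystack and _norm(publisher) != official:
            findings.append(("high", f"{ext_id} references '{brand}' but is published by '{publisher}'"))

    # Runs at every IDE start: legitimate for many tools, but it is the hook a
    # dropper needs, so report it as context for the analyst.
    if STARTUP_EVENTS & set(manifest.get("activationEvents", [])):
        findings.append(("info", f"{ext_id} activates at startup"))
    return findings


def scan_installed(roots=IDE_EXTENSION_ROOTS):
    """Walk real extension directories and assess every package.json found."""
    report = {}
    for root in roots:
        if not root.is_dir():
            continue
        for manifest_path in root.glob("*/package.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: skip, do not crash the audit
            findings = assess(manifest)
            if findings:
                report[str(manifest_path.parent)] = findings
    return report


# Constructed sample manifests (not captured files): the impersonator named in
# the post beside what the legitimate WakaTime extension is assumed to look like.
SAMPLE_MANIFESTS = [
    {"publisher": "specstudio", "name": "code-wakatime-activity-tracker",
     "displayName": "WakaTime Activity Tracker", "activationEvents": ["*"]},
    {"publisher": "WakaTime", "name": "vscode-wakatime",
     "displayName": "WakaTime", "activationEvents": ["onStartupFinished"]},
]


def demo():
    """Assess the constructed samples; keyed by publisher.name as written."""
    return {f"{m['publisher']}.{m['name']}": assess(m) for m in SAMPLE_MANIFESTS}


if __name__ == "__main__":
    for ext, findings in demo().items():
        for severity, reason in findings:
            print(f"[{severity}] {ext}: {reason}")
    for path, findings in scan_installed().items():
        print(path, findings)
```

The impersonation check deliberately matches on the normalised name, display name and description rather than the publisher alone, because that is where a typosquat advertises the brand it is borrowing; the legitimate extension passes because its publisher is the brand's own account. A hit on the blocklist should be treated as the post recommends, as a compromised host, not as something to fix by uninstalling the extension.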