What is the GlassWorm Zig dropper?

It's a native binary in a fake VS Code extension that infects all VS Code-compatible IDEs on your system, dropping further malware for data theft.

How do I check if I'm infected by GlassWorm campaign?

Search your IDE extensions for "specstudio.code-wakatime-activity-tracker" or "floktokbok.autoimport," scan for win.node/mac.node binaries, and run full AV/EDR checks. Rotate all creds.

Will GlassWorm hit JetBrains or other IDEs?

Not yet, but Zig's portability means yes—watch for Rust or Go variants targeting IntelliJ or Xcode next.

🦠 Ransomware & Malware

GlassWorm's Zig Dropper Hijacks Every IDE on Dev Machines

Cyber crooks just upped their game in the GlassWorm campaign, slipping a Zig dropper into a phony WakaTime tracker that chains infections across all your IDEs. It's not just VS Code—think Cursor, VSCodium, the works.

theAIcatchup Apr 10, 2026 4 min read

Malicious Zig dropper binary from GlassWorm campaign targeting developer IDEs like VS Code and Cursor

⚡ Key Takeaways

GlassWorm's Zig dropper infects multiple IDEs like VS Code, Cursor, and VSCodium from one fake extension. 𝕏
Uses indirection via native binaries to evade sandboxes and spread silently via CLI installers. 𝕏
Targets high-value devs for creds, code access; rotate secrets if exposed. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#GlassWorm campaign #IDE infections #VS Code malware #Zig dropper

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

ClickFix Hits Macs Hard: Fake Apple Page Steals Passwords and Crypto

ChipSoft Ransomware: When One Vendor's Glitch Cripples Dutch Hospitals

Budget Android Phones Are Shipping Straight from Factories with Firmware Malware

Fake Windows Update Scam Steals French Users' Passwords and Bank Data

Stay in the loop