The GlassWorm cyber espionage campaign has shown significant technical evolution. Researchers have identified a new component that uses the Zig programming language to create a stealthier dropper. Its goal is to compromise all integrated development environments on a programmer's system. The entry vector was a malicious extension on Open VSX, impersonating the WakaTime metrics tool.
Cross-IDE Infection Technique and Use of the Zig Language 🕵️
The dropper, written in Zig, leverages this language's ability to compile to clean C code and avoid simple detections. Once executed, it scans the machine for installations of popular IDEs like VS Code, JetBrains, or Eclipse. Subsequently, it injects malicious code into the plugins or configurations of each environment to maintain persistence and steal credentials or source code. The use of Zig complicates static analysis.
Your New Productivity Plugin Comes with a Surprise Gift 🎁
Nothing like installing an extension that promises to help you measure your coding time to discover that, in reality, it's the one working harder than you. While you write lines of code, the plugin handles a parallel task: exporting your project to remote servers. It's the modern definition of teamwork, even though your teammate isn't on the payroll and has bad intentions.