GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Briefly

"The extension [...] ships a Zig-compiled native binary alongside its JavaScript code. This is not the first time GlassWorm has resorted to using native compiled code in extensions. However, rather than using the binary as the payload directly, it is used as a stealthy indirection for the known GlassWorm dropper, which now secretly infects all other IDEs it can find on your system."
"The newly identified Microsoft Visual Studio Code (VS Code) extension is a near replica of WakaTime, save for a change introduced in a function named 'activate()'. The extension installs a binary named 'win.node' on Windows systems and 'mac.node' on macOS."
"These Node.js native addons are compiled shared libraries that are written in Zig and load directly into Node's runtime and execute outside the JavaScript sandbox with full operating system-level access. Once loaded, the primary goal of the binary is to find every IDE on the system that supports VS Code extensions."
The GlassWorm campaign has evolved: a new Zig-compiled dropper targets the integrated development environments (IDEs) on developers' machines. The newly identified malicious Open VSX extension is a near replica of WakaTime, differing only in its 'activate()' function, and it ships a native Node.js addon ('win.node' on Windows, 'mac.node' on macOS) alongside its JavaScript. Because a native addon loads straight into Node's runtime, it runs outside the JavaScript sandbox with full OS-level access. Rather than carrying the payload itself, the binary acts as a stealthy indirection for the known GlassWorm dropper: it enumerates every IDE on the system that supports VS Code extensions and infects each of them by downloading a malicious VS Code extension from an attacker-controlled GitHub account.
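The behaviour described above gives a defender a concrete thing to hunt for: an installed extension whose JavaScript loads a native '.node' addon shipped in the extension directory. The script below is an added example written for this page, not code from The Hacker News or from the GlassWorm analysis it reports. It walks the extension directories of several VS Code-compatible IDEs (the list of roots is an assumption; extend it for the IDEs in your fleet), flags extensions that bundle a real native binary (checked by PE/ELF/Mach-O magic bytes rather than by file name alone), notes whether the file name matches the reported 'win.node'/'mac.node', and records which JavaScript files 'require()' the addon. The 'in_activate' flag is a crude heuristic (does the loading file define an 'activate' function). 'build_fixture()' constructs a throwaway sample tree with one benign extension and one lookalike so the scan can be run offline; the publisher and extension names in it are invented.

```python
"""Hunt VS Code-compatible extension directories for bundled native Node addons."""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Extension roots for IDEs that load VS Code extensions. This list is an
# assumption (VS Code, VSCodium/OSS builds, Cursor, Windsurf); extend as needed.
EXTENSION_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",
    Path.home() / ".cursor" / "extensions",
    Path.home() / ".windsurf" / "extensions",
]

# Addon file names reported for the GlassWorm dropper.
REPORTED_ADDON_NAMES = {"win.node", "mac.node"}

# Matches require('./something.node') in extension JavaScript.
REQUIRE_NODE_RE = re.compile(r"""require\(\s*['"]([^'"]+\.node)['"]\s*\)""")

# Magic bytes of native shared libraries / executables.
NATIVE_MAGIC = {
    b"MZ": "PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64",
    b"\xce\xfa\xed\xfe": "Mach-O 32",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}


def binary_kind(path: Path) -> Optional[str]:
    """Return the native format of a file by its magic bytes, or None if not native."""
    head = path.read_bytes()[:4]
    for magic, kind in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_extension(ext_dir: Path) -> Optional[dict]:
    """Describe an extension that bundles a native addon; None if it bundles none."""
    pkg_path = ext_dir / "package.json"
    if not pkg_path.is_file():
        return None
    try:
        pkg = json.loads(pkg_path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        pkg = {}

    addons = []
    for p in sorted(ext_dir.rglob("*.node")):
        kind = binary_kind(p)
        if kind is None:  # e.g. a text file with an odd extension
            continue
        addons.append({
            "path": p.relative_to(ext_dir).as_posix(),
            "format": kind,
            "reported_name": p.name in REPORTED_ADDON_NAMES,
        })
    if not addons:
        return None

    loaders = []
    for js in sorted(ext_dir.rglob("*.js")):
        if "node_modules" in js.parts:
            continue  # vendored dependencies; the dropper's loader sits in the extension's own code
        text = js.read_text(encoding="utf-8", errors="replace")
        for m in REQUIRE_NODE_RE.finditer(text):
            loaders.append({
                "file": js.relative_to(ext_dir).as_posix(),
                "target": m.group(1),
                "in_activate": "activate" in text,  # crude heuristic
            })

    return {
        "dir": str(ext_dir),
        "name": pkg.get("name"),
        "publisher": pkg.get("publisher"),
        "version": pkg.get("version"),
        "native_addons": addons,
        "js_loaders": loaders,
    }


def scan_roots(roots) -> list:
    """Scan every extension directory under each root; return the flagged ones."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for ext_dir in sorted(root.iterdir()):
            if ext_dir.is_dir():
                finding = scan_extension(ext_dir)
                if finding:
                    findings.append(finding)
    return findings


def build_fixture() -> Path:
    """Constructed sample tree: one benign extension, one GlassWorm-style lookalike."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    benign = root / "example-publisher.hello-world-1.0.0"  # invented name
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({
        "name": "hello-world", "publisher": "example-publisher",
        "version": "1.0.0", "main": "./extension.js"}))
    (benign / "extension.js").write_text(
        "exports.activate = function (ctx) { console.log('hello'); };\n")

    sus = root / "example-publisher.wakatime-lookalike-1.0.0"  # invented name
    sus.mkdir()
    (sus / "package.json").write_text(json.dumps({
        "name": "wakatime-lookalike", "publisher": "example-publisher",
        "version": "1.0.0", "main": "./extension.js"}))
    (sus / "extension.js").write_text(
        "const native = require('./win.node');\n"
        "exports.activate = function (ctx) { native.run(); };\n")
    (sus / "win.node").write_bytes(b"MZ" + b"\x00" * 62)  # constructed PE header stub
    return root


if __name__ == "__main__":
    for finding in scan_roots(EXTENSION_ROOTS):
        print(json.dumps(finding, indent=2))
```

Run it as-is to scan the local machine; call 'scan_roots([build_fixture()])' to see the output shape on the constructed sample. Native addons are not malicious in themselves (several legitimate extensions ship them), so treat a hit as a triage lead: compare the package.json publisher against the one you expect for that extension name, and inspect what the JavaScript does with the addon in 'activate()'.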
Read at The Hacker News