What's Happening?
Cybersecurity researchers have identified a new evolution of the GlassWorm campaign, which uses a Zig dropper to infect integrated development environments (IDEs) on developers' machines. The campaign was discovered in an Open VSX extension named 'specstudio.code-wakatime-activity-tracker,' which mimics WakaTime, a popular tool for tracking programming time. The extension installs a Zig-compiled binary that infects all IDEs supporting VS Code extensions, including Microsoft VS Code and its forks. The binary downloads a malicious extension from a GitHub account, which acts as a dropper to install a remote access trojan and an information-stealing Chrome extension.
Why Is It Important?
This development highlights the growing threat of supply chain attacks in the software development ecosystem. By targeting IDEs, attackers can potentially gain access to sensitive code and intellectual property, posing significant risks to software companies and their clients. The use of a Zig dropper and the ability to infect multiple IDEs demonstrate the sophistication of modern cyber threats. This incident underscores the need for robust security measures and vigilance in managing software dependencies and extensions.
What's Next?
Developers who have installed the compromised extensions are advised to assume their systems are compromised and rotate all secrets. This incident may prompt a review of security practices in the software development community, including the vetting of third-party extensions and the implementation of stricter access controls. Organizations may also increase investments in cybersecurity tools and training to mitigate the risk of similar attacks in the future.
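As an added, defender-side example (not code from the report or from any project it names), the following Python script inventories the extension folders of VS Code-compatible IDEs, flags the extension ID named above as known-malicious, and flags any other extension whose ID borrows the WakaTime name without being the trusted one. The extension root paths and the trusted WakaTime ID are assumptions to adjust for your environment; the fixture it builds contains only fake manifests.

```python
import json
import tempfile
from pathlib import Path
# Extension ID named in the report (Open VSX / VS Code IDs are publisher.name).
KNOWN_BAD_IDS = {"specstudio.code-wakatime-activity-tracker"}
# Assumption: the genuine WakaTime extension ID; replace with your own allowlist.
TRUSTED_LOOKALIKE_IDS = {"wakatime.vscode-wakatime"}
# Assumption: extension roots of VS Code and one fork; add your IDEs' paths.
DEFAULT_ROOTS = [Path.home() / d / "extensions" for d in (".vscode", ".vscode-oss")]

def scan_root(root):
    """Return (ext_id, verdict, folder) for every extension folder under root."""
    root, findings = Path(root), []
    if not root.is_dir():
        return findings
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        try:  # each extension folder carries its own package.json manifest
            m = json.loads((folder / "package.json").read_text("utf-8"))
        except (OSError, ValueError):
            findings.append(("?", "unreadable-manifest", str(folder)))
            continue
        ext_id = f"{m.get('publisher', '')}.{m.get('name', '')}".lower()
        if ext_id in KNOWN_BAD_IDS:
            verdict = "known-malicious"
        elif "wakatime" in ext_id and ext_id not in TRUSTED_LOOKALIKE_IDS:
            verdict = "wakatime-lookalike"  # borrows the name, is not the real one
        else:
            verdict = "ok"
        findings.append((ext_id, verdict, str(folder)))
    return findings

def suspicious(root):
    return {i: v for i, v, _ in scan_root(root) if v != "ok"}  # only non-ok hits

def build_fixture():
    """Constructed sample extension root (fake manifests only) for offline testing."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = [("WakaTime", "vscode-wakatime"), ("someone", "wakatime-pro"),
               ("specstudio", "code-wakatime-activity-tracker"), ("ms-python", "python")]
    for publisher, name in samples:
        folder = root / f"{publisher}.{name}-1.0.0"
        folder.mkdir()
        (folder / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name}), "utf-8")
    return root

if __name__ == "__main__":  # scan the real roots; report only non-ok findings
    for r in DEFAULT_ROOTS:
        for hit, verdict in suspicious(r).items():
            print(f"{verdict:20} {hit:45} {r}")
```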