GlassWorm's Evolution: Zig Droppers Targeting All IDEs via Open VSX

Just caught the latest report on the GlassWorm campaign, and it looks like they've pivoted to a pretty concerning supply chain tactic. Researchers found a new Zig-based dropper hiding inside a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker.

For those who missed it, this extension is masquerading as the legitimate WakaTime tracker. Once installed, the Zig dropper doesn't just sit there—it actively scans the machine to compromise other IDEs, not just VS Code. The use of Zig is notable here because it allows for cross-platform compilation and static binaries, helping them evade some traditional EDR heuristics that rely on specific OS dependencies.

I’ve whipped up a quick hunting query to check your endpoints for this specific malicious extension ID. Run this in PowerShell on your Windows dev workstations:

$MaliciousID = "specstudio.code-wakatime-activity-tracker"
$ExtPath = "$env:USERPROFILE\.vscode\extensions"

if (Test-Path $ExtPath) {
    Get-ChildItem -Path $ExtPath -Directory | 
    Where-Object { $_.Name -like "*$MaliciousID*" } | 
    Select-Object FullName, LastWriteTime
}


If you find it, investigate the `~/.wakatime` directory for unexpected binaries immediately.

Given the prevalence of developer-targeted malware lately (like the recent npm packages), how is everyone handling extension whitelisting? Are you blocking Open VSX entirely, or relying on strict signature policies?