The GlassWorm hackers have gotten even better at what they do. This attack is aimed at people who use popular development tools like VS Code, Cursor, and Windsurf.
The attackers use trojanized extensions like code-wakatime-activity-tracker to get out of the sandbox and into the systems of their victims. If you see specstudio/code-wakatime-activity.tracker or floktokbok in your list of extensions, your system has been compromised. Change any exposed passwords right away. If a developer uses one of these editors but has VS Code running in the background, the malware will get into both.
The malware spreads to many development environments by looking for compatible IDEs, such as Visual Studio Code and VS Code Insiders. It also talks to a command-and-control server based on the Solana blockchain and drops a persistent RAT that can steal session cookies and keystrokes.
After the file is downloaded, it is deleted to hide its tracks. Aikido research shows that this second extension is the GlassWorm dropper, which targets systems outside of Russia and uses a malicious OpenVSX extension to install a persistent Remote Access Trojan (RAT). This file is a copy of steoatesautoimport, which is a popular VS Code extension.
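The extension-list check described above can be scripted across all the affected editors at once. This is an added example, not code from the article or from Aikido; the indicator strings are the ones named in the article, and the extension directories are assumed to be each editor's default per-user location.

```python
import json
import re
from pathlib import Path

# Indicator strings copied from the article; the longer
# "specstudio/code-wakatime-activity.tracker" form is covered by the first entry.
INDICATORS = ["code-wakatime-activity-tracker", "floktokbok"]

# Assumption: default per-user extension directories, relative to the home directory.
DEFAULT_ROOTS = [".vscode/extensions", ".vscode-insiders/extensions",
                 ".cursor/extensions", ".windsurf/extensions"]


def _norm(text):
    """Lowercase and drop separators so 'a.b', 'a-b' and 'a/b' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _identity(ext_dir):
    """Return the folder name plus publisher/name from package.json, if readable."""
    parts = [ext_dir.name]
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        parts += [str(manifest.get("publisher", "")), str(manifest.get("name", ""))]
    except (OSError, ValueError, AttributeError):
        pass  # missing or malformed manifest: fall back to the folder name
    return " ".join(parts)


def scan(roots):
    """Return sorted (extension_dir, indicator) pairs for every match under roots."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # editor not installed for this user
        for ext_dir in root.iterdir():
            if not ext_dir.is_dir():
                continue
            ident = _norm(_identity(ext_dir))
            hits += [(str(ext_dir), i) for i in INDICATORS if _norm(i) in ident]
    return sorted(hits)


if __name__ == "__main__":
    found = scan(Path.home() / r for r in DEFAULT_ROOTS)
    for path, indicator in found:
        print(f"MATCH {indicator}: {path}")
    raise SystemExit(1 if found else 0)
```

The script exits non-zero on any match, so it can run as a fleet check; a clean result only means these two names are absent from the scanned directories.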











