Cyber Threat Brief — April 26 2026
⚠️ This report is AI-generated. Always validate findings.
1. GlassWorm Phase 4 — 73 Open VSX Sleeper Extensions Activate
TL;DR: Socket identified 73 new GlassWorm-linked impersonation extensions on Open VSX, 6 already activated with malware using Zig-compiled native binaries that enumerate and infect every IDE on the host. This is a significant escalation from Phase 3 (March 2026, 72 extensions).
What’s New:
- 73 sleeper extensions published by single-purpose GitHub accounts (one empty repo with 8-char random name) clone popular extensions (e.g., Turkish Language Pack, WakaTime)
- 6 extensions activated — deliver malware via Zig-compiled `.node` native addons (win.node/mac.node) that bypass the JavaScript sandbox with full OS access
- Dropper enumerates all VS Code-compatible IDEs (VS Code, Cursor, Windsurf, VSCodium, Positron) and force-installs malicious `.vsix` packages from GitHub Releases
- Solana blockchain dead-drop C2 resolver persists; Chrome extension keylogger RAT as final payload
- Geofences Russian systems (skips execution); `~/init.json` persistence mechanism carried over from Phase 3
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| specstudio.code-wakatime-activity-tracker | Malicious Open VSX extension | T1195.002 | IDE extension audit | Remove, treat host as compromised |
| floktokbok.autoimport | Malicious secondary extension | T1195.002 | IDE extension audit | Remove if present in any IDE |
| win.node / mac.node (Zig binaries in extension dir) | Native dropper | T1059 | EDR (file create, process exec) | Hunt in VS Code/Cursor/Windsurf extension dirs |
| ~/init.json | Persistence config | T1547 | EDR (file create) | Hunt across developer workstations |
| GitHub accounts with 1 empty 8-char repo | Staging infrastructure | T1583.001 | GitHub audit log | Correlate with extension installs |
| .vsix downloads from GitHub Releases by IDE CLI | Payload delivery | T1105 | Proxy/EDR (network + CLI args) | Alert on --install-extension with GitHub Release URLs |
| Solana RPC calls from non-crypto processes | C2 dead-drop | T1102.001 | Proxy/DNS | Alert on Solana API calls from dev tools |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No coverage for malicious IDE extension installs or .node native addon execution |
| Elastic | None | No coverage for Zig binary execution from extension directories |
| Sigma | proc_creation_win_vscode_extension_sideload.yml (partial) | Covers --install-extension CLI but not native .node addon loading or cross-IDE enumeration |
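The Actionable Intel table asks for three host-side hunts (the two named extension IDs, win.node/mac.node in any IDE extension directory, and ~/init.json), and the Detection table notes that none of the stock rule sets cover native .node addons in extension folders. The script below is an added example, not code from the brief or from Socket; it walks the extension directories of the IDEs the brief names and reports those artifacts. The per-IDE directory names and the <publisher>.<name>-<version> folder layout with a package.json manifest are assumptions of this example (the VS Code convention), and the sample tree it runs against is constructed.

```python
"""Hunt for the GlassWorm Phase 4 host artifacts listed in the brief.

Added example, not code from the brief or from Socket. Assumptions not stated
in the brief: the per-IDE extension directory names below, and that installed
extension folders are named <publisher>.<name>-<version> with a package.json
manifest (the VS Code convention).
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Extension identifiers named in the brief (publisher.name, lower-cased).
MALICIOUS_EXTENSION_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Native addon file names the brief attributes to the Zig-compiled dropper.
NATIVE_DROPPER_NAMES = {"win.node", "mac.node"}

# ASSUMED extension directory per IDE, relative to the user's home directory.
# Verify these against your own installs before rolling the hunt out.
IDE_EXTENSION_DIRS = {
    "VS Code": ".vscode/extensions",
    "VSCodium": ".vscode-oss/extensions",
    "Cursor": ".cursor/extensions",
    "Windsurf": ".windsurf/extensions",
    "Positron": ".positron/extensions",
}


def extension_id(ext_dir: Path) -> str:
    """Return publisher.name for an installed extension folder.

    Prefer the package.json manifest; fall back to the folder name with the
    trailing -<version> stripped.
    """
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        if data.get("publisher") and data.get("name"):
            return f"{data['publisher']}.{data['name']}".lower()
    except (OSError, ValueError):
        pass
    head, sep, tail = ext_dir.name.rpartition("-")
    if sep and tail[:1].isdigit():
        return head.lower()
    return ext_dir.name.lower()


def hunt(home: Path) -> list[dict]:
    """Scan every known IDE extension directory under `home`; return findings."""
    findings: list[dict] = []
    for ide, rel in IDE_EXTENSION_DIRS.items():
        root = home / rel
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id = extension_id(ext_dir)
            if ext_id in MALICIOUS_EXTENSION_IDS:
                findings.append({"ide": ide, "indicator": "malicious-extension-id",
                                 "detail": ext_id, "path": str(ext_dir)})
            # Native addons are uncommon in extensions: the two names from the
            # brief are flagged as the dropper, any other .node file is queued
            # for review rather than ignored.
            for addon in sorted(ext_dir.rglob("*.node")):
                kind = ("native-dropper" if addon.name in NATIVE_DROPPER_NAMES
                        else "native-addon-review")
                findings.append({"ide": ide, "indicator": kind,
                                 "detail": addon.name, "path": str(addon)})
    # The Phase 3/4 persistence config sits directly in the home directory.
    init_json = home / "init.json"
    if init_json.is_file():
        findings.append({"ide": "-", "indicator": "persistence-config",
                         "detail": "~/init.json", "path": str(init_json)})
    return findings


def build_sample_home(base: Path) -> Path:
    """Create a CONSTRUCTED home directory that mimics an infected workstation."""
    bad = base / ".vscode/extensions/specstudio.code-wakatime-activity-tracker-0.0.3"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "specstudio", "name": "code-wakatime-activity-tracker"}))
    (bad / "dist").mkdir()
    (bad / "dist" / "win.node").write_bytes(b"MZ\x00constructed-not-a-real-binary")
    clean = base / ".cursor/extensions/someone.benign-1.2.0"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(
        json.dumps({"publisher": "someone", "name": "benign"}))
    (base / "init.json").write_text("{}")
    return base


def run_demo() -> list[str]:
    """Run the hunt over the constructed sample tree; return indicators found."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = hunt(build_sample_home(Path(tmp)))
    return sorted(f["indicator"] for f in findings)


if __name__ == "__main__":
    for indicator in run_demo():
        print(indicator)
    # On a real workstation: for f in hunt(Path.home()): print(f)
```

On a real host, call `hunt(Path.home())` and feed the findings to your EDR or ticketing pipeline; a `malicious-extension-id` or `native-dropper` hit should be handled as the brief's table says (treat the host as compromised), while `native-addon-review` is a lower-confidence queue for analysts, since a few legitimate extensions do ship native modules.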
Sources: Socket Research · CybersecurityNews · THN — Zig Dropper
Status Updates
- Bitwarden/TeamPCP Supply Chain (April 25): No new artifacts. @bitwarden/[email protected] deprecated, Shai-Hulud worm IOCs unchanged. Original brief.
- CVE-2024-7399 (Samsung MagicINFO 9): Active Mirai tuxnokill exploitation continues. Federal deadline May 15. Patch 21.1050.0 still incomplete — keep internet-facing instances offline. Original brief.
- CVE-2024-57726/57728 (SimpleHelp RMM): DragonForce ransomware precursor chain active. Federal deadline May 15. Upgrade to ≥5.5.8. Original brief.
- RedSun/UnDefend (Windows Defender): Still unpatched. BlueHammer (CVE-2026-33825) patched April 14 + CISA KEV April 22. Monitor `TieringEngineService.exe` hash changes and `MsMpEng.exe` writing PE/DLL under System32. Original brief.
- CVE-2026-33626 (LMDeploy SSRF): Exploitation ongoing from 103.116.72[.]119. Fixed in 0.12.3. Hunt for IMDS/internal service access from VLM endpoints. Original brief.
- CVE-2026-35616 (FortiClient EMS): Full fix 7.4.7 still pending; hotfix only. No Fortinet IOCs published. Hunt for EMS process spawning cmd/PowerShell. Original brief.