RC RANDOM CHAOS

GlassWorm Campaign Deploys Zig-Based Dropper to Compromise Developer IDEs

Original source: "GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs", via The Hacker News

A newly identified supply-chain attack campaign dubbed GlassWorm is targeting software developers by distributing a malicious dropper written in Zig, a compiled systems language that helps the payload evade traditional detection tools tuned for C/C++ or Go binaries. The campaign targets extensions and plugins across multiple popular development environments, turning trusted IDE ecosystems into infection vectors.

The Zig dropper serves as the initial stage, establishing persistence and pulling down secondary payloads tailored to the specific IDE it finds on the compromised machine. By embedding itself within development toolchains, GlassWorm gains access to source code, credentials stored in environment files, and CI/CD pipeline configurations - high-value targets for both espionage and further supply-chain compromise.

The campaign underscores the growing trend of threat actors targeting the developer toolchain directly rather than end-user software, exploiting the implicit trust developers place in their IDE extensions and build tools.

This is an AI-generated summary. Read the original for the full story.