GlassWorm Leverages Zig Dropper, Marimo RCE Exploited
The GlassWorm campaign is back in the spotlight, showing a clear evolution in its toolkit. According to Cyber Threat Intelligence, this campaign is now utilizing a Zig-based dropper, cunningly disguised within a fake IDE extension. This isn’t just about dropping a payload; it’s a targeted approach to compromise developer tools and, by extension, the systems they run on. We’ve seen this play out before: threat actors going after developers to gain a foothold deeper in the supply chain. The use of Zig, a relatively modern and low-level language, is a smart move for evading traditional detections.
Beyond GlassWorm, Cyber Threat Intelligence also highlighted several other critical developments. CVE-2026-39987, a Marimo RCE, was actively exploited mere hours after its disclosure – a stark reminder that disclosure often means immediate weaponization. Furthermore, UAT-10362 is now linked to LucidRook attacks, specifically targeting institutions in Taiwan. This indicates a focused, potentially state-sponsored effort. A critical flaw in the EngageLab SDK has also been revealed, exposing private data for an estimated 50 million Android devices, and a Bitcoin Depot hack led to a hefty $3.6 million Bitcoin theft through stolen credentials.
Rounding out the intel, Cyber Threat Intelligence reported a Eurail data breach impacting nearly 309,000 individuals, an active Adobe Reader zero-day being exploited via malicious PDFs, and the Masjesu botnet actively targeting IoT devices while managing to sidestep high-profile network defenses. The alleged breach of China’s National Supercomputing Center is also raising eyebrows, signaling potential geopolitical tremors. Lastly, the continued exposure of ICS devices to the internet remains a major red flag for critical infrastructure sectors globally.
What This Means For You
- If your development teams are using new IDE extensions, scrutinize their origins immediately: GlassWorm's Zig dropper is a real threat.
- For those running Marimo, patch CVE-2026-39987 *now* if you haven't already; exploitation is active.
- Android developers using EngageLab SDKs need to assess their exposure to the disclosed flaw impacting 50 million devices.
- Audit your IoT device security for Masjesu botnet indicators.
- For critical infrastructure, ensure your ICS devices are not internet-exposed.
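One practical way to act on the first point is a periodic inventory of installed IDE extensions that flags unexpected publishers and any native binaries bundled inside an extension directory (a compiled dropper, in Zig or any other language, has to land on disk somewhere). The script below is an added example and is not code from the article or from any vendor; it assumes a VS Code-style layout where each extension directory carries a package.json with `name`, `publisher` and `version`, and the allowlist and sample manifests are constructed for illustration.

```python
"""Inventory IDE extensions and flag unvetted publishers or bundled native code.

Added example, not code from the article. Assumes a VS Code-style layout
(each extension directory holds a package.json with "name", "publisher" and
"version"); the allowlist and the sample manifests below are constructed.
"""
import json
from pathlib import Path

# Constructed allowlist: publishers your organisation has vetted.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "golang"}

# Suffixes that indicate a native binary shipped inside an extension.
# A pure-JavaScript extension normally ships none of these.
NATIVE_SUFFIXES = {".exe", ".dll", ".so", ".dylib", ".node"}

# Constructed sample data: (manifest, relative file paths inside the extension dir).
SAMPLE_EXTENSIONS = [
    ({"name": "python", "publisher": "ms-python", "version": "2024.4.1"},
     ["extension.js", "package.json"]),
    ({"name": "go", "publisher": "golang", "version": "0.41.0"},
     ["dist/extension.js", "package.json"]),
    # Look-alike publisher name plus a native helper binary: the pattern to flag.
    ({"name": "python-pro-helper", "publisher": "ms-pyth0n", "version": "0.0.3"},
     ["extension.js", "bin/helper.exe", "package.json"]),
]


def audit_extension(manifest, files, trusted=TRUSTED_PUBLISHERS):
    """Return a list of findings for one extension (empty means nothing suspicious)."""
    findings = []
    publisher = manifest.get("publisher", "")
    if publisher not in trusted:
        findings.append(f"publisher '{publisher}' is not on the allowlist")
    natives = [f for f in files if Path(f).suffix.lower() in NATIVE_SUFFIXES]
    if natives:
        findings.append("ships native binaries: " + ", ".join(natives))
    return findings


def audit_all(extensions):
    """Map 'publisher.name@version' -> findings, for every extension with findings."""
    report = {}
    for manifest, files in extensions:
        key = f"{manifest['publisher']}.{manifest['name']}@{manifest['version']}"
        findings = audit_extension(manifest, files)
        if findings:
            report[key] = findings
    return report


def audit_install_dir(root):
    """Walk a real extensions directory (for example ~/.vscode/extensions) and audit
    every subdirectory that contains a package.json."""
    extensions = []
    for pkg in Path(root).glob("*/package.json"):
        manifest = json.loads(pkg.read_text(encoding="utf-8"))
        files = [str(p.relative_to(pkg.parent))
                 for p in pkg.parent.rglob("*") if p.is_file()]
        extensions.append((manifest, files))
    return audit_all(extensions)


if __name__ == "__main__":
    # Runs against the constructed sample; point audit_install_dir() at a real path to audit a machine.
    for ext, findings in audit_all(SAMPLE_EXTENSIONS).items():
        print(ext)
        for finding in findings:
            print("  -", finding)
```

Run on the constructed sample it reports only the look-alike `ms-pyth0n` extension, once for the publisher and once for the bundled `.exe`. The allowlist is deliberately strict: an unknown publisher is a finding even when the extension looks benign, which is the right default when the attack surface is developer workstations.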