Malicious VS Code tasks.json abuse enables multi-stage infostealer deployment
ID: 07bd1ca6-a390-515f-a9b7-f11326af20b5
STIX ID: report--07bd1ca6-a390-515f-a9b7-f11326af20b5
Feed Name: ThreatLocker Blog
ThreatLocker analyzed a malicious VS Code tasks.json that, once a project is marked trusted, downloads and executes multi-stage Node.js payloads to install a feature-rich infostealer. The payloads perform user and host enumeration, initialize an LDB component, recursively scan and exfiltrate sensitive files, continuously capture clipboard contents, and communicate with attacker infrastructure via Axios and WebSockets. The report includes SHA-256s, domains, an IP, analysis of obfuscation and anti-analysis techniques, and practical mitigation and hardening recommendations for developer environments.
