Small Open-Source Maintainers Targeted by VS Code Tasks Malware
ID: c3ed96ff-b3b8-53b4-b3dd-be5f2f7efc3c
STIX ID: report--c3ed96ff-b3b8-53b4-b3dd-be5f2f7efc3c
Feed Name: OpenSourceMalware Blog
Date Published: 2026-01-26
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
OpenSourceMalware reports an active campaign that has compromised 21 small open-source repositories by adding malicious .vscode/tasks.json files that auto-execute curl/wget commands on folder open to fetch platform-specific scripts; payloads observed so far are innocuous but can be swapped for credential-stealing or supply-chain malware. The post includes IOCs (vscode-extension-260120.vercel.app URLs), mitigation guidance (disable automatic tasks, review .vscode folders, use hooks), and notes similarities to DPRK/Lazarus TTPs.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
