logo

Small Open-Source Maintainers Targeted by VS Code Tasks Malware

ID: c3ed96ff-b3b8-53b4-b3dd-be5f2f7efc3c

STIX ID: report--c3ed96ff-b3b8-53b4-b3dd-be5f2f7efc3c

Feed Name: OpenSourceMalware Blog

Threat Score
75/100

Date Published: 2026-01-26

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

OpenSourceMalware reports an active campaign that has compromised 21 small open-source repositories by adding malicious .vscode/tasks.json files that auto-execute curl/wget commands on folder open to fetch platform-specific scripts; payloads observed so far are innocuous but can be swapped for credential-stealing or supply-chain malware. The post includes IOCs (vscode-extension-260120.vercel.app URLs), mitigation guidance (disable automatic tasks, review .vscode folders, use hooks), and notes similarities to DPRK/Lazarus TTPs.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.