Security researchers at JFrog and Nextron Research have uncovered a supply chain campaign that weaponizes VS Code's workspace task runner to bypass npm's lifecycle script security controls. At least 18 poisoned packages — spanning npm and Go — were observed delivering a Python infostealer capable of exfiltrating credentials, crypto wallets, and cloud storage tokens across Windows, Linux, and macOS.
The Novel Bypass Technique
npm v12 introduced hardened restrictions on lifecycle scripts (preinstall, postinstall, install) that had long been abused for malicious code execution during package installation. This campaign sidesteps that defence entirely by embedding malware in a .vscode/tasks.json file that declares an auto-run task.
When a developer opens the compromised project folder in VS Code, the editor automatically executes the declared task — no npm install step required, and no lifecycle hook policy blocks it.
VS Code v1.109 (January 2026) introduced "task.allowAutomaticTasks": "off" as a default setting to address this attack class, and v1.110 (February 2026) added a secondary prompt warning when auto-run tasks are detected in newly opened workspaces. Older VS Code installations remain fully exposed.
Affected Packages
JFrog identified two malicious npm packages uploaded on May 25, 2026 (since removed from the registry):
html-to-gutenbergv4.2.11fetch-page-assetsv1.2.9
Nextron Research independently identified 16 additional Go packages where attackers had injected malware into the latest release of otherwise-legitimate modules.
Attack Chain
Once the VS Code task fires, the malware executes the following sequence:
- Blockchain dead-drop C2: Retrieves encrypted JavaScript payload from a blockchain transaction — a technique that makes the C2 channel difficult to block via domain or IP filtering.
- Socket.io backdoor: Establishes a persistent reverse channel to attacker infrastructure.
- Python infostealer download and execution: Fetches and runs the main stealer payload.
The Python stealer optionally exfiltrates stolen data both to the C2 server and to a Telegram bot channel.
What the Infostealer Targets
The payload is comprehensive in scope:
- Browser credentials: Chromium and Firefox saved passwords, cookies, and session tokens
- Password managers: Vault data from popular cross-platform managers
- Authenticator apps: TOTP seed exports where accessible
- Crypto wallets: Browser extension wallets and desktop wallet files
- Developer credentials: Git config (username/email/tokens), GitHub CLI (
~/.config/gh), GitHub Desktop session tokens - VS Code artifacts: Global storage, settings sync tokens, extension authentication
- OS credential stores: Windows Credential Manager, Linux Secret Service (libsecret/GNOME Keyring), macOS Keychain
- Cloud storage metadata: Dropbox, Google Drive, OneDrive, iCloud, Box, Mega, pCloud — OAuth tokens and sync configs
All harvested data is ZIPped and exfiltrated before the process cleans up after itself.
Who Is at Risk
Any developer who:
- Clones or opens an affected package's repository directly in VS Code (rather than consuming it as a dependency)
- Runs a VS Code version older than 1.109
- Has
"task.allowAutomaticTasks"set to anything other than"off"
The attack is particularly dangerous in CI/CD pipelines where repositories are checked out and opened programmatically, and in monorepo setups where a compromised transitive dependency's source tree might be present.
Recommended Actions
- Update VS Code to at least v1.109 and verify
"task.allowAutomaticTasks"is set to"off"in your user settings. - Audit
.vscode/tasks.jsonfiles in any repository you didn't author — look for tasks with"runOn": "folderOpen"or shell commands that fetch and execute remote content. - Scan Go modules with tools like
govulncheckor Nextron's findings list for affected module paths. - Check for Compromise: If you opened an affected package before the removal date (May 25, 2026 onward), rotate all developer credentials, git tokens, crypto wallet keys, and browser session cookies immediately.
- Restrict npm registry access in CI: use lockfiles, integrity hashes, and private mirrors that snapshot approved versions.