Security researchers have found new instances of code repositories with malicious code in the tasks.json configuration file, set to execute automatically when the folder is opened in Visual Studio Code (VS Code).

In this case, VS Code is working as designed. The tasks.json file enables developers to integrate command-line tools with the editor, so that they can be executed using the Run Task or Run Build Task commands. There is also an option to run tasks automatically when the containing folder is opened. The tasks.json file, when specific to a repository, is located within the hidden .vscode folder.
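As an added illustration (not code from the article), here is a constructed `.vscode/tasks.json` containing one task set to run on folder open, together with a small Python audit helper that flags such tasks; `runOptions.runOn: "folderOpen"` is the VS Code key behind the auto-run option described above, and the sample commands are harmless placeholders.

```python
import json

# Constructed sample .vscode/tasks.json (JSONC, which VS Code accepts). Only the
# second task carries runOptions.runOn = "folderOpen"; its command is a harmless echo.
SAMPLE_TASKS_JSON = r'''
{
  // comments are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make" }, // manual only
    {
      "label": "setup",
      "command": "echo 'ran on folder open'",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
'''

def strip_jsonc_comments(text: str) -> str:
    """Drop // line comments without touching string contents (e.g. URLs)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # copy escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):        # skip to end of line, keep newline
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def find_auto_tasks(tasks_json: str) -> list[dict[str, str]]:
    """Return label and command of every task configured to run on folder open."""
    data = json.loads(strip_jsonc_comments(tasks_json))
    return [{"label": t.get("label", "<unnamed>"), "command": str(t.get("command", ""))}
            for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]
```

Running `find_auto_tasks` over every `.vscode/tasks.json` in a cloned repository before trusting the folder gives a reviewer the list of commands that would start the moment the folder is opened.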

VS Code has two protections against undesirable tasks running automatically. One is the setting Allow Automatic Tasks, which defaults to on. Second, and perhaps more important, is that folders are untrusted by default, and tasks do not run in untrusted folders. Opening a folder that contains an auto-execute task triggers a prompt warning that “creating a terminal process requires executing code.”

That said, the warning dialog highlights the “trust folder and continue” option, conveying a visual message that is at odds with the text content. In addition, VS Code has an option to trust all folders within a parent folder, and if this has been checked in the past, the new sub-folder will be trusted by default.