DEVSPOPPER

These repositories look like legitimate projects but carry hidden malicious code that runs the moment the developer opens the folder.

The first abuses Visual Studio Code workspace files, specifically a hidden file called .vscode/tasks.json, configured to run automatically when the developer opens the project folder. When the developer accepts the workspace trust prompt, the malicious task executes without further interaction, fetching a backdoor from a remote URL or launching a disguised file inside the repository carrying the payload.

The first abuses Visual Studio Code workspace files, specifically a hidden file called .vscode/tasks.json, configured to run automatically when the developer opens the project folder. When the developer accepts the workspace trust prompt, the malicious task executes without further interaction, fetching a backdoor from a remote URL or launching a disguised file inside the repository carrying the payload.

The RAT detects and avoids CI/CD environments and cloud sandboxes, running only on real developer workstations, so automated pipeline scanning will miss it.

The RAT detects and avoids CI/CD environments and cloud sandboxes, running only on real developer workstations, so automated pipeline scanning will miss it.

It connects to a command-and-control server via WebSocket and uses HTTP for file exfiltration.

The delivered payload is a variant of the DEVSPOPPER remote access trojan, a cross-platform Node.js-based tool.

It connects to a command-and-control server via WebSocket and uses HTTP for file exfiltration.