How malware abuses npm lifecycle scripts and VS Code tasks
When I talk about how malware differs from vulnerabilities, a key point I hammer is that while vulnerabilities need some kind of attack path to exploit, malicious open source “can go boom without a path.” This is critical for defenders and developers to understand, because many people still assume the best practices that help us deal with CVEs will also defend against malware: that an unused dependency isn’t a threat. Reachability is not a thing for malware.
The campaigns we've been tracking at OpenSourceMalware increasingly don't rely on an attack path at all. Threat actors are taking advantage of two commonly used software development features: npm lifecycle scripts and VS Code's task auto-execution system.
I’m not here to say “never use those features!” Lifecycle scripts and task auto-execution are features, not vulnerabilities. They exist because developing software is genuinely complex, and automation that removes friction has real value. The npm ecosystem built a lot …
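Both auto-execution points described above can be audited before a checkout is installed or opened. The example below is added here and is not code from the post or from OpenSourceMalware: it lists the package.json hooks npm runs on its own during install and the tasks.json entries marked with VS Code's `runOptions.runOn: "folderOpen"` setting, parsing tasks.json as JSONC (VS Code allows comments and trailing commas there). Both sample files are constructed.

```javascript
// Hooks npm runs by itself during `npm install`; the package is never imported.
const NPM_AUTO_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Copy `text`, passing each position outside a string literal to `onCode`,
// which returns the index to resume at or -1 to keep the character.
function rewriteOutsideStrings(text, onCode) {
  let out = "", i = 0;
  while (i < text.length) {
    if (text[i] === '"') {                      // copy a string literal whole
      let j = i + 1;
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1); i = j + 1; continue;
    }
    const next = onCode(text, i);
    if (next === -1) { out += text[i++]; } else { i = next; }
  }
  return out;
}

// VS Code reads tasks.json as JSONC (comments, trailing commas); JSON.parse does not.
function jsoncToJson(text) {
  const noComments = rewriteOutsideStrings(text, (t, i) => {
    if (t.startsWith("//", i)) { const e = t.indexOf("\n", i); return e < 0 ? t.length : e; }
    if (t.startsWith("/*", i)) { const e = t.indexOf("*/", i + 2); return e < 0 ? t.length : e + 2; }
    return -1;
  });
  return rewriteOutsideStrings(noComments, (t, i) =>
    t[i] === "," && /^\s*[}\]]/.test(t.slice(i + 1)) ? i + 1 : -1);
}

function findNpmAutoHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return NPM_AUTO_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

function findFolderOpenTasks(tasksJsonText) {
  const tasks = JSON.parse(jsoncToJson(tasksJsonText)).tasks || [];
  return tasks.filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
              .map((t) => ({ label: t.label, command: t.command }));
}

// Constructed sample inputs, not taken from any real package or repository.
const SAMPLE_PACKAGE_JSON = '{"name":"example-pkg","scripts":{"test":"node test.js","postinstall":"node setup.js"}}';
const SAMPLE_TASKS_JSON = `{ "version": "2.0.0", // comments and trailing commas are legal in tasks.json
  "tasks": [ { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "bootstrap", "type": "shell", "command": "node .vscode/init.js",
      "runOptions": { "runOn": "folderOpen" } }, /* fires when the folder is opened */ ] }`;

console.log("npm hooks that run on install:", findNpmAutoHooks(SAMPLE_PACKAGE_JSON));
console.log("tasks that run on folder open:", findFolderOpenTasks(SAMPLE_TASKS_JSON));
```

Pair the audit with `npm config set ignore-scripts true` so lifecycle hooks never run until someone has read them.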