Just yesterday, we noted the growing threat of ransomware. Now, Jamf Threat Labs is warning that North Korean threat actors are abusing Visual Studio Code task configuration files for malware delivery in a campaign aimed at macOS software developers.

It’s a classic attempt in which developers are tricked into using maliciously crafted GitHub/GitLab projects that contain malicious JavaScript code. 

“When the project is opened, Visual Studio Code prompts the user to trust the repository author,” Jamf said. “If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.”

What is this new threat?

The malware enables execution of arbitrary JavaScript code on an infected system and collects system information and the public-facing IP address. Jamf also uncovered a JavaScript-based backdoor that provides remote code execution, persistent communication with command-and-control infrastructure and system fingerprinting on macOS system; among other things, that means the malware authors can also switch the vulnerability off and on again remotely.

The bottom line, of course, is that developers must be careful what they use when building apps. “Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unfamiliar sources,” Jamf warned.

AI, the new attack surface

What’s critical about this particular attack vector is its attempt to exploit the “vibe-coding” trend. Visual Studio Code is, after all, the open source AI code editor used by developers across the planet.

This latest exploit does make me wonder if and when we’ll begin to see additional exploits built to capitalize on the latest trends in coding. To what extent can the decision-making systems within AI code companion services be tricked into connecting to malware-infested packages?

Given the growing sophistication of threat actors and the involvement of nation states in creating threats, the latest exploit makes it crystal clear that people are already looking at this. The magnitude of this threat can only grow in future as quantum computers are used to find weaknesses in AI models that can themselves be exploited to distribute malware.

AI already famously hallucinates, so weaponizing those visions is nothing other than a logical next step. “Slopsquatting,” where attackers create malicious software packages using names AI models have already hallucinated into existance, is already a thing.

What to do?

To some extent, when using AI agents to help craft code, it becomes even more important to put that code through human code review. Developers — and users — absolutely must put their code through robust security checks, particularly against rogue permissions, data sharing, or worse. AI-generated code should never be allowed to bypass established security processes.

Further out, app distribution service providers must also wake up to the need to insert additional layers of protection within automated or human-driven code review in order to protect against this kind of weaponization in vibe coding.

This could emerge as a particular threat in the current legislative environment concerning app stores. If you think about Europe, there is a danger that as new App Stores appear, not every single code review process they put in place will be capable of catching these kinds of inserted risks. Think about the complex tapestries of spoofs, infected depositories, and fake name malwares that can be created to side-step automated code verification services. 

The answer to the AI threat will be…more AI!

AI will eventually be used to combat AI. But like everything else in life, there will always be a more powerful AI waiting in the wings to take out both protagonists and open a new chapter in the fight.

Acclaimed author and enthusiastic Mac user Douglas Adams once posited that Deep Thought, the computer, told us the answer to the ultimate question of life, the universe, and everything was 42, which only made sense once the question was redefined. But in today’s era, we cannot be certain the computer did not hallucinate.

Returning to Earth with a gentle bump, Jamf’s latest security story should be seen as a warning to coders everywhere to be wary when using third-party code. Verify before you ship, because, as Adams also wrote: “A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”

 You can follow me on social media! Join me on BlueSky,  LinkedIn, Mastodon, and MeWe.