Threat Actors Expand Abuse of Microsoft Visual Studio Code
Summary
Jamf Threat Labs reports that threat actors linked to North Korea (DPRK) are expanding their abuse of Visual Studio Code, using a repository's tasks.json to deliver a remote backdoor on macOS. The attack chain is: the victim clones a malicious repository, opens it in VS Code and trusts it (Workspace Trust otherwise blocks task execution), and a task defined in tasks.json launches a JavaScript payload under Node.js that beacons to a command-and-control (C2) server. The researchers note obfuscated code, a rapid beaconing interval, and signs that the code was generated with AI assistance. The recommended defenses are vetting repositories before trusting them in the editor and enabling endpoint threat-prevention controls.
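As an added example, not code from the Jamf report or from VS Code itself, the following Python scanner implements the repository-vetting step: before trusting a cloned repository, it parses the repo's .vscode/tasks.json and flags any task carrying "runOptions": {"runOn": "folderOpen"}, the VS Code setting that makes a task execute automatically once the workspace is trusted. The sample tasks.json, the task labels, and the list of interpreters it treats as suspicious are constructed for this example and are assumptions, not indicators from the report.

```python
"""Flag auto-run tasks in a VS Code tasks.json before trusting a cloned repo.

Assumption (not from the Jamf report): VS Code runs a task automatically after
the workspace is trusted when the task has "runOptions": {"runOn": "folderOpen"}.
The sample below is constructed for this example.
"""
import json
import re

# Interpreters and downloaders whose presence in an auto-run task deserves review.
# This list is an assumption for the example, not an indicator set from the report.
SUSPICIOUS_BINARIES = {"node", "curl", "wget", "osascript", "bash", "sh", "python", "python3"}

# Constructed sample: one benign build task and one folder-open task that launches Node.
SAMPLE_TASKS_JSON = r"""
{
  // VS Code allows comments and trailing commas in tasks.json (JSONC).
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["./.vscode/init.js", "https://example.invalid/beacon"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}
"""


def strip_jsonc(text: str) -> str:
    """Remove /* */ comments, whole-line // comments and trailing commas so json.loads accepts JSONC.
    Only line-leading // comments are stripped, so URLs inside strings survive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def task_command_line(task: dict) -> str:
    """Join the task's command and args into one string for inspection."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def find_autorun_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task configured to run on folderOpen."""
    data = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmdline = task_command_line(task)
        tokens = set(re.findall(r"[A-Za-z0-9_.\-]+", cmdline))
        # A task that hides its terminal output is more suspicious than one that shows it.
        hidden = bool(task.get("hide", False)) or task.get("presentation", {}).get("reveal") == "never"
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": cmdline,
            "suspicious": sorted(tokens & SUSPICIOUS_BINARIES),
            "hidden": hidden,
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] auto-run task {f['label']!r}: {f['command']} "
              f"suspicious={f['suspicious']} hidden={f['hidden']}")
```

Run it against `.vscode/tasks.json` of any repository before clicking "Trust" in VS Code; any finding means opening the folder in trusted mode will execute that command with no further prompt, so the task body should be read before the repository is trusted.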