Skip to content

codenote-net/vscode-folderopen-malware-demo

Repository files navigation

vscode-folderopen-malware-demo

Safe, reproducible demo of VS Code folder-open tasks, npm lifecycle scripts, and localhost-only environment variable collection.

What this demo shows

This repository demonstrates two developer-targeted execution paths:

  • VS Code and Cursor folder-open task execution through .vscode/tasks.json and runOptions.runOn: "folderOpen".
  • npm lifecycle execution through package.json scripts such as prepare.

It also demonstrates an environment-variable collection pattern safely. The runnable demo sends only variables whose names start with CODENOTE_DEMO_ to a collector bound to 127.0.0.1:47391.

Safety notice

This repository intentionally contains controlled examples of local execution triggers. Review it before opening fixture folders in an editor or running package-manager commands.

Safety boundaries:

  • No root-level .vscode/tasks.json is included.
  • Runnable code never sends full process.env.
  • Runnable code sends only CODENOTE_DEMO_ variables.
  • The collector listens on 127.0.0.1:47391 by default.
  • Sensitive-looking demo variable names are masked in collector logs.
  • Dangerous examples are inert .sample.json files under samples/.
  • There are no runnable curl | bash, wget | sh, PowerShell download-execute, or remote-code-execution payloads.

Runtime

The target runtime is Node.js 26.2.0.

Install it with mise:

mise install
node -v
npm -v

The runtime pin is stored in .mise.toml.

Threat pattern A: VS Code folder-open tasks

VS Code tasks can request folder-open execution with:

{
  "runOptions": {
    "runOn": "folderOpen"
  }
}

The safe fixture is here:

fixtures/vscode-folderopen-env-demo/.vscode/tasks.json

It runs the local safe env client and uses presentation.reveal: "always" so the behavior is visible.

Threat pattern B: npm lifecycle scripts

npm can execute lifecycle scripts during install operations. The fixture uses a prepare script:

fixtures/npm-prepare-env-demo/package.json

Run it only with demo-scoped variables:

CODENOTE_DEMO_REGION=ap-northeast-1 \
CODENOTE_DEMO_GITHUB_TOKEN=fake-gh-token \
npm install --package-lock=false --prefix fixtures/npm-prepare-env-demo

Threat pattern C: environment variable collection

The safe client reads process.env, filters to CODENOTE_DEMO_, and sends only those variables to the local collector.

The collector masks names containing:

  • SECRET
  • TOKEN
  • KEY
  • PASSWORD
  • CREDENTIAL

Example collector output:

[collector] received /collect from npm-prepare-env-demo
[collector] variableCount=2
CODENOTE_DEMO_GITHUB_TOKEN=***masked***
CODENOTE_DEMO_REGION=ap-northeast-1

Demo architecture

apps/collector/server.js
packages/safe-env-client/send-demo-env.js
fixtures/npm-prepare-env-demo/package.json
fixtures/vscode-folderopen-env-demo/.vscode/tasks.json
samples/dangerous-package.sample.json
samples/dangerous-tasks.sample.json
scripts/scan.js
scripts/walkthrough.js

Local reproduction

Install dependencies:

npm ci

The npm lifecycle fixtures are intentionally not part of the root npm workspaces. A root npm ci must not trigger the demo prepare script. Run the fixture only with the scoped command shown below.

Start the collector:

npm run collector

In another terminal, run the safe npm lifecycle demo:

CODENOTE_DEMO_REGION=ap-northeast-1 \
CODENOTE_DEMO_GITHUB_TOKEN=fake-gh-token \
npm install --package-lock=false --prefix fixtures/npm-prepare-env-demo

To demonstrate VS Code behavior, inspect the fixture first, then open only the fixture folder:

code fixtures/vscode-folderopen-env-demo

Scanner usage

Run the scanner:

npm run scan

The scanner reports intentionally suspicious patterns but exits 0 by default so CI can show findings without blocking.

Fail on high-severity findings:

npm run scan -- --fail-on-high

The scanner detects:

  • runOptions.runOn: "folderOpen"
  • presentation.reveal: "never"
  • suspicious shell terms such as curl, wget, bash, sh, powershell, Invoke-WebRequest, iwr, and iex
  • npm lifecycle scripts
  • JavaScript primitives such as process.env, new Function, eval(, child_process, axios.post, and fetch(

Walkthrough modes

Print the deterministic walkthrough:

npm run walkthrough

Run only the safe npm fixture from the walkthrough script after starting the collector:

npm run walkthrough -- --run-safe-npm-demo

The walkthrough script does not open VS Code automatically.

Claude Code and Codex skills

Claude Code walkthrough skill:

.claude/skills/vscode-folderopen-malware-demo-walkthrough/SKILL.md

Codex walkthrough skill source:

agent-skills/codex/vscode-folderopen-malware-demo-walkthrough/SKILL.md

Install the Codex skill:

mkdir -p "$CODEX_HOME/skills"
cp -R agent-skills/codex/vscode-folderopen-malware-demo-walkthrough "$CODEX_HOME/skills/"

If CODEX_HOME is not set:

mkdir -p "$HOME/.codex/skills"
cp -R agent-skills/codex/vscode-folderopen-malware-demo-walkthrough "$HOME/.codex/skills/"

The skills reference the repository scripts instead of hiding executable behavior inside agent-specific instructions.

Tooling policy

This repository uses:

  • Biome for formatting and linting.
  • gitleaks for secret scanning.

Run checks:

npm run check
npm run scan
npm run gitleaks

Dependency and CI pinning

Reproducibility rules:

  • npm only.
  • package-lock.json is committed.
  • .npmrc sets save-exact=true.
  • npm dependency versions are exact.
  • GitHub Actions are pinned by full commit SHA.
  • The workflow comments include the human-readable action versions.
  • CI installs gitleaks v8.30.1 from a pinned release asset and verifies the SHA-256 checksum.

What to check before opening an unknown repo

Before opening a technical-test, recruiter, or unfamiliar repository in an editor:

  • Inspect .vscode/tasks.json.
  • Inspect package.json lifecycle scripts.
  • Inspect shell scripts and installer scripts.
  • Look for download-execute patterns.
  • Look for code that reads process.env and performs network calls.
  • Prefer browser inspection or static tooling before opening the folder in an editor.

git clone mainly writes files. Opening a folder in an editor and running package-manager commands can execute code.

Incident response checklist

If a suspicious repository was already opened or installed:

  • Assume exposed local credentials may be compromised.
  • Stop running processes from that repository.
  • Disconnect network access if active exfiltration is suspected.
  • Rotate tokens, API keys, SSH keys, and cloud credentials.
  • Review shell history, editor tasks, package-manager logs, and process history.
  • Rebuild affected development environments when trust is unclear.

References

About

Safe demo of VS Code folderOpen tasks, npm lifecycle scripts, and localhost-only environment variable collection

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors