Hijacked npm and Go Packages Exploit VS Code MCP to Deploy Infostealer

Hijacked npm and Go packages exploit VS Code's MCP tasks to bypass npm lifecycle hook protections and deploy a cross-platform Python infostealer.

    Security researchers have uncovered hijacked npm packages and malicious Go packages that exploit VS Code’s Model Context Protocol configuration mechanism to deploy a cross-platform Python information stealer. The technique sidesteps npm’s lifecycle hook protections by delivering the payload through the IDE’s AI tool integration layer instead of through the package’s own lifecycle hooks.

    How Attackers Bypassed npm Lifecycle Hook Protections via VS Code MCP Task Configuration

    npm’s lifecycle hooks — preinstall, postinstall, and prepare — are designed to detect and block malicious commands running during package installation. The attack discovered by researchers does not trigger those hooks. Instead, compromised packages modify or inject into .vscode/tasks.json, the configuration file VS Code uses for its Model Context Protocol task integration with AI coding assistants.

    When a developer opens a workspace containing one of the affected packages, VS Code’s MCP-enabled AI coding integration reads and executes the task configuration on workspace load. The malicious instructions run through this pathway without engaging npm’s lifecycle hook execution monitoring, because npm is not the executor — VS Code is.

    Attack Delivery: Workspace Load as the Trigger for Python Infostealer Execution

    The attack chain begins with a compromised npm or malicious Go package entering a developer’s dependency graph. The package modifies the .vscode/tasks.json MCP configuration file rather than inserting code into package scripts. When the developer opens their workspace in VS Code with an AI coding assistant enabled, the MCP task configuration executes automatically, deploying the Python-based infostealer payload without any explicit action by the developer beyond opening the project.

    The Python infostealer targets Windows, Linux, and macOS, giving the attack reach across every major platform developers work on. The cross-platform design reflects the deliberate targeting of the developer population as a whole rather than any single operating system user base.

    Targeting VS Code’s AI Coding Assistant Integration as a Novel Execution Pathway

    The significance of this attack is structural. npm’s lifecycle hook protections were designed around the assumption that malicious package code would execute through npm’s own lifecycle hooks. By pivoting to VS Code’s MCP task system as the execution layer, the attack demonstrates that package manager-level protections are insufficient when the attacker can trigger execution through an adjacent trusted system — in this case, an IDE feature that processes configuration from the same directory tree as the package.

    This pattern continues a trajectory of supply chain attacks specifically targeting AI development tooling, including previous attacks on VS Code extensions, GitHub Copilot integrations, and AI coding assistant configurations. As AI coding tools gain deeper integration into developer workflows and earn higher implicit trust, the configuration files that control them become increasingly attractive targets for payload injection.

    Scope and Developer Impact of the MCP-Based Infostealer Campaign

    The practical impact of a successful infostealer deployment on a developer machine extends beyond individual credential theft. Developer workstations typically hold SSH keys, cloud provider access tokens, API credentials, source repository authentication tokens, and database connection strings — a credential set that provides direct access to production infrastructure, internal source code, and cloud environments.

    Any developer working with VS Code and MCP-enabled AI tools whose project dependencies include a compromised npm or Go package is potentially exposed. Organizations with centrally managed developer tooling pipelines face amplified risk if affected packages are pulled into shared build environments.

    Security researchers have not named a specific threat actor or attributed the campaign to a country or known group. The discovery adds to a pattern of adversaries treating the developer supply chain — particularly the tools and configurations that AI coding assistants consume — as high-priority targets precisely because of the access they can provide to downstream infrastructure through a single compromised developer machine.

    Organizations using VS Code with MCP-enabled AI tools should audit the .vscode/tasks.json files present in their project repositories and verify that task definitions match what development teams have explicitly configured. Package managers and dependency management policies that restrict the introduction of unknown or recently published packages also reduce exposure to this class of attack.
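The audit recommended above can be scripted. The following is an added example written for this page (it is not code from the researchers or from any of the packages discussed): it walks a repository tree, parses every `.vscode/tasks.json` it finds, and flags tasks that VS Code would run on its own when the folder is opened (VS Code's `runOptions.runOn: "folderOpen"` setting, which the article does not name but which is the mechanism for auto-running a task), tasks whose terminal is hidden, and tasks that invoke an interpreter or download tool. The sample `tasks.json` embedded in the block is constructed for illustration; the list of flagged commands is a starting heuristic, not a complete indicator set.

```python
"""Audit .vscode/tasks.json files for tasks that auto-run on workspace open.
Added example for this page; constructed sample input, heuristic checks."""
import json
import os
import re
import sys

# Constructed sample: one ordinary build task and one task that runs a
# script in a hidden terminal as soon as the folder is opened.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSON-with-comments, so the parser must tolerate this
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "npm", "script": "build",
     "group": {"kind": "build", "isDefault": true}},
    {"label": "warm cache", "type": "shell",
     "command": "python3", "args": [".vscode/setup.py"],
     "runOptions": {"runOn": "folderOpen"},
     "presentation": {"reveal": "never"}}
  ]
}'''

# Interpreters and download tools that a build task rarely needs to call
# directly; treat a match as "needs a human to look at it", not as proof.
SUSPICIOUS = re.compile(
    r"\b(python3?|node|curl|wget|powershell|pwsh|bash|sh|base64|"
    r"Invoke-WebRequest|iex)\b", re.IGNORECASE)


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings, then trailing commas,
    so VS Code's JSON-with-comments can be fed to json.loads()."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before a closing bracket (not string-aware; adequate
    # for tasks.json, which rarely has ",}" inside a string literal).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def command_line(task):
    """Flatten a task's command/args (string, list, or {value: ...} forms)."""
    parts = []
    for key in ("command", "args"):
        value = task.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif isinstance(value, list):
            parts.extend(str(a.get("value", a)) if isinstance(a, dict) else str(a)
                         for a in value)
        elif isinstance(value, dict):
            parts.append(str(value.get("value", "")))
    return " ".join(parts)


def audit_tasks(doc):
    """Return a list of findings, one per task that trips any check."""
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs on folder open")
        reveal = task.get("presentation", {}).get("reveal")
        if reveal in ("never", "silent"):
            reasons.append("terminal hidden (reveal=%s)" % reveal)
        cmd = command_line(task)
        hit = SUSPICIOUS.search(cmd)
        if hit:
            reasons.append("invokes interpreter/downloader: " + hit.group(0))
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "command": cmd, "reasons": reasons})
    return findings


def audit_text(text):
    return audit_tasks(json.loads(strip_jsonc(text)))


def audit_repo(root):
    """Map each .vscode/tasks.json path under root to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                report[path] = audit_text(fh.read())
    return report


if __name__ == "__main__":
    results = (audit_repo(sys.argv[1]) if len(sys.argv) > 1
               else {"<sample>": audit_text(SAMPLE_TASKS_JSON)})
    for path, found in results.items():
        for f in found:
            print("%s: task %r (%s): %s" % (path, f["label"], f["command"],
                                            "; ".join(f["reasons"])))
```

Run it with a repository root as the only argument to scan a checkout; with no argument it audits the constructed sample and reports the "warm cache" task on all three counts. In a CI pipeline the same `audit_repo` output can be diffed against a committed, reviewed copy of each team's intended task definitions so that any task not explicitly configured by the team fails the build.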
