Friendly Faces, Malicious Moves: Inside Legitimate IDE Threats in Technical Interviews
Background: While reading an article about how threat actors abuse legitimate VS Code functionality to run malicious code on a target machine as soon as the victim opens a project, I concluded that a universal method should exist that works across all IDEs, because it need not depend on the editor at all.
How the abuse works:
To run code on every operating system without depending on the editor, an attacker can build the attack around Husky. Husky is a widely used npm tool that runs project-defined commands from Git hooks such as pre-commit, post-checkout and post-merge. It works by pointing Git's core.hooksPath at the project's .husky/ directory, which normally happens through a prepare script in package.json the first time the victim installs dependencies. The tool itself exists to automate workflows, but that same mechanism makes it a convenient core for an attack.
From our experience, it is enough to commit a hook script with arbitrary commands into the .husky folder: for example, a .husky/post-checkout script runs on the victim's machine, with the victim's privileges, every time a branch is checked out. Because hook files are ordinary shell scripts executed by Git itself, the payload behaves the same no matter which IDE the victim uses to open the project.
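The following demonstration is an added example written for this page, not code from the original post. It builds a throwaway repository with a committed .husky/post-checkout script and shows the hook firing on the first branch checkout. Husky would normally set core.hooksPath from the prepare script during npm install; the example sets it by hand to isolate the Git-side mechanism, and the hook body is a benign stand-in (it records host name, user and working directory in a marker file) for the collection step described above.

```shell
#!/bin/sh
# Added demo (not from the original post): a committed .husky/ hook fires on
# a branch checkout once Git's core.hooksPath points at the .husky/ directory.
# Husky normally sets core.hooksPath from a "prepare" script during
# `npm install`; here it is set by hand to show only the Git mechanism.
set -eu

# Build a throwaway repo with a committed post-checkout hook, trigger it with
# a branch checkout, and print the path of the marker file the hook wrote.
husky_checkout_demo() {
    repo=$(mktemp -d)
    cd "$repo"
    # `git init -b` needs Git >= 2.28; fall back to creating the branch by hand.
    git init -q -b main . 2>/dev/null || { git init -q .; git checkout -q -b main; }
    git config user.email demo@example.invalid
    git config user.name demo
    git config commit.gpgsign false

    mkdir -p .husky
    # Benign stand-in for the "collect information" step of the attack:
    # uname -n is used instead of hostname because it is POSIX.
    cat > .husky/post-checkout <<'EOF'
#!/bin/sh
{ uname -n; id -un; pwd; } > "$PWD/.hook-fired"
EOF
    chmod +x .husky/post-checkout

    # The package.json a victim would see: "prepare" installs Husky on npm install.
    echo '{"scripts":{"prepare":"husky"}}' > package.json
    git add -A
    git commit -q -m "interview project with hook"

    # What Husky does for the victim at install time.
    git config core.hooksPath .husky

    # The trigger: any branch checkout now runs .husky/post-checkout.
    git checkout -q -b feature

    echo "$repo/.hook-fired"
}
```

Run `cat "$(husky_checkout_demo)"` to see what the hook captured. Note that the checkout itself gives no indication that anything ran, and that the same file committed as pre-commit or post-merge would fire on those actions instead.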

In our test (see the screenshot), the hook collected host information and used a LOLBin to send the data to our exfiltration server, without any prompt or warning from the IDE.

Protection:
- During such activities, always use sandboxed systems or disposable environments.
- Never run an IDE with SYSTEM or ROOT privileges.
- Always inspect the project for suspicious configurations before opening or building it, especially hidden folders such as .husky/ and install-time scripts (prepare, preinstall, postinstall) in package.json.
- Whenever possible, use online platforms for these tasks.
- Monitor DNS requests to unknown domains (Sysmon Event ID 22 on Windows) and file creation by unexpected parent processes such as git or the IDE (Sysmon Event ID 11).
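The inspection step in the list above is the one most people skip. The following pre-flight audit is an added example for this page, not a tool from the original post: it walks a cloned project and prints the three places where this class of attack hides (committed hook scripts under .husky/, npm lifecycle scripts that run on install, and an already-set core.hooksPath) so they can be read before anything is executed. The grep over package.json is deliberately crude and is an assumption that the scripts block is one key per line; a real tool would parse the JSON.

```shell
#!/bin/sh
# Added example (not from the original post): audit a cloned project BEFORE
# opening it in an IDE or running `npm install`. Prints every finding and
# a count; 0 findings means none of the checked locations contained anything.

# Print every committed Git hook script under the hidden .husky/ folder,
# including the script body so the reader can see what would run.
list_husky_hooks() {
    dir=$1
    [ -d "$dir/.husky" ] || return 0
    find "$dir/.husky" -type f -exec sh -c '
        for f; do
            printf "HUSKY HOOK: %s\n" "$f"
            sed "s/^/    /" "$f"
        done' sh {} +
}

# Print npm lifecycle scripts that run automatically during `npm install`.
# Assumption: one "key": "value" pair per line in package.json.
list_install_scripts() {
    pkg=$1/package.json
    [ -f "$pkg" ] || return 0
    grep -E '"(pre|post)?install"|"prepare"|"prepublish"' "$pkg" \
        | sed 's/^[[:space:]]*/INSTALL SCRIPT: /' || true
}

# Report a core.hooksPath that has already been pointed at a custom directory
# (e.g. because `npm install` was run earlier). Silently skipped without git.
check_hooks_path() {
    dir=$1
    [ -d "$dir/.git" ] || return 0
    path=$(git -C "$dir" config --get core.hooksPath 2>/dev/null) || return 0
    printf 'HOOKS PATH: core.hooksPath=%s\n' "$path"
}

# Full report for one project directory.
audit_repo() {
    list_husky_hooks "$1"
    list_install_scripts "$1"
    check_hooks_path "$1"
}

# Number of findings in the report (0 when nothing was found).
count_findings() {
    audit_repo "$1" | grep -c -E '^(HUSKY HOOK|INSTALL SCRIPT|HOOKS PATH):' || true
}
```

Usage: `audit_repo ./candidate-project` prints the report, and `count_findings ./candidate-project` gives a number suitable for a shell conditional. A non-zero count is not proof of malice (many honest projects use Husky), but every listed script should be read in full before the project is built or opened with an IDE that may run install steps on its own.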
Conclusion: Abusing automation tools like Husky shows how even legitimate development workflows can be weaponized, and how little the choice of IDE matters once Git itself is the execution vector. Staying vigilant about your development environment, auditing project configurations before you build or check out anything, and following basic security practices are essential to reducing the risk of compromise.
