Security · 12 min · June 2026

Understanding & Removing the Git Config Injection Worm

How a self-propagating Git worm spreads across local project folders — detection, removal, and a Windows-first playbook.

By Sharon Rosario · June 2026

Tags: Malware Analysis · Git · Windows · DevSecOps

Published: June 2026
Campaign: Git config injection worm
Scope: 46 repos audited
Outcome: Removed & hardened
Platform: Windows (scripts included)

Overview

What this case study covers

A structured guide to understanding, detecting, and removing a self-propagating Git worm — a technical reference you can act on.

This documents a developer-targeted Git worm that spreads across local project folders on a shared machine. In this case, infection reached my environment from a colleague's PC — the worm scans parent and sibling directories, injects into config files, and pushes backdated commits to remote repos.

It combines VS Code auto-task exploitation, config file injection (hidden off-screen), and Git commit date spoofing — techniques that are individually known but dangerous together.

The goal: explain exactly how the worm operates, provide concrete indicators of compromise (IoCs), and share a removal playbook (including audit scripts) tested on Windows across 46 repositories.

Key takeaway

"Understanding the attack chain turns an invisible threat into something you can scan for in five minutes."

The Threat

Built for developer workflows

Generic antivirus will not catch this. The worm is designed around a single chain: open folder in VS Code → scan nearby projects → inject → push to GitHub.

This is a self-propagating worm aimed at Node.js / JavaScript project layouts. Once active on a machine, it doesn't need you to clone anything new — it moves laterally across folders on the same filesystem (parent and sibling directories).

The payload activates when an infected project folder is opened in VS Code, then:

  • Scans nearby directories for other local projects
  • Injects obfuscated payloads into config files
  • Steals credentials and downloads auxiliary scripts
  • Silently commits infected files back to remote repos with backdated timestamps (1 year in the past)

On GitHub, those commits never appear under "Recent" — they're sorted by commit date, not push date.

Others in the community have reported the same obfuscation patterns in config files — see References below.

Shared machines & nearby folders

If a teammate machine is infected, the worm can reach your repos through sibling-directory scanning on a shared drive or synced workspace.

Attack Chain

Three phases — folder open to remote infection

Each phase is designed to stay invisible. Map these to know where to look.

Phase 1

Local activation via VS Code automatic tasks

Triggers on folder open — no manual run required

  • Sets .vscode/settings.json → "task.allowAutomaticTasks": true
  • Registers .vscode/tasks.json with "runOn": "folderOpen" executing node ./public/fonts/fa-solid-400.woff2
  • The .woff2 file is a renamed, obfuscated Node.js dropper — not a font

Malicious VS Code setting

{
  "task.allowAutomaticTasks": true
}

Phase 2

Configuration injection & visual obfuscation

Hidden off-screen with hundreds of leading spaces

  • Scans for postcss.config.js, eslint.config.js, tailwind.config.js, vite.config.js, app.json
  • Appends obfuscated JavaScript to the end of each file
  • Prepends hundreds of spaces — invisible when word wrap is off

Injection signature (truncated)

global['!']='8-3997-1';var _$_1e42=(function...

Phase 3

Git history spoofing & stealth propagation

Infected commits exist on GitHub — buried in old history

  • Creates commits with infected config files programmatically
  • Spoofs GIT_AUTHOR_DATE and GIT_COMMITTER_DATE to 1 year ago
  • GitHub UI hides them from "Recent Commits"
  • Adds push scripts to .gitignore so they never appear in git status
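One way to surface Phase 3 commits in a local clone, as an added example that is not part of the case study: a commit whose committer date is far earlier than its parent's cannot arise from normal history, so the check below parses git log output and flags it. The 30-day threshold and the tab-separated log format are assumptions.

```python
# Added example, not from the case study: flags commits dated well before their own parent,
# which is what spoofing GIT_AUTHOR_DATE/GIT_COMMITTER_DATE on top of a current tip produces.
import subprocess

# hash, parents, author epoch, committer epoch, subject; %x09 is a tab separator
LOG_FORMAT = "%H%x09%P%x09%at%x09%ct%x09%s"


def parse_log(text):
    """Parse `git log --all --format=LOG_FORMAT` output into {hash: record}."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        h, parents, author_ts, committer_ts, subject = line.split("\t", 4)
        commits[h] = {"parents": parents.split(), "author_ts": int(author_ts),
                      "committer_ts": int(committer_ts), "subject": subject}
    return commits


def find_backdated(commits, min_gap_days=30):
    """Return hashes of commits whose committer date is more than min_gap_days before a parent's.
    Normal history only moves forward; a rebase keeps old author dates but writes new committer
    dates, so checking the committer date avoids most false positives (threshold is an assumption)."""
    gap = min_gap_days * 86400
    suspicious = []
    for h, c in commits.items():
        for p in c["parents"]:
            parent = commits.get(p)
            if parent and parent["committer_ts"] - c["committer_ts"] > gap:
                suspicious.append(h)
                break
    return suspicious


def audit_repo(path="."):
    """Run git log in a working copy (git must be on PATH) and return suspicious hashes."""
    out = subprocess.run(["git", "-C", path, "log", "--all", "--format=" + LOG_FORMAT],
                         check=True, capture_output=True, text=True).stdout
    return find_backdated(parse_log(out))


if __name__ == "__main__":
    import sys
    for h in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("backdated commit:", h)
```

A flagged hash is a starting point, not proof: inspect it with git show and compare against the remote before rewriting history.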

Key takeaway

"No npm script or terminal command needed — opening the project in VS Code is the trigger."

Detection

Indicators of compromise

Run through this list on any machine where Node projects live — especially if someone else on the same system may have opened an infected folder.

File paths & triggers

  • .vscode/tasks.json

    "runOn": "folderOpen" executing a script on load

  • fa-solid-400.woff2 / fa-regular-400.woff2

    Font paths containing obfuscated JS

  • temp_auto_push.bat / temp_interactive_push.bat

    Silent Git push scripts in repo root

  • branch_structure.json

    Local branch enumeration for propagation

  • ~/.node_modules

    Hidden dir with socket.io-client, axios

String signatures

  • global['!']

    Obfuscation entry point in config files

  • global['_V']

    Alternate obfuscation entry point

  • global['_t_t']

    Alternate obfuscation entry point

  • _$_1e42

    Hex string table obfuscation pattern (variant names exist)

  • trongrid.io

    Cryptocurrency RPC URL in payload strings

  • bsc-dataseed

    BSC RPC endpoint in payload strings

  • bsc-rpc.publicnode

    BSC RPC endpoint in payload strings

  • 166.88.54.158

    Known C2 server IP

60-second manual check

Open postcss.config.js or vite.config.js → press End → scroll right. If you see global['!'] or hundreds of spaces, stop and run the removal playbook below.
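The manual check above, automated as an added example (not the case study's worm-guard.sh or clean_git_malware.ps1): a read-only Python scan over a folder tree for the IoCs listed in this section. The 100-space threshold for off-screen padding and the config file list are assumptions taken from the text; tasks.json parsing follows VS Code's runOptions.runOn schema.

```python
# Added read-only scanner (not the case study's own scripts); 100-space threshold and name lists are assumptions from the text.
import json
import re
from pathlib import Path

CONFIG_NAMES = {"postcss.config.js", "eslint.config.js", "tailwind.config.js",
                "vite.config.js", "next.config.js", "app.json"}  # files the worm appends to
# String signatures from the IoC list; the hex-table variable name varies, so match its shape.
SIGNATURE_RE = re.compile(
    r"global\['(!|_V|_t_t)'\]|_\$_[0-9a-f]{2,8}\b|trongrid\.io|bsc-dataseed|bsc-rpc\.publicnode")
WOFF2_MAGIC = b"wOF2"  # every real WOFF2 font begins with these four bytes

def scan_config_text(text, min_leading_spaces=100):
    """Return (line_no, finding) pairs for signature hits and off-screen padding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lead = len(line) - len(line.lstrip(" "))
        if line.strip() and lead >= min_leading_spaces:
            findings.append((lineno, "off-screen padding (%d leading spaces)" % lead))
        m = SIGNATURE_RE.search(line)
        if m:
            findings.append((lineno, "signature " + m.group(0)))
    return findings

def is_fake_woff2(data):
    return not data.startswith(WOFF2_MAGIC)  # renamed JavaScript has no font header

def tasks_json_autoruns(text):
    """Return the command of each task configured with runOptions.runOn == folderOpen."""
    try:
        tasks = json.loads(text).get("tasks", [])
    except ValueError:  # tasks.json with comments is not strict JSON; still report it
        return ["<unparseable tasks.json>"] if '"folderOpen"' in text else []
    return [str(t.get("command", "")) for t in tasks
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_tree(root):
    """Walk a project tree and collect (path, finding) pairs without modifying anything."""
    hits = []
    for p in (q for q in Path(root).rglob("*") if q.is_file() and "node_modules" not in q.parts):
        if p.name in CONFIG_NAMES:
            hits += [(str(p), f) for _, f in scan_config_text(p.read_text(errors="replace"))]
        elif p.suffix == ".woff2" and is_fake_woff2(p.read_bytes()):
            hits.append((str(p), "non-font .woff2 payload"))
        elif p.name == "tasks.json" and p.parent.name == ".vscode":
            hits += [(str(p), "folderOpen task: " + c) for c in tasks_json_autoruns(p.read_text(errors="replace"))]
        elif p.name in {"temp_auto_push.bat", "temp_interactive_push.bat", "branch_structure.json"}:
            hits.append((str(p), "worm artifact file"))
    return hits
```

Run scan_tree against the parent folder that holds all your projects, since the worm spreads to sibling directories, and treat any hit as a reason to start the removal playbook.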

Removal Playbook

Step-by-step removal workflow

Order matters: stop execution → clean filesystem → repair Git remotes → rotate credentials. Skip a step and you risk reinfection.

Windows-first — adapt with one AI prompt

These scripts were built and tested on Windows. clean_git_malware.ps1 runs natively in PowerShell. worm-guard.sh runs via Git Bash or WSL. On macOS/Linux — or if you want a native shell script — paste either file into your preferred AI model with a single prompt: "Convert this malware cleanup script to [PowerShell/bash] for my OS, keeping the same scan logic and file signatures."

1. Disable VS Code automatic tasks

Stops the worm from re-executing every time an infected folder is opened. Set globally in User Settings — not workspace only.

VS Code User Settings

"task.allowAutomaticTasks": "off"

2. Filesystem scan & cleanup

worm-guard.sh identifies active malicious Node processes, quarantines fake font payloads, strips injected config lines, and removes .vscode auto-task configs. On Windows, run via Git Bash or WSL.

Command

bash worm-guard.sh C:/Users/you/Desktop

3. Git remote audit & restore

clean_git_malware.ps1 (PowerShell, Windows-native) fetches remote trees, signature-matches infected files, force-pushes clean states, and prunes local Git databases.

Command

powershell -ExecutionPolicy Bypass -File clean_git_malware.ps1

Then run

git gc --prune=now

4. Credential rotation

Assume all tokens are compromised once any IoC is found: GitHub PATs, SSH keys, npm tokens, .env secrets. Audit GitHub → Settings → Sessions.

Key takeaway

"Filesystem cleanup alone leaves infected commits on GitHub. Remote repair and local cleanup must happen together."

Prevention

Hardening checklist

One-time config changes and habits for any shared dev environment.

1. Disable automatic tasks globally in VS Code

"task.allowAutomaticTasks": "off" in User Settings. The worm enables it per-workspace.

2. Audit project folders before opening in an editor

Check .vscode/tasks.json and scroll to the end of root config files — especially on shared or synced drives.

3. Isolate infected machines quickly

If one dev machine on a shared workspace is compromised, assume sibling folders are in scope until scanned.

4. Rotate credentials on any positive IoC

PATs, SSH keys, npm tokens, .env files — rotate immediately, don't wait.

5. Review GitHub active sessions regularly

Settings → Sessions. Unexpected sessions mean tokens may already be exfiltrated.

Best single prevention step

Inspect .vscode/ and root config files before VS Code opens any project folder — especially on machines shared between developers.

References

Community reports & further reading

Independent write-ups from developers who hit the same obfuscation patterns in config files and Git history.

FAQ

Frequently asked questions

Quick answers for search and AI summaries — detection, removal, and prevention at a glance.

What is the Git config injection worm?
It is self-propagating malware that targets Node.js/JavaScript project folders. When an infected folder is opened in VS Code, it scans sibling directories, injects obfuscated payloads into config files (e.g. postcss.config.js), steals credentials, and pushes backdated Git commits so infections do not appear in recent GitHub history.
How do you detect the Git worm on Windows?
Check for VS Code automatic tasks (.vscode/tasks.json with runOn: folderOpen), hidden code at the end of postcss.config.js or next.config.js, a fake fa-solid-400.woff2 dropper in public/fonts/, and unexpected Git commits dated roughly one year in the past. Run the audit scripts linked in the case study across all local repos.
How do you remove the Git config injection worm?
Disable VS Code automatic tasks globally, delete malicious .vscode/tasks.json entries, clean injected config files, remove dropper files, rotate all credentials (PATs, SSH keys, npm tokens), audit every local repo with the provided PowerShell script, and force-push clean history or revert infected commits on remotes.
Why do Git worm commits not show in GitHub Recent activity?
The worm sets commit author dates about one year in the past. GitHub sorts commits by commit date, not push date, so malicious commits are buried in old history and easy to miss during casual review.
What is the best prevention for Git config injection malware?
Set task.allowAutomaticTasks to off in VS Code user settings, inspect .vscode/ and root config files before opening any project folder — especially on shared machines — and rotate credentials immediately if any indicator of compromise is found.