https://threatprophet.com/tags/vs-code/Recent content in Vs-Code on ThreatProphetHugo -- 0.161.1en-usThu, 16 Apr 2026 00:00:00 +0000https://threatprophet.com/posts/2026-04-16-dlabs/Thu, 16 Apr 2026 00:00:00 +0000https://threatprophet.com/posts/2026-04-16-dlabs/A threat actor impersonating DLabs Hungary used a LinkedIn CTO recruitment lure to deliver a multi-stage Node.js credential-harvesting beacon via VS Code workspace tasks and npm lifecycle execution. The repository reuses the same core Node.js attack chain and several byte-identical artifacts seen in TP-2026-009, while later DLabs-themed variants show small file-level edits in `server.js` and `routes/api/auth.js`.