I’m investigating malicious code that appeared across three separate JavaScript git repositories in my VS Code workspace. The unusual aspect is that git blame attributes all injected lines to my own account — they appear inside commits I made, alongside legitimate code I wrote myself or generated with Copilot. I’m trying to determine the injection mechanism.
Infected tailwind.config.js:

```js
/** @type {import('tailwindcss').Config} */
module.exports = {
  content: ["./src/**/*.{jsx,js,ts,tsx}"],
  theme: {
    extend: {},
  },
  plugins: [],
}; global['_V']='8-st20'... // malicious code
```
Three repos, same VS Code workspace, sequential infection:

- Project A (Node.js backend): malicious code appeared in routes.js
- Project B (frontend): appeared in tailwind.config.js about 1 month later
- Project C (frontend): appeared in tailwind.config.js around the same time as B
In each case, the injected code was bundled inside a real commit — not a standalone suspicious commit, but mixed in with legitimate changes I was making at the time.
The malicious code makes outbound calls to api.trongrid.io (TRON blockchain API) and dynamically executes a decoded payload — effectively a blockchain-backed C2 channel. Not relevant, but for context.
Is there a way to reconstruct whether a file was modified between git add and git commit?
Are there known cases of malware using git hooks to inject code across a developer’s local repositories?
Are there other local injection mechanisms besides global git hooks that could explain code appearing under my identity across multiple repos?
What I’ve already ruled out:

- External contributor / malicious PR — all commits are attributed to my account only
- Project scaffolding — projects are too old for this timeline
- Known supply chain vulnerabilities — checked axios (March ’26), not present
- Postinstall scripts modifying files — reviewed all package.json files in dependency trees, nothing found writing to project-level config files
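As an added triage script (this is example code, not the poster's and not from any project mentioned above), the following Python walks a workspace of git repositories and surfaces the two things this question asks about: hook-based persistence that could run under the developer's own identity (a `core.hooksPath` set in any git config scope, plus executable non-`.sample` scripts in each repo's `.git/hooks`) and the indicators the post names (a `global['_V']` marker, `api.trongrid.io`, dynamic execution via `eval`/`new Function`, and code appended after the closing `};` of `module.exports` in a config file). The indicator regexes, the workspace layout and the `file:<path>\t<key>=<value>` shape of `git config --list --show-origin` output are assumptions made for this example; the sample inputs in the docstrings are constructed.

```python
"""Workspace triage for the hook/injection pattern described above.

Example code added here, not the poster's own. Assumes: repositories live
under one root directory, `git` is on PATH for main(), and the indicator
patterns below are the ones worth looking for (taken from the post).
"""
import os
import re
import subprocess
from pathlib import Path

# Indicators taken from the post; constructed regexes, tune as needed.
INDICATORS = {
    "global_marker": re.compile(r"global\s*\[\s*['\"]_V['\"]\s*\]"),
    "trongrid_api": re.compile(r"api\.trongrid\.io"),
    "dynamic_exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
}

SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts"}


def find_indicators(source: str):
    """Return (indicator_name, line_number) for every matching line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def code_after_module_exports(source: str):
    """Heuristic for the shape in the post: statements appended on the same
    line as a closing `};`. A plain trailing comment is ignored. Returns the
    trailing text, or None when nothing suspicious follows the `};`."""
    for line in source.splitlines():
        stripped = line.strip()
        if stripped.startswith("};") and len(stripped) > 2:
            tail = stripped[2:].strip()
            if tail and not tail.startswith("//"):
                return tail
    return None


def hooks_path_settings(config_listing: str):
    """Parse `git config --list --show-origin` output (origin, TAB, key=value)
    and return [(origin, value)] for each core.hookspath entry. Git lowercases
    the key, so compare case-insensitively."""
    found = []
    for line in config_listing.splitlines():
        origin, tab, kv = line.partition("\t")
        if not tab:
            continue
        key, sep, value = kv.partition("=")
        if sep and key.strip().lower() == "core.hookspath":
            found.append((origin, value))
    return found


def active_hooks(repo: Path):
    """Executable hook scripts in <repo>/.git/hooks, excluding the *.sample
    stubs git ships; these run on commit, merge, checkout, etc."""
    hooks_dir = repo / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    return sorted(p.name for p in hooks_dir.iterdir()
                  if p.is_file() and not p.name.endswith(".sample")
                  and os.access(p, os.X_OK))


def scan_workspace(root: Path):
    """Map each repo under root to its active hooks and any indicator hits
    in source files (node_modules skipped)."""
    report = {}
    for git_dir in root.rglob(".git"):
        repo = git_dir.parent
        entry = {"hooks": active_hooks(repo), "files": {}}
        for path in repo.rglob("*"):
            if "node_modules" in path.parts or path.suffix not in SOURCE_SUFFIXES:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_indicators(text)
            trailing = code_after_module_exports(text) if path.name.endswith("config.js") else None
            if hits or trailing:
                entry["files"][str(path.relative_to(repo))] = {"hits": hits, "trailing": trailing}
        report[str(repo)] = entry
    return report


def main(root=Path(".")):
    listing = subprocess.run(["git", "config", "--list", "--show-origin"],
                             capture_output=True, text=True).stdout
    for origin, value in hooks_path_settings(listing):
        print(f"core.hooksPath set in {origin}: {value}")
    for repo, entry in scan_workspace(root).items():
        if entry["hooks"] or entry["files"]:
            print(repo, entry)


if __name__ == "__main__":
    main()
```

Run it from the workspace root; a non-empty `core.hooksPath` line means every repo on the machine shares one hook directory, which is the first place to look when the same lines turn up in commits across unrelated repos, and any non-`.sample` executable in `.git/hooks` is a per-repo equivalent. Indicator hits are a starting point for review, not proof on their own.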