The ThreatsDay Bulletin this week compiles a spread of smaller signals that point to broader attack patterns, including a Codespaces RCE vector and AsyncRAT C2 activity, alongside BYOVD abuse and AI cloud intrusions.
In Codespaces, researchers disclosed three remote‑code‑execution vectors tied to VS Code configuration files: PROMPT_COMMAND in .vscode/settings.json, postCreateCommand in .devcontainer/devcontainer.json, and folderOpen auto‑run tasks in .vscode/tasks.json, with Microsoft describing the behaviour as by design.
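A pre-open check for the three files named above, as an added example that is not from the bulletin or the researchers: it parses each file, tolerating the comments and trailing commas VS Code accepts, and reports any PROMPT_COMMAND setting, postCreateCommand, or task set to run on folderOpen. The `runOptions.runOn` task field and the `terminal.integrated.env.linux` setting in the sample are VS Code names assumed here; the page does not spell them out.

```python
import json
import re

SETTINGS, DEVCONTAINER, TASKS = ".vscode/settings.json", ".devcontainer/devcontainer.json", ".vscode/tasks.json"
_STR = r'"(?:\\.|[^"\\])*"'  # a whole JSON string, matched first so its contents are never edited
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING_COMMA = re.compile(_STR + r"|,(?=\s*[}\]])")

def load_jsonc(text):
    """Parse JSON that may carry comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING_COMMA.sub(keep, _COMMENT.sub(keep, text)))

def _contains(node, needle):
    """True if needle occurs in any key or string value, at any depth."""
    if isinstance(node, dict):
        return any(needle in k or _contains(v, needle) for k, v in node.items())
    if isinstance(node, list):
        return any(_contains(v, needle) for v in node)
    return isinstance(node, str) and needle in node

def inspect(rel, doc):
    """Return the auto-execution findings for one parsed config file."""
    if rel == SETTINGS and _contains(doc, "PROMPT_COMMAND"):
        return ["PROMPT_COMMAND is set"]
    if rel == DEVCONTAINER and doc.get("postCreateCommand"):
        return [f"postCreateCommand runs {doc['postCreateCommand']!r}"]
    if rel == TASKS:
        return [f"task {t.get('label')!r} auto-runs on folderOpen"
                for t in doc.get("tasks", [])
                if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]
    return []

def audit_files(files):
    """files maps repo-relative path -> file text; returns (path, finding) pairs."""
    findings = []
    for rel in (SETTINGS, DEVCONTAINER, TASKS):
        if rel in files:
            try:
                findings += [(rel, msg) for msg in inspect(rel, load_jsonc(files[rel]))]
            except (ValueError, AttributeError):  # malformed JSON or unexpected shape
                findings.append((rel, "could not parse; review by hand"))
    return findings

# Constructed sample input; terminal.integrated.env.linux is an assumed carrier for PROMPT_COMMAND.
SAMPLE = {
    SETTINGS: '{ // workspace settings\n "terminal.integrated.env.linux": {"PROMPT_COMMAND": "echo demo"},\n}',
    DEVCONTAINER: '{"image": "ubuntu", "postCreateCommand": "echo demo"}',
    TASKS: '{"tasks": [{"label": "build"}, {"label": "init", "runOptions": {"runOn": "folderOpen"}}]}',
}
```

Read the three files from a clone and pass them to `audit_files` as a path-to-text mapping before opening the repository in Codespaces; a file that fails to parse is reported rather than skipped.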
On AsyncRAT, Censys reported 57 active AsyncRAT‑associated hosts exposed on the public internet as of January 2026, with hosting concentrated in APIVERSA, Contabo, and AS‑COLOCROSSING, and a distinctive self‑signed TLS certificate used to identify the server. The bulletin notes attackers increasingly rely on shared infrastructure and automation, emphasising speed between access and impact.
Taken together, these signals suggest threat actors are scaling quietly, reusing infrastructure, and streamlining playbooks to achieve quicker, more pervasive outcomes.