North Korean Contagious Interview Campaign Uses Malicious VS Code Projects
North Korea-linked threat actors tied to the long-running Contagious Interview operation have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code tasks.json configuration—specifically "runOn": "folderOpen"—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as BeaverTail and InvisibleFerret that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., ip-regions-check.vercel[.]app).
Separate reporting on North Korean APT trends indicates continued reliance on fraudulent IT employment schemes and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., AnyDesk, Google Remote Desktop) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.
Related Entities
Threat Actors
Malware
Affected Products
Sources
1 more from sources like ahnlab asec blog
Related Stories
North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures
Reporting describes **North Korea–linked “Contagious Interview” activity** in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including **BeaverTail** and follow-on multi-platform backdoors/RATs), creating downstream **supply-chain risk** when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a **deepfake job applicant** and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts. The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a **malicious Open VSX extension** masquerading as an Angular language tool reached thousands of downloads and was reported to steal **GitHub/NPM credentials**, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the *Eclipse Theia* website repository (**CVE-2026-1699**), where a `pull_request_target` GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad `GITHUB_TOKEN` permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around **developer hiring workflows, developer tooling marketplaces, and CI pipelines** as converging attack surfaces for credential theft and supply-chain compromise.
1 months agoNorth Korean Fake Job Campaigns Targeting Developers via npm and Recruiting Platforms
North Korean state-sponsored threat actors have intensified their cyber-espionage operations by targeting job seekers in the AI, cryptocurrency, and Web3 development sectors. Security researchers have uncovered a sophisticated campaign in which operatives create fake job platforms that closely mimic legitimate recruiting services, such as Lever, to lure candidates into running malicious software under the guise of interview processes or test assignments. This approach exploits the trust and secrecy inherent in job searches, making victims less likely to report suspicious activity, and is believed to be a significant source of funding for North Korea's weapons programs. In parallel, the "Contagious Interview" operation has been systematically infiltrating the npm ecosystem, with at least 197 malicious packages and over 31,000 downloads targeting blockchain and JavaScript developers. The campaign leverages a complex infrastructure involving GitHub repositories, Vercel-hosted payloads, and command-and-control servers to deliver malware through seemingly innocuous npm packages. These operations demonstrate North Korea's adaptive and persistent threat capabilities, using modern software development workflows and social engineering to gain long-term access to sensitive systems in the tech industry.
3 months ago
North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains
North Korea–aligned operators, including **Lazarus** (aka **HIDDEN COBRA**), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on **Operation DreamJob** describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed **“Fake Font”** uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse *Visual Studio Code* automation (via `.vscode/tasks.json`) and disguised payloads (e.g., `.woff2` “font” files) to execute multi-stage malware that ultimately deploys the **InvisibleFerret** Python backdoor for credential and crypto-wallet theft and long-term access. A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses **VS Code tunnels** as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of *Vercel* to deliver remote-access tooling, exploitation of **CVE-2025-51683** (blind SQLi) in the *Mjobtime* time-tracking app to reach MSSQL `xp_cmdshell`, a hospitality-focused **DCRat** campaign using **ClickFix** and `MSBuild.exe`, a generic CSS exfiltration technique write-up, and Trend Micro research on the **PeckBirdy** LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.
1 months ago