North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures
Reporting describes North Korea–linked “Contagious Interview” activity in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including BeaverTail and follow-on multi-platform backdoors/RATs), creating downstream supply-chain risk when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a deepfake job applicant and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts.
The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a malicious Open VSX extension masquerading as an Angular language tool reached thousands of downloads and was reported to steal GitHub/NPM credentials, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the Eclipse Theia website repository (CVE-2026-1699), where a pull_request_target GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad GITHUB_TOKEN permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around developer hiring workflows, developer tooling marketplaces, and CI pipelines as converging attack surfaces for credential theft and supply-chain compromise.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
PurpleBravo campaign escalation against developers is reported
Reporting described North Korean threat group PurpleBravo as escalating the Contagious Interview campaign by targeting developers with fake LinkedIn recruiters and malicious GitHub repositories. The activity was said to have affected 3,136 IP addresses and more than 20 organizations, increasing software supply-chain risk.
Expel identifies suspected deepfake North Korean job applicant
Expel CEO Jason Rebholz described a suspected North Korea-linked fake IT worker who applied for a security researcher role and appeared in a video interview that showed signs of deepfake manipulation. Analysis by Moveris reportedly confirmed the interview video was a deepfake.
CVE-2026-1699 disclosed in Eclipse Theia GitHub Actions workflow
A code execution vulnerability in the Eclipse Theia Website repository's GitHub Actions workflow was identified and disclosed as CVE-2026-1699. The issue stemmed from use of `pull_request_target` while executing untrusted pull request code, potentially exposing secrets and enabling malicious changes to Theia assets.
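As an added illustration (not code from the Theia project or from the advisory), the following heuristic Python check looks for the workflow pattern described above, run over two constructed workflow fragments; the function name `audit_workflow`, the finding codes and the sample YAML are assumptions made here, not taken from the page.

```python
import re

# Constructed sample workflows for illustration (not the Theia repository's files).
RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # commit chosen by the PR author
      - run: npm ci && npm run build                       # executes that commit's scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

# Expressions that check out the pull request's own commit rather than the base branch.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def audit_workflow(text: str) -> list[str]:
    """Text-based (not YAML-parsing) lint for the pull_request_target pattern; returns finding codes."""
    findings = []
    if not re.search(r"\bpull_request_target\b", text):
        return findings          # plain pull_request runs fork code with a read-only token, no secrets
    if PR_HEAD.search(text):
        findings.append("PRT_CHECKS_OUT_PR_HEAD")   # untrusted code runs in the privileged job
    if re.search(r"\$\{\{\s*secrets\.", text):
        findings.append("PRT_EXPOSES_SECRETS")      # repository secrets reachable from that job
    if re.search(r"^permissions:\s*write-all", text, re.M) or not re.search(r"^permissions:", text, re.M):
        findings.append("PRT_BROAD_GITHUB_TOKEN")   # write-all, or relying on the repo default scope
    return findings
```

The fix mirrored in `SAFE_WORKFLOW` is to build fork code under `pull_request` with a read-only token; if `pull_request_target` is genuinely needed, keep the privileged job from checking out or executing the PR head.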
Open VSX malware campaign compromises over 5,000 developer systems
The weaponized Open VSX extension remained undetected for about two weeks and reached 5,066 downloads, leading to the compromise of more than 5,000 developer workstations. The malware used Solana blockchain transaction memos for command-and-control and a Google Calendar fallback mechanism.
Malicious Open VSX extension is published
A malicious extension masquerading as "Angular Language Service" was published to the Open VSX marketplace. It bundled legitimate Angular and TypeScript components with encrypted malware aimed at stealing developer credentials, tokens, and cryptocurrency wallets.
Amazon begins blocking suspected DPRK fake IT worker applicants
Amazon said it had blocked more than 1,800 suspected North Korean employment-fraud applicants from joining its workforce since April 2024. The company also reported a quarter-over-quarter increase in DPRK-affiliated applications.
Contagious Interview campaign first observed targeting developers
A North Korea-linked campaign dubbed "Contagious Interview" was first noted in 2023, using fake recruiter personas and malicious coding tests to target software developers. The activity later became associated with malware families including BeaverTail and GolangGhost.
Sources
4 references tracked.
North Korean PurpleBravo Targets Developers in Contagious Interview Campaign - TheCyberThrone (thecyberthrone.in)
Deepfake job seeker applied to work for an AI security firm - The Register (go.theregister.com)
CVE-2026-1699 - Eclipse Theia GitHub Actions Code Execution Vulnerability (cvefeed.io)
Hackers Weaponized Open VSX Extension with Sophisticated Malware After Reaching 5066 Downloads (cybersecuritynews.com)


