DPRK-Linked Contagious Interview Campaign Stole Crypto via Fake Developer Job Tests
North Korea-linked operators tracked as HexagonalRodent and Contagious Interview, overlapping with Lazarus/Famous Chollima, used fake recruiter outreach on LinkedIn and sham company infrastructure to lure software and Web3 developers into opening malicious coding assessments. Researchers said the campaign delivered malware including BeaverTail, InvisibleFerret, and OtterCookie through backdoored GitHub repositories, rogue npm content, malicious VS Code tasks.json execution, and weaponized Git hooks such as pre-commit and post-checkout. The malware targeted Windows, macOS, and Linux systems, stealing browser credentials, keychains, wallet data, seed phrases, and developer secrets while maintaining persistence and remote access.

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Developer spots malicious npm hook in fake recruiter coding test
On 2026-06-16, Python developer Roman Imankulov reported a suspected social-engineering supply-chain attack in which a fake recruiter sent him a malicious Node.js repository during a hiring process. He identified a backdoor in app/test/index.js and an npm prepare post-install hook that would execute attacker-controlled payloads during npm install, avoiding compromise by analyzing the code in an isolated environment.
Kmsec reports DPRK job-advert lures hosted on Google Docs
On 2026-06-11, a Kmsec article highlighted North Korea-linked job advertisement activity using Google Docs, associated in the reference with the Famous Chollima cluster. The reporting points to a new lure or delivery mechanism within the broader recruiter-themed campaign targeting developers.
TrendAI reports Cython-compiled InvisibleFerret variants
On 2026-05-28, TrendAI Research reported that the DPRK-aligned Void Dokkaebi/Famous Chollima cluster had evolved InvisibleFerret from readable Python into Cython-compiled native binaries delivered as .pyd and .so files. The report said the campaign still used fake job interview lures and BeaverTail staging while adding techniques to hinder detection and analysis.
Developer says they were likely targeted in DPRK malware campaign
On 2026-05-27, a developer posted that they were likely targeted by North Korea in a sophisticated malware campaign aimed at developers, explicitly referencing Contagious Interview and VS Code themes.
Red Asgard analyzes OtterCookie as a live-surveillance implant
On 2026-05-16, Red Asgard published technical analysis separating OtterCookie from BeaverTail and InvisibleFerret, describing it as a JavaScript/Node.js RAT using Socket.IO for persistent command-and-control and continuous collection from active developer workstations. The analysis also linked delivery to malicious npm packages and Vercel-hosted staging infrastructure.
Researchers report malicious Git hooks in coding-test repositories
On 2026-05-12, researchers reported that Lazarus-linked actors were using malicious Git hooks in fake coding-test repositories so that commits or branch switches would trigger platform-specific malware delivery. The activity was tied to the Contagious Interview campaign and associated with BeaverTail and InvisibleFerret.
NitroGem analysis reveals npm-install trojan using Google Docs C2
On 2026-05-08, a GitHub Gist analysis documented NitroGem, a malicious GitHub repository disguised as a React/Web3 dApp used in fake job-interview workflows to target developers. The trojan executed during npm install via a prepare script, fetched a public Google Doc to derive its C2 URL, exfiltrated the victim's process.env, and ran attacker-supplied JavaScript for remote code execution.
Developer reports sophisticated fake-job malware incident
On 2026-04-23, reporting detailed how Serbia-based developer Boris Vujičić was lured through LinkedIn and realistic interviews into running a malicious coding test on macOS, after which attackers exfiltrated Chrome passwords, Keychain data, and MetaMask wallet information within 56 seconds. Incident responders at zeroShadow assessed that North Korean government-linked actors were likely responsible.
HexagonalRodent compromises fast-draft VSX extension
In early 2026, the HexagonalRodent subgroup expanded beyond fake coding tests into at least one supply-chain compromise by tampering with the fast-draft VSX extension to distribute OtterCookie.
HexagonalRodent steals crypto from developer victims in Q1 2026
During the first three months of 2026, Expel assessed that the DPRK-linked HexagonalRodent operation exfiltrated 26,584 cryptocurrency wallets from 2,726 infected developer systems, with exposed wallets tied to up to $12 million in crypto assets. The campaign targeted Web3 developers with fake job offers and backdoored coding assessments using BeaverTail, OtterCookie, and InvisibleFerret.
Expel publishes AI-assisted HexagonalRodent investigation
On 2026-04-22, Expel published findings on HexagonalRodent, describing a DPRK-linked operation targeting Web3 developers with fake job offers, BeaverTail, OtterCookie, and InvisibleFerret, and extensive use of generative AI for malware development, phishing infrastructure, and evasion testing. Expel also said it uncovered internal panels and workflows indicating a multi-team operation.
Fake Font variant abuses VS Code projects to infect developers
On 2026-01-27, researchers described a North Korea-linked 'Fake Font' campaign in which fake recruiters sent developers to GitHub projects containing malicious VS Code tasks and JavaScript disguised as font files, leading to InvisibleFerret infections across Windows, macOS, and Linux.
Researchers document OtterCookie malware in Contagious Interview
By early 2025, reporting identified OtterCookie as a new malware family used in the Contagious Interview operation alongside BeaverTail and InvisibleFerret, expanding the campaign's tooling against developer targets.
Unit 42 links Contagious Interview to DPRK recruiter-themed malware campaign
On 2023-11-22, Palo Alto Networks Unit 42 reported that North Korean threat actors were running the Contagious Interview campaign, impersonating recruiters to infect software developers with BeaverTail and InvisibleFerret malware via fake job interview lures and rogue GitHub/npm content.
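The events above name three places where a coding-test repository runs code without the developer invoking it: npm lifecycle scripts such as prepare, VS Code tasks, and Git hooks. The following is an added example, not code from Mallory or from any of the cited reports, that lists those triggers in an unpacked repository before anything is installed or opened; the file tree in `demo()` is constructed, and the finding tuple format and the focus on `runOn: folderOpen` tasks are this example's own choices.

```python
import json, re, tempfile
from pathlib import Path

# Scripts npm runs on its own during a bare `npm install` in the project root.
NPM_AUTO = {"preinstall", "install", "postinstall", "prepublish",
            "preprepare", "prepare", "postprepare"}
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def audit_repo(root):
    """Return (vector, path, detail) for code that runs without being invoked."""
    root, found = Path(root), []
    for pkg in sorted(root.rglob("package.json")):
        relp = pkg.relative_to(root)
        if "node_modules" in relp.parts:
            continue
        try:
            scripts = dict(json.loads(pkg.read_text(errors="replace")).get("scripts") or {})
        except (ValueError, AttributeError, TypeError):
            found.append(("npm", relp.as_posix(), "unparseable package.json"))
            continue
        found += [("npm", relp.as_posix(), f"{n}: {scripts[n]}")
                  for n in sorted(NPM_AUTO & set(scripts))]
    # tasks.json may contain comments, so match the text rather than parse JSON.
    for tasks in sorted(root.rglob(".vscode/tasks.json")):
        if FOLDER_OPEN.search(tasks.read_text(errors="replace")):
            found.append(("vscode", tasks.relative_to(root).as_posix(), "runOn: folderOpen"))
    # Active hooks are files in .git/hooks without the .sample suffix.
    hooks = root / ".git" / "hooks"
    for hook in sorted(hooks.iterdir()) if hooks.is_dir() else []:
        if hook.is_file() and hook.suffix != ".sample":
            found.append(("git-hook", hook.relative_to(root).as_posix(), "active hook"))
    cfg = root / ".git" / "config"
    if cfg.is_file() and re.search(r"(?im)^\s*hooksPath\s*=", cfg.read_text(errors="replace")):
        found.append(("git-hook", ".git/config", "core.hooksPath redirected"))
    return found

def demo():
    files = {  # constructed sample tree, made up for this example
        "package.json": '{"scripts": {"prepare": "node app/test/index.js", "test": "jest"}}',
        ".vscode/tasks.json": '{ // constructed\n "tasks": [{"label": "fonts", '
                              '"runOptions": {"runOn": "folderOpen"}}]}',
        ".git/hooks/pre-commit": "#!/bin/sh\n",
        ".git/hooks/post-checkout.sample": "#!/bin/sh\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, text in files.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_text(text)
        return audit_repo(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result only means none of these three triggers is present; the repository's own code can still be malicious once it is run.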
Sources
26 references tracked.
Python dev saved from disaster by intuition... and AI
theregister.com
A backdoor in a LinkedIn job offer - Roman Imankulov
roman.pt
Post by @lazarusholic.bsky.social - Bluesky
bsky.app
About OtterCookie, the new malware used by Contagious Interview | Security Knowledge | NTT Security Japan
jp.security.ntt
A job offer from the North: Contagious Interview targeting software developers - Security Research Center Blog
archive.ph
APT Lazarus: Eager Crypto Beavers, Video calls and Games | Group-IB Blog
archive.ph
North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns
thehackernews.com


