
Malicious Code: North Korean Hackers Infiltrate VS Code Projects


Key Takeaways:

  • The North Korean threat actors associated with the Contagious Interview campaign are using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints.
  • The attack involves instructing targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.
  • The threat actors are using a previously undocumented infection method to deliver a backdoor that offers remote code execution capabilities on the compromised host.
  • The attackers are targeting software engineers, particularly those working in cryptocurrency, blockchain, and fintech sectors, to gain unauthorized access to source code, intellectual property, internal systems, and digital assets.
  • Developers are advised to exercise caution when interacting with third-party repositories, review source code contents before opening them in VS Code, and install only vetted npm packages.

Introduction to the Contagious Interview Campaign
The Contagious Interview campaign, associated with North Korean threat actors, has been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. This campaign has been ongoing since December 2025 and has been found to involve the deployment of a backdoor implant that provides remote code execution capabilities on the victim system. The attack essentially involves instructing prospective targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.

The Attack Chain
The attack chain is activated when the victim clones the malicious Git repository and opens it in VS Code. When the project is opened, VS Code prompts the user to trust the repository author. If that trust is granted, the editor automatically processes the repository's tasks.json configuration file, and any arbitrary commands embedded there are executed on the system. The task is configured with the "runOn": "folderOpen" option, so it runs every time the project folder (or any file inside it) is opened in VS Code. This ultimately leads to the deployment of BeaverTail and InvisibleFerret, two malware components that provide remote code execution capabilities and give the attackers unauthorized access to the victim's system.

Evolution of the Attack
The Contagious Interview campaign has evolved over time, with the threat actors adopting new tactics and techniques to increase the likelihood that their attacks succeed. One recent change is a previously undocumented infection method for delivering a backdoor that offers remote code execution capabilities on the compromised host. The attackers also use a fallback mechanism, disguising the malware as harmless spell-check dictionaries, so that the payload is still delivered if the primary method fails. The malware is designed to establish a persistent execution loop, harvest basic host information, and communicate with a remote server, giving the operators remote code execution, system fingerprinting, and a continuous command channel.

Targeting of Software Engineers
The North Korean threat actors are targeting software engineers, particularly those working in cryptocurrency, blockchain, and fintech sectors, to gain unauthorized access to source code, intellectual property, internal systems, and digital assets. These engineers often have privileged access to financial assets, digital wallets, and technical infrastructure, making them a prime target for the attackers. The Contagious Interview campaign is just one example of the various tactics used by these threat actors to compromise the systems and accounts of software engineers and gain access to sensitive information.

Recommendations for Developers
To counter the threat, developers are advised to exercise caution when interacting with third-party repositories, especially those originating from unfamiliar sources or shared directly during coding tests. They should review the source code contents before opening a project in VS Code and install only vetted npm packages. By taking these precautions, developers can reduce the risk of their systems being compromised by the Contagious Interview campaign and similar threats.
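A pre-open check for the repository review recommended above, written here as an added example (it is not the article's code nor anything from the campaign): it parses a tasks.json the way VS Code reads it (JSONC, so comments and trailing commas are allowed) and flags any task carrying the "runOn": "folderOpen" setting from the attack chain described earlier. The sample tasks.json and its PLACEHOLDER command are constructed; the .vscode/tasks.json location used by audit_repo is VS Code's documented workspace layout, not something taken from the article.

```python
import json
import re
from pathlib import Path

# Constructed sample in the style the article describes: a shell task whose
# runOptions.runOn is "folderOpen", which VS Code launches as soon as a trusted
# folder is opened. The command is a placeholder, not the campaign's real lure.
SAMPLE_TASKS_JSON = r'''
{
  // tasks.json is JSONC: comments and trailing commas are allowed
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "prepare",
      "type": "shell",
      "command": "node ./scripts/PLACEHOLDER_setup.js",
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}
'''

# Strings are matched first, so a "//" or ", }" inside a string value is kept.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def parse_jsonc(text: str) -> dict:
    """Parse JSON with comments and trailing commas, as VS Code accepts it."""
    cleaned = _JSONC.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(cleaned)

def find_auto_run_tasks(text: str) -> list:
    """Return the tasks VS Code would launch on folder open, with their commands."""
    flagged = []
    for task in parse_jsonc(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            flagged.append({"label": task.get("label", "<unnamed>"),
                            "type": task.get("type"),
                            "command": task.get("command")})
    return flagged

def audit_repo(repo_dir: str) -> list:
    """Audit a cloned repository before opening it in VS Code. Workspace tasks
    live in .vscode/tasks.json (VS Code's layout, not a detail from the article)."""
    tasks_file = Path(repo_dir) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_auto_run_tasks(tasks_file.read_text(encoding="utf-8"))
```

Run audit_repo against the cloned directory before opening it; any task it returns will execute with your privileges the moment you trust the folder, so read its command first.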

Conclusion
The Contagious Interview campaign is a sophisticated threat that highlights the continued evolution of DPRK-linked threat actors. These actors consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows, making it essential for developers to be aware of the risks and take necessary precautions to protect themselves. By understanding the tactics used by these threat actors and taking steps to mitigate the risks, developers can reduce the likelihood of their systems being compromised and protect sensitive information.
