Mallory

North Korean Contagious Interview Campaign Uses Malicious VS Code Projects

Tags: state-sponsored espionage, phishing campaign intelligence, remote access implant, initial access method, command and control method
Updated April 6, 2026 at 12:03 AM · 7 sources

North Korea-linked threat actors tied to the long-running Contagious Interview operation have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code tasks.json configuration—specifically "runOn": "folderOpen"—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as BeaverTail and InvisibleFerret that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., ip-regions-check.vercel[.]app).

Separate reporting on North Korean APT trends indicates continued reliance on fraudulent IT employment schemes and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., AnyDesk, Google Remote Desktop) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.

Timeline

  1. Jan 21, 2026

    Recorded Future exposed PurpleBravo victim and infrastructure scope

    Recorded Future's Insikt Group published findings tying the PurpleBravo cluster to 3,136 likely target IPs, 20 potential victim organizations, LinkedIn recruiter personas, and separate C2 infrastructure for BeaverTail and GolangGhost. The report also noted operational overlaps with the North Korean IT-worker fraud campaign known as Wagemole/PurpleDelta.

  2. Jan 20, 2026

    Jamf disclosed new VS Code and npm infection methods

    In January 2026, Jamf Threat Labs reported that the Contagious Interview campaign had evolved to abuse VS Code repository trust and task configuration files to trigger malicious commands, including a previously unseen JavaScript backdoor on macOS. Jamf also identified a new Node.js ecosystem infection method in which malicious code executes during a standard npm install.

  3. Jan 18, 2026

    ASEC summarized December 2025 DPRK APT trends

    AhnLab ASEC published a trend report consolidating North Korea-aligned activity observed in December 2025, including Famous Chollima fake IT worker operations and Lazarus malware delivery via a WinRAR exploit. The report highlighted a broader shift toward combining social engineering, remote-work abuse, and software exploitation.

  4. Dec 1, 2025

    Jamf first observed VS Code task abuse in Contagious Interview

    Jamf Threat Labs first noted in December 2025 that DPRK-linked attackers were abusing Visual Studio Code tasks.json files with the runOn: folderOpen setting to execute code when a victim opened a cloned repository. The technique delivered malware including BeaverTail and InvisibleFerret through job-assessment lures.

  5. Dec 1, 2025

    Lazarus used Pharos.rar to exploit WinRAR flaw CVE-2025-8088

    Lazarus Group distributed a malicious archive named Pharos.rar that exploited WinRAR path traversal vulnerability CVE-2025-8088 to place a BAT file in the Startup folder. The infection chain deployed a multi-stage Python loader leading to the Blank Grabber infostealer, using Dropbox, Pastebin, and Telegram in the process.

  6. Jan 1, 2025

    Jasper Sleet linked to PiKVM-based fake IT worker operation

    Microsoft Incident Response (DART) linked a Famous Chollima case using PiKVM hardware-based remote control to the Jasper Sleet threat cluster. The technique was used to bypass endpoint detection and response controls while maintaining remote access.

  7. Jan 1, 2025

    Famous Chollima expanded fake IT worker intrusions via hiring platforms

    During 2025, North Korea-aligned Famous Chollima used fake IT worker schemes, identity theft, GitHub pull-request outreach, VPNs, and remote desktop tools such as AnyDesk and Google Remote Desktop to obtain and maintain covert access to corporate environments. The activity also involved soliciting victims' personal identity information.

  8. Aug 1, 2024

    PurpleBravo infrastructure targeted thousands of IPs worldwide

    Recorded Future assessed the North Korea-linked PurpleBravo/Contagious Interview cluster targeted 3,136 IP addresses and 20 potential victim organizations across multiple sectors and regions. The activity primarily affected targets in South Asia and North America between August 2024 and September 2025.

  9. Dec 1, 2023

    Contagious Interview campaign active against developers and IT professionals

    North Korea-linked operators behind the Contagious Interview campaign were active by late 2023, using fake job and interview lures to target developers and IT workers, especially in blockchain and cryptocurrency. The campaign supported espionage, credential theft, initial access, and financially motivated activity.


Sources

April 5, 2026 at 12:00 AM

2 more from sources such as The Hacker News and the AhnLab ASEC blog

Related Stories

North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures

Reporting describes **North Korea–linked “Contagious Interview” activity** in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including **BeaverTail** and follow-on multi-platform backdoors/RATs), creating downstream **supply-chain risk** when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a **deepfake job applicant** and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts. The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a **malicious Open VSX extension** masquerading as an Angular language tool reached thousands of downloads and was reported to steal **GitHub/NPM credentials**, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the *Eclipse Theia* website repository (**CVE-2026-1699**), where a `pull_request_target` GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad `GITHUB_TOKEN` permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around **developer hiring workflows, developer tooling marketplaces, and CI pipelines** as converging attack surfaces for credential theft and supply-chain compromise.

1 month ago

North Korean Recruiter Scam Delivers BeaverTail and InvisibleFerret Malware

North Korean threat actors have been linked to **Operation Contagious Interview**, a campaign that impersonates job recruiters to target software developers with malware-laced interview workflows. Palo Alto Networks Unit 42 said the operation uses fake hiring outreach, GitHub-hosted projects, and rogue `npm` packages to deliver **BeaverTail** and **InvisibleFerret**, two cross-platform malware families aimed at stealing data and establishing persistent access. BeaverTail acts as both an infostealer and loader, while InvisibleFerret is a Python backdoor capable of host fingerprinting, remote control, keylogging, data exfiltration, and deploying remote administration tools such as AnyDesk. The activity has been tracked as a distinct North Korean subgroup under the **Contagious Interview** name, although researchers noted tactical overlap with the broader **Operation Dream Job** playbook. The same reporting also tied Pyongyang-linked operators to **Wagemole**, a parallel scheme in which forged identities are used to secure jobs at foreign companies for revenue generation and espionage, reinforcing government warnings that North Korea is abusing developer ecosystems such as **GitHub**, `npm`, and `PyPI` to evade sanctions and support state objectives.

Yesterday
North Korean Fake Job Campaigns Targeting Developers via npm and Recruiting Platforms

North Korean state-sponsored threat actors have intensified their cyber-espionage operations by targeting job seekers in the AI, cryptocurrency, and Web3 development sectors. Security researchers have uncovered a sophisticated campaign in which operatives create fake job platforms that closely mimic legitimate recruiting services, such as Lever, to lure candidates into running malicious software under the guise of interview processes or test assignments. This approach exploits the trust and secrecy inherent in job searches, making victims less likely to report suspicious activity, and is believed to be a significant source of funding for North Korea's weapons programs. In parallel, the "Contagious Interview" operation has been systematically infiltrating the npm ecosystem, with at least 197 malicious packages and over 31,000 downloads targeting blockchain and JavaScript developers. The campaign leverages a complex infrastructure involving GitHub repositories, Vercel-hosted payloads, and command-and-control servers to deliver malware through seemingly innocuous npm packages. These operations demonstrate North Korea's adaptive and persistent threat capabilities, using modern software development workflows and social engineering to gain long-term access to sensitive systems in the tech industry.

1 month ago