The “Contagious Interview” campaign, a sophisticated cyber-espionage operation attributed to North Korean (DPRK) threat actors, has evolved yet again. Security researchers at Jamf Threat Labs have uncovered a new infection vector that targets developers where they live: inside their code editors and package managers.
The campaign, which previously gained notoriety for using fake job interviews to lure victims, is now abusing Microsoft Visual Studio Code (VS Code) task configuration files to silently execute malicious payloads on victim machines.
The latest evolution in this campaign focuses on integrating malware directly into legitimate-looking developer workflows. The attackers are leveraging tasks.json files—configuration files used to automate tasks in VS Code—to run malicious commands.

According to the report, “the infection chain abuses Microsoft Visual Studio Code task configuration files, allowing malicious payloads to be executed on the victim system”. This method allows the attackers to hide in plain sight, as developers often trust repository configurations.
In December, Jamf Threat Labs observed an escalation of this tactic. “This included the introduction of dictionary files containing heavily obfuscated JavaScript, which is executed when a victim opens a malicious repository in Visual Studio Code”.
Earlier this week, researchers identified a “previously undocumented infection method” that takes advantage of the Node.js ecosystem. This technique involves the deployment of malicious code that is triggered when a developer runs the standard npm install command.
The malware beacons to a Command and Control (C2) server every 5 seconds, sending system details and waiting for instructions. It is highly capable, with the ability to “execute that additional JavaScript within a child process” and even “shut itself and child processes down and cleaning up if asked to do so by the attacker”.
Interestingly, the code bears the hallmarks of modern development tools. “It has inline comments and phrasing that appear to be consistent with AI-assisted code generation,” the report notes.
Threat actors are increasingly poisoning the tools and repositories that developers rely on. “The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools”.
Developers are urged to exercise extreme caution when interacting with third-party code. “Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents,” Jamf advises. Furthermore, standard commands like npm install should only be run on vetted projects, with careful scrutiny of “package.json files, install scripts, and task configuration files to help avoid unintentionally executing malicious code”.
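The review Jamf recommends can be partly automated before a cloned repository is trusted or installed. The Python below is an added example, not code from Jamf or from this article: it flags VS Code tasks whose `runOptions.runOn` is `folderOpen` (the setting that lets a task start when the folder is opened) and npm lifecycle scripts that `npm install` runs on its own. The function names and the sample files are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# tasks.json is JSONC: drop comments and trailing commas, keep string contents.
_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'("(?:\\.|[^"\\])*")|,(?=\s*[}\]])')

def parse_jsonc(text):
    for pattern in (_COMMENT, _TRAILING):
        text = pattern.sub(lambda m: m.group(1) or "", text)
    return json.loads(text)

def audit_files(files):
    """files maps repo-relative path -> text; returns (path, finding) pairs."""
    findings = []
    for rel, text in sorted(files.items()):
        try:
            data = parse_jsonc(text)
        except ValueError:
            data = None
        if not isinstance(data, dict):
            findings.append((rel, "unparseable, review by hand"))
            continue
        if rel.split("/")[-2:] == [".vscode", "tasks.json"]:
            for task in data.get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((rel, f"runs on folder open: {task.get('command')}"))
        else:
            scripts = data.get("scripts", {})
            findings += [(rel, f"{h} script: {scripts[h]}") for h in INSTALL_HOOKS if h in scripts]
    return findings

def audit_repo(root):
    """Audit every package.json and .vscode/tasks.json under a checkout."""
    wanted = [p for p in Path(root).rglob("*.json") if p.is_file() and
              (p.name == "package.json" or p.parts[-2:] == (".vscode", "tasks.json"))]
    return audit_files({p.relative_to(root).as_posix():
                        p.read_text(encoding="utf-8", errors="replace") for p in wanted})

# Constructed sample repository contents (not taken from the Jamf report).
SAMPLE = {
    ".vscode/tasks.json": '{ // constructed\n "version": "2.0.0", "tasks": ['
    ' {"label": "env", "type": "shell", "command": "node ./dict/words.js",'
    ' "runOptions": {"runOn": "folderOpen"}, }, {"label": "build", "command": "tsc"} ] }',
    "package.json": '{"scripts": {"test": "jest", "postinstall": "node setup.js"}}',
}
```

A finding is a prompt to read the referenced command and the file it launches, since legitimate projects use these hooks as well.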