Cyber: North Korea-linked Hackers Target Developers Via Malicious VS Code...

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints.

The latest finding demonstrates the continued evolution of a tactic that was first discovered in December 2025, Jamf Threat Labs said.

"This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

First disclosed by OpenSourceMalware last month, the attack essentially involves instructing prospective targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.

The end goal of these efforts is to abuse VS Code task configuration files to execute malicious payloads staged on Vercel domains, with the payload chosen according to the operating system of the infected host. By setting the "runOn": "folderOpen" option, the task is configured to run every time that file or any other file in the project folder is opened in VS Code. This ultimately leads to the deployment of BeaverTail and InvisibleFerret.
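A defender can check a cloned repository for this auto-run setting before granting trust. The following is an added example, not code from the article or from Jamf's report: it strips JSONC comments from a constructed tasks.json (the repository, commands and URL are placeholders) and reports every task set to "runOn": "folderOpen" together with its per-OS command overrides.

```python
import json
import re

# Added example, not code from the article or Jamf's report: audit a VS Code
# tasks.json for tasks that start automatically because of "runOn": "folderOpen".
# tasks.json is JSONC, so comments must go first; the regex matches string
# literals before comments so a "https://..." value is never mistaken for one.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    return _JSONC_TOKEN.sub(lambda m: m[0] if m[0].startswith('"') else "", text)

def auto_run_tasks(tasks_json: str) -> list[dict]:
    """One finding per task that runs on folder open, with every per-OS
    command override (the campaign selects the payload by operating system)."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": task.get("command")}
        for os_key in ("windows", "osx", "linux"):
            commands[os_key] = task.get(os_key, {}).get("command")
        findings.append({"label": task.get("label", "<unlabeled>"),
                         "type": task.get("type"),
                         "commands": {k: v for k, v in commands.items() if v}})
    return findings

# Constructed sample tasks.json (hypothetical repository, placeholder paths/URL).
SAMPLE_TASKS_JSON = r'''{
  // "setup" fires on folder open; "build" only when started by hand
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "node ./setup.js https://stage.example/a",   /* placeholder URL */
     "windows": {"command": "node .\\scripts\\setup.js"},
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

if __name__ == "__main__":
    for f in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[folderOpen] {f['label']} ({f['type']}): {f['commands']}")
```

Run it against `.vscode/tasks.json` of any freshly cloned project; a non-empty result means VS Code will execute those commands as soon as the folder is trusted and opened.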

Subsequent iterations of the campaign have been found to conceal sophisticated multi-stage droppers in task configuration files, disguising the malware as harmless spell-check dictionaries. These serve as a fallback mechanism in the event the task is unable to retrieve the payload from the Vercel domain.

Like before, the obfuscated JavaScript embedded in these files is executed as soon as the victim opens the project in the integrated development environment (IDE). It establishes communication with a remote server ("ip-regions-check.vercel[.]app") and executes any JavaScript code received from it. The final stage delivered as part of the attack is another heavily obfuscated JavaScript payload.

Jamf said it discovered yet another change in this campaign, with the threat actors using a previously undocumented infection method to deliver a backdoor that offers remote code execution capabilities on the compromised host. The starting point of the attack chain is no different in that it's activated when the victim clones and opens a malicious Git repository using VS Code.

"When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained. "If that trust is granted, the application automatica

Source: The Hacker News