‘Contagious Interview’ Attack Now Delivers Backdoor Via VS Code


These articles are AI-generated summaries. Please check the original sources for full details.

Blending in With Developer Workflows

The North Korean threat actors behind the “Contagious Interview” campaign are now leveraging Microsoft Visual Studio Code to deliver a new JavaScript backdoor, enabling remote code execution on targeted developer systems. This is the latest evolution of a campaign active since late 2023, initially using fraudulent job recruitment schemes.

The attack abuses the trust mechanism within VS Code: once a developer trusts a malicious repository author, arbitrary commands are executed on their system without further interaction. This makes the trust decision itself a critical weak point in the software development lifecycle. Successful exploitation can lead to complete system compromise and data exfiltration, potentially costing organizations hundreds of thousands of dollars in remediation and lost intellectual property.

Key Insights

  • Contagious Interview campaign, 2023-present: Targets software developers via fraudulent job recruitment.
  • VS Code Trust Mechanism: Attackers exploit the automatic processing of malicious configuration files when a repository is trusted.
  • JavaScript Payload: This is the first time Jamf has observed a completely JavaScript-based payload in this campaign.

Practical Applications

  • Use Case: North Korean actors target cryptocurrency and blockchain developers to steal credentials and gain unauthorized access.
  • Pitfall: Blindly trusting repository authors in VS Code without reviewing the project’s contents can lead to silent malware execution.
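
One way to review a cloned project before granting trust, as an added example that is not code from the original article or from Jamf. It assumes the configuration file of interest is `.vscode/tasks.json` and looks for VS Code's `runOptions.runOn: "folderOpen"` setting, which the summary does not name; `auto_run_tasks`, `scan_repo` and the sample file are hypothetical and constructed for illustration.

```python
import json
import re
from pathlib import Path

_STR = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, kept verbatim

def strip_jsonc(text):
    """tasks.json allows comments and trailing commas; remove both."""
    keep = lambda m: m.group(1) or ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[}\]])", keep, text)

def auto_run_tasks(text):
    """Return (label, platform, command) for tasks that run on folder open."""
    try:
        doc = json.loads(strip_jsonc(text))
    except ValueError:
        return [("<unparseable tasks.json>", "any", "review by hand")]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    found = []
    for task in (t for t in tasks if isinstance(t, dict)):
        opts = task.get("runOptions")
        if not isinstance(opts, dict) or opts.get("runOn") != "folderOpen":
            continue
        # Per-OS blocks can override the command, so report each of them.
        for platform in ("any", "windows", "osx", "linux"):
            scope = task if platform == "any" else task.get(platform)
            if isinstance(scope, dict) and "command" in scope:
                args = scope.get("args", [])
                parts = [scope["command"]] + (args if isinstance(args, list) else [args])
                found.append((task.get("label", "<unlabelled>"), platform, " ".join(map(str, parts))))
    return found

def scan_repo(repo):
    """Check <repo>/.vscode/tasks.json without opening the folder in VS Code."""
    path = Path(repo) / ".vscode" / "tasks.json"
    return auto_run_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []

# Constructed sample, not taken from the campaign.
SAMPLE = """{ "version": "2.0.0", "tasks": [  /* constructed */
    {"label": "env-setup", "type": "shell", "command": "node",
     "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"},
     "osx": {"command": "sh", "args": ["-c", "scripts/setup.sh"]},},
    {"label": "build", "type": "shell", "command": "npm run build"} // manual only
  ]
}"""

if __name__ == "__main__":
    print(*auto_run_tasks(SAMPLE), sep="\n")
```

Any finding means the listed command should be read, along with the script it points to, before the folder is trusted.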
