Threat Intelligence, Supply chain

VS Code projects weaponized in developer-targeted Contagious Interview campaign

Korea North flag - 3D realistic waving flag on matrix digital ba

Illicit Microsoft Visual Studio Code projects have been harnessed by North Korean hackers to compromise software engineers in the cryptocurrency, fintech, and blockchain sectors with malware as part of the Contagious Interview campaign, The Hacker News reports.

Opening and cloning the malicious Git repository via VS Code automates processing of the repository's tasks.json configuration file, leading to the execution of a background shell command fetching a JavaScript payload that was then connected to macOS systems' Node.js runtime, according to an analysis from Jamf Threat Labs. Included in the Vercel-hosted JavaScript payload is the primary backdoor logic enabling host information exfiltration and remote server communications for subsequent remote code execution and system fingerprinting activities.

Such findings follow a Red Asgard report detailing the exploitation of a VS Code task configuration to facilitate the eventual deployment of the Tsunami backdoor, also known as TsunamiKit, and the XMRig cryptominer.

"This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows," said Jamf researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds