North Korean threat actors behind the continuously evolving Contagious Interview job scam are using malicious Microsoft Visual Studio Code (VS Code) projects that, if opened by developers, will deploy a backdoor to their systems and allow for remote code execution.
Researchers with Jamf Threat Labs discovered the threat earlier this week, noting that it’s a variation of the latest iteration of the Contagious Interview campaign that Jamf and OpenSourceMalware first wrote about late last year.
The VS Code-based attack is the latest evolution of the espionage campaign, which launched in 2022 and is part of a larger effort by North Korean-sponsored threat groups – particularly Lazarus Group – to steal money and information through fake job openings and IT worker scams, where operatives use false identities and credentials to get software engineering jobs with tech companies around the world.
“In this campaign, infection begins when a victim clones and opens a malicious Git repository, often under the pretext of a recruitment process or technical assignment,” the Jamf researchers wrote in a report. “The repositories identified in this activity are hosted on either GitHub or GitLab and are opened using Visual Studio Code.”
Backdoor is Opened
When the developer opens the project, VS Code prompts them to trust the repository. If the developer accepts, VS Code automatically processes the repository’s task configuration file, which leads to the execution of the arbitrary commands embedded in it, they wrote.
On systems running macOS, opening the project triggers a background shell command that retrieves a JavaScript payload from a remote host and pipes it into the Node.js runtime. The command runs detached from the editor, so execution continues, with all command output suppressed, even if the VS Code process is terminated.
The JavaScript payload, which implements the core backdoor logic, seems large at first glance. However, much of the code consists of unused functions that are never called during the infection; they exist only to pad the script’s size and complexity and have no effect on its behavior.
Those components that are used establish a persistent execution loop that collects information about the system and communicates with the command-and-control (C2) server.
Remote Code Execution is Job 1
“While the JavaScript payload, which is hosted on the Vercel platform, contains a significant amount of unused code, the backdoor’s core functionality is implemented through a small number of routines,” the researchers wrote. “These routines provide remote code execution, system fingerprinting, and persistent C2 communication. The payload includes a function that enables the execution of arbitrary JavaScript while the backdoor is active. At its core, this is the main functionality of this backdoor.”
The malware collects information from the infected system, including the hostname, the MAC addresses of its network interfaces, and operating system details. This gives the attackers a “stable fingerprint” the North Korean operators can use to identify affected hosts and link them to a specific campaign.
The backdoor also queries the external service ipify.org to determine the system’s public-facing IP address, a tactic that researchers from Jamf and other research groups have seen in other campaigns linked to the Democratic People’s Republic of Korea (DPRK).
Quick Execution
They observed that JavaScript instructions were executed about eight minutes after the initial infection, and noted that the backdoor checks in with the C2 server every five seconds to deliver system details and request further JavaScript instructions. It can also terminate itself and its child processes on command from the attacker, and its inline comments and phrasing suggest that some of the code was generated by AI.
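The two observable behaviors described above, a fixed five-second check-in with the C2 server and a one-off lookup of ipify.org, are both things a defender can hunt for in endpoint network telemetry. The following is an added example, not code from the Jamf report: it parses a constructed, simplified log of “timestamp process destination” records, groups connections by process and destination, and flags any pair whose inter-arrival times are nearly constant (low jitter), alongside any connection to a public-IP lookup service. The `c2-placeholder.invalid` host and all of the log lines are constructed for the demonstration; a real EDR or Zeek `conn` log needs its own parser, and the thresholds are starting points to tune.

```python
"""Detect fixed-interval beaconing and public-IP lookups in endpoint telemetry.

Added example. The record format (ISO timestamp, process name, destination
host:port) and every line in SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a `node` process beaconing to one host every 5 seconds
# and doing a single ipify.org lookup, next to a browser with irregular traffic.
SAMPLE_LOG = """\
2025-01-10T09:00:00 node c2-placeholder.invalid:443
2025-01-10T09:00:02 node api.ipify.org:443
2025-01-10T09:00:05 node c2-placeholder.invalid:443
2025-01-10T09:00:10 node c2-placeholder.invalid:443
2025-01-10T09:00:15 node c2-placeholder.invalid:443
2025-01-10T09:00:20 node c2-placeholder.invalid:443
2025-01-10T09:00:25 node c2-placeholder.invalid:443
2025-01-10T09:00:30 node c2-placeholder.invalid:443
2025-01-10T09:00:01 firefox docs.example.com:443
2025-01-10T09:00:03 firefox docs.example.com:443
2025-01-10T09:00:20 firefox docs.example.com:443
2025-01-10T09:00:21 firefox docs.example.com:443
2025-01-10T09:00:50 firefox docs.example.com:443
2025-01-10T09:01:30 firefox docs.example.com:443
2025-01-10T09:01:45 firefox docs.example.com:443
"""

# Services the article names (ipify.org) plus its API hostname.
IP_LOOKUP_SERVICES = {"ipify.org", "api.ipify.org"}


def parse_events(text):
    """Turn the constructed log into (datetime, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), proc, dest))
    return events


def find_beacons(events, min_events=5, min_interval=1.0,
                 max_interval=60.0, max_jitter=0.5):
    """Flag (process, destination) pairs whose connection gaps are nearly constant.

    A sequence is reported when it has at least `min_events` connections,
    its mean gap lies in [min_interval, max_interval] seconds, and the
    population standard deviation of the gaps is at most `max_jitter` seconds.
    """
    by_key = defaultdict(list)
    for ts, proc, dest in events:
        by_key[(proc, dest)].append(ts)

    hits = []
    for (proc, dest), stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if min_interval <= avg <= max_interval and pstdev(gaps) <= max_jitter:
            hits.append({"process": proc, "destination": dest,
                         "interval_s": round(avg, 2), "events": len(stamps)})
    return hits


def find_public_ip_lookups(events, services=IP_LOOKUP_SERVICES):
    """Return every connection whose destination host is a public-IP lookup service."""
    return [(ts.isoformat(), proc, dest)
            for ts, proc, dest in events
            if dest.rsplit(":", 1)[0] in services]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for hit in find_beacons(evts):
        print("beacon:", hit)
    for lookup in find_public_ip_lookups(evts):
        print("public-IP lookup:", lookup)
```

Only the `node` to `c2-placeholder.invalid` sequence is reported (seven connections, 5.0 s apart, zero jitter); the browser traffic has the same volume but irregular gaps and is left alone. A beacon hit on its own is only a lead, but a short-interval beacon from a `node` process spawned under VS Code, combined with an ipify.org lookup from the same process, matches the behavior the report describes closely enough to justify pulling the process tree.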
“This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows,” the researchers wrote. “The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools.”
Developers Need to Be Cautious
They also warned developers to be careful when interacting with third-party repositories, particularly those shared directly or originating from an unfamiliar source.
“Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents,” the researchers cautioned. “Similarly, ‘npm install’ should only be run on projects that have been vetted, with particular attention paid to package.json files, install scripts, and task configuration files to help avoid unintentionally executing malicious code.”
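The review the researchers recommend, of task configuration files before trusting a repository and of package.json install scripts before running `npm install`, can be scripted as a pre-trust check. The following is an added example, not code from Jamf or from any project named in the article. It scans a cloned repository for VS Code tasks configured to run when the folder is opened (`.vscode/tasks.json`, `runOptions.runOn` set to `folderOpen`) and for npm lifecycle hooks that execute during installation (`preinstall`, `install`, `postinstall`, `prepare`), and returns every match for a human to read before the repository is trusted. `build_demo_repo` writes a constructed sample repository into a temporary directory; its file contents are invented for the demonstration.

```python
"""Pre-trust audit of a cloned repository for auto-executing configuration.

Added example. It reports VS Code tasks that run on folder open and npm
lifecycle scripts that run during `npm install`; the demo repository it
builds is constructed for illustration only.
"""
import json
import os
import re
import tempfile

# Real npm lifecycle hooks that run as part of `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Fallback text check for tasks.json files the JSON parser rejects.
RUN_ON_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def _load_jsonc(path):
    """tasks.json allows comments; strip whole-line // and /* */ comments first."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(text)


def audit_tasks(repo):
    """Return VS Code tasks that run automatically when the folder is opened."""
    path = os.path.join(repo, ".vscode", "tasks.json")
    findings = []
    if not os.path.exists(path):
        return findings
    try:
        data = _load_jsonc(path)
    except ValueError:
        # Trailing commas or other JSONC quirks: fall back to a raw text match
        # so an unparseable file is still surfaced rather than silently skipped.
        with open(path, encoding="utf-8") as fh:
            if RUN_ON_OPEN_RE.search(fh.read()):
                findings.append({"kind": "vscode-task", "label": "<unparsed>",
                                 "command": "<inspect file manually>"})
        return findings
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append({"kind": "vscode-task",
                             "label": task.get("label", ""),
                             "command": str(task.get("command", ""))})
    return findings


def audit_package_json(repo):
    """Return npm scripts that execute during `npm install`."""
    path = os.path.join(repo, "package.json")
    findings = []
    if not os.path.exists(path):
        return findings
    with open(path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    for hook in NPM_INSTALL_HOOKS:
        if hook in scripts:
            findings.append({"kind": "npm-hook", "label": hook,
                             "command": scripts[hook]})
    return findings


def audit_repo(repo):
    """Everything that would run before a developer has read a single source file."""
    return audit_tasks(repo) + audit_package_json(repo)


def build_demo_repo():
    """Write a constructed sample repository to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="repo-audit-demo-")
    os.makedirs(os.path.join(root, ".vscode"))
    tasks = """{
  // constructed sample: one task runs as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "sh -c 'echo placeholder-stager'",
      "runOptions": { "runOn": "folderOpen" }
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}
"""
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(tasks)
    package = {"name": "demo-assignment",
               "scripts": {"postinstall": "node setup.js", "test": "jest"}}
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(package, fh)
    return root


if __name__ == "__main__":
    for finding in audit_repo(build_demo_repo()):
        print(f"{finding['kind']:12} {finding['label']:12} {finding['command']}")
```

Running the audit on the demo repository reports the `setup` task (it has `runOn: folderOpen`) and the `postinstall` hook, while the ordinary `build` task and the `test` script are ignored. The point of the tool is not to decide for the reviewer; any finding means there is a command that will run on trust or on install, and it should be read and understood before either happens.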