Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

North Korea's Malicious Campaign: How Hackers Target Developers via Malicious VS Code Projects



North Korea-linked hackers have been using malicious Visual Studio Code projects to deliver backdoors on compromised endpoints, targeting software engineers in the cryptocurrency, blockchain, and fintech sectors. The attack campaign uses VS Code task configuration files to execute malicious payloads staged on Vercel domains, depending on the operating system on the infected host.

  • North Korea-linked hackers are using malicious Microsoft Visual Studio Code (VS Code) projects to deliver backdoors on compromised endpoints.
  • The attackers use VS Code task configuration files to execute malicious payloads, which ultimately lead to the deployment of BeaverTail and InvisibleFerret malware.
  • The end goal is to abuse VS Code task configuration files to execute malicious payloads and gain unauthorized access to sensitive data and systems.
  • The attackers use an attack chain involving multiple delivery methods to increase the likelihood of success, including installing malicious npm dependencies and running JavaScript code.
  • The malware sets up a parallel Python environment using a stager script, enables cryptocurrency mining, keylogging, and remote access using AnyDesk.
  • Threat actors with ties to North Korea specifically target software engineers in cryptocurrency, blockchain, and fintech sectors for potential privilege escalation.



    • North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

    The world of cybersecurity has been rocked by a new and sophisticated campaign, where hackers affiliated with North Korea have been using malicious Microsoft Visual Studio Code (VS Code) projects to deliver backdoors on compromised endpoints. This campaign is the latest example of the country's continued efforts to expand its cyber espionage capabilities.

    According to reports from Jamf Threat Labs and Security Alliance, the threat actors associated with the Contagious Interview campaign have been observed using malicious VS Code projects as lures to deliver a backdoor on compromised endpoints. The campaign was first discovered in December 2025 and has since evolved into a more sophisticated attack method.

    The attackers are using VS Code task configuration files to execute malicious payloads staged on Vercel domains, depending on the operating system on the infected host. The task is configured such that it runs every time that file or any other file in the project folder is opened in VS Code by setting the "runOn: folderOpen" option.

    The end goal of these efforts is to abuse VS Code task configuration files to execute malicious payloads, which ultimately lead to the deployment of BeaverTail and InvisibleFerret. The obfuscated JavaScript embedded with these files is executed as soon as the victim opens the project in the integrated development environment (IDE). It establishes communication with a remote server ("ip-regions-check.vercel[.]app") and executes any JavaScript code received from it.

    The attackers have also been using an attack chain that involves multiple delivery methods in tandem to increase the likelihood of success. This includes approaches such as installing a malicious npm dependency named "grayavatar" or running JavaScript code that's responsible for retrieving a sophisticated Node.js controller, which runs five distinct modules to log keystrokes, take screenshots, scan the system's home directory for sensitive files, substitute wallet addresses copied to the clipboard, credentials from web browsers, and establish a persistent connection to a remote server.

    The malware then proceeds to set up a parallel Python environment using a stager script that enables data collection, cryptocurrency mining using XMRig, keylogging, and the deployment of AnyDesk for remote access. The Node.js and Python layers are referred to as BeaverTail and InvisibleFerret, respectively.

    These findings indicate that the state-sponsored actors are experimenting with multiple delivery methods in tandem to increase the likelihood of success of their attacks. The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools.

    The attackers have also been using a previously undocumented infection method to deliver a backdoor that offers remote code execution capabilities on the compromised host. This starting point is no different in that it's activated when the victim clones and opens a malicious Git repository using VS Code.

    When the project is opened, Visual Studio Code prompts the user to trust the repository author. If this trust is granted, the application automatically processes the repository's tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system. On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime.

    The newly downloaded JavaScript is designed to beacon to the server every five seconds, run additional JavaScript, and erase traces of its activity upon receiving a signal from the operator. It's suspected that the script may have been generated using an artificial intelligence (AI) tool owing to the presence of inline comments and phrasing in the source code.

    Threat actors with ties to North Korea are known to specifically go after software engineers, particular those working in cryptocurrency, blockchain, and fintech sectors, as they often tend to have privileged access to financial assets, digital wallets, and technical infrastructure. Compromising their accounts and systems could allow the attackers unauthorized access to source code, intellectual property, internal systems, and siphon digital assets.

    The development comes as Red Asgard detailed its investigation into a malicious repository that has been found to use a VS Code task configuration to fetch obfuscated JavaScript designed to drop a full-featured backdoor named Tsunami (aka TsunamiKit) along with an XMRig cryptocurrency miner.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Koreas-Malicious-Campaign-How-Hackers-Target-Developers-via-Malicious-VS-Code-Projects-ehn.shtml

  • https://thehackernews.com/2026/01/north-korea-linked-hackers-target.html

  • https://attack.mitre.org/software/S1245/

  • https://anyrun.substack.com/p/invisibleferret-malware-technical

  • https://github.com/advisories/GHSA-crhf-hxhx-8cx4

  • https://security.snyk.io/vuln/SNYK-JS-GRAYAVATAR-10872148

  • https://malpedia.caad.fkie.fraunhofer.de/details/win.tsunamikit

  • https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Python/TsunamiKit.SLXA!MTB

  • https://en.wikipedia.org/wiki/Lazarus_Group

  • https://dailysecurityreview.com/resources/lazarus-ransomware-group-the-north-korean-cyber-menace/

  • https://cybersecuritynews.com/north-korean-apt-hackers-create-companies-to-deliver-malware-strains/

  • https://www.silentpush.com/blog/contagious-interview-front-companies/


    • Published: Tue Jan 20 14:00:50 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us