(Image credit: Getty Images)

• Lazarus group’s Contagious Interview campaign abuses Visual Studio Code via malicious Git repositories
• Attackers deliver JavaScript payloads on macOS, enabling persistent data harvesting and C2 communication
• Jamf urges enabling advanced threat controls and caution with untrusted repositories

As part of the infamous Contagious Interview campaign, North Korean threat actors were seen abusing legitimate Microsoft Visual Studio Code in their attacks.

Contagious Interview is a hacking campaign in which the Lazarus group (and other state-sponsored North Korean actors) create fake jobs and invite software and blockchain developers in Western countries for interviews.

During the interview process, they trick the victims into deploying malware on their devices, granting the attackers unabated access to their computers, as well as their current employers’ networks.

How to stay safe

The campaign is quite successful, too, as it is blamed for some of the biggest crypto heists in recent years.

In a new report, security researchers from Jamf detailed “an evolution in the techniques used during earlier stages of the campaign.” They said the attackers would first create a malicious Git repository, and host it on platforms such as GitHub, or GitLab.

After that, during the "interview" process, they would trick the victim into cloning and opening the repository using Microsoft Visual Studio Code. The tool would prompt the victim to trust the repository author and if that happens, the app automatically processes the tasks.json configuration file that triggers embedded arbitrary commands.

On macOS, these commands use a background shell to remotely retrieve a JavaScript payload (often from a platform like Vercel) and pipe it into the Node.js runtime.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The JavaScript payload then executes, establishing a persistent loop that harvests host information (hostname, MAC addresses, and OS details) and communicates with a remote command-and-control (C2) server. Finally, the backdoor periodically pings the C2 server, sending system data and receiving further malicious JavaScript instructions.

“We strongly recommend that customers ensure Threat Prevention and Advanced Threat Controls are enabled and set to block mode in Jamf for Mac to remain protected against the techniques described in this research,” Jamf warned.

“Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unfamiliar sources. Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents,” they added.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.