Why North Korean Hackers Are Targeting Devs Through Visual Studio Code Projects

-


There’s a new backdoor campaign going around. It’s slick, it’s persistent, and it’s targeting developers — specifically those using Microsoft Visual Studio Code (VS Code) as part of their day-to-day workflow.

This one’s coming out of North Korea. And it's not just some throwaway malware — it's part of a broader shift in how state-linked actors are slipping past traditional defences by piggybacking off developer tools and trusted platforms.

The Basics: Dev Tools as Attack Vectors


Security researchers at Jamf Threat Labs have uncovered the latest iteration of an ongoing campaign (nicknamed Contagious Interview) that’s weaponising VS Code projects.

The method? Attackers instruct targets — usually software engineers — to clone a GitHub, GitLab, or Bitbucket repository and open it in VS Code. They pose as recruiters or hiring managers offering a technical assessment.

Once the repo is opened, a malicious tasks.json file is silently executed in the background — taking advantage of a legit VS Code feature that lets projects run commands when opened.

No phishing link. No sketchy email attachment. Just a developer doing their job and opening a project.

How It Works: Quiet, Cross-Platform, Persistent


Let’s get specific.

  • When the project is opened, VS Code prompts the user to “trust” the project. If the user says yes, VS Code automatically processes the tasks.json file.
  • That file includes commands set to run on folder open, which triggers a remote payload — typically obfuscated JavaScript hosted on Vercel.
  • On macOS, that script gets pulled down using curl and piped straight into Node.js using a nohup bash command — so it keeps running even if VS Code is closed.
  • The result? A full backdoor that allows remote code execution, system reconnaissance, persistent communications, and ultimately, control.

The payloads are referred to as BeaverTail (Node.js layer) and InvisibleFerret (Python layer). These aren’t hobbyist tools — they’re modular, evasive, and built for flexibility.

What They’re After and Why Developers


This isn’t random. North Korean state-backed actors (DPRK-linked groups) are going after developers in high-value sectors: crypto, blockchain, fintech. They know what’s at stake.

Why target devs?

  • Developers often have direct access to source code, infrastructure, or wallet environments.
  • A compromised dev workstation is a great pivot point — it gives attackers visibility into internal systems, credentials, and in some cases, keys to the kingdom.
  • The engineering workflow is relatively under-defended. It’s easier to smuggle malware through a trusted Git repo than to trick a SOC-monitored email gateway.

In short, devs are an increasingly valuable — and vulnerable — attack surface.

Fallbacks, Obfuscation, and AI-Generated Malware

The attackers aren’t relying on just one method either. If the initial payload doesn’t download correctly, the task file falls back to spell check dictionaries that are actually droppers.

In more advanced cases, the malware uses multi-stage delivery:

  • Initial backdoor using Node.js
  • Secondary payloads for keylogging, clipboard hijacking, and browser credential theft
  • Python-based modules for persistence and crypto mining via XMRig
  • Remote access tools like AnyDesk

Some of the JavaScript even shows signs of being generated by AI tooling — likely to help speed up development, avoid detection, or randomise behaviour.

Social Engineering Still Works — Just in New Ways


Notably, in at least one case, the attackers approached a developer on LinkedIn pretending to be a CTO for a blockchain startup. They shared a link to a Bitbucket repo hosted in a Notion document — again, all looking clean and professional.

This isn’t spearphishing in the traditional sense — it’s spearcloning. Clean repo. Real-looking code. Familiar developer tools. The attack happens inside the IDE.

It’s clever. And it’s dangerous.

What Aussie Tech Leaders Should Actually Care About

This isn’t just a developer problem. It’s a supply chain issue and a workforce security blind spot. If your teams include engineers, devops, or contractors who use Git-based workflows and VS Code this affects you.

Key takeaways:

  • Trust Prompts Aren’t Security Controls
    Most devs click "Trust" in VS Code by default. They’re conditioned to. Don’t assume they’re scrutinising every project they open.
  • VS Code Is a Legitimate Execution Vector
    This isn’t an exploit it’s a feature being abused. That makes detection harder and response slower.
  • Your Dev Environments Are Now a Target
    That nice clean MacBook Pro your blockchain engineer uses? It’s probably more exposed than your Windows fleet and more valuable if popped.
  • Recruitment-Based Attacks Are on the Rise
    Threat actors are mimicking hiring processes. That “technical assessment” could be malware. Your HR and security teams should be aware of this vector.
  • Detection Will Lag
    Standard EDR and AV won’t flag a trusted IDE executing a repo’s config file especially when the payload is hosted on a legit domain like Vercel.

What to Do About It

Let’s keep it practical:

  • Educate your dev teams
    Make sure developers know that opening random GitHub projects in VS Code isn’t risk-free. Bake security awareness into onboarding  not just for corporate systems, but for coding practices.
  • Review Git-based workflows
    If you're running private Git servers or using public repos for assessments, revisit your hygiene. Disable auto-execution of tasks where possible.
  • Instrument your environments
    Can you monitor unexpected Node.js or Python activity on developer machines? Probably not today but you should.
  • Threat model for dev tools
    Stop assuming the IDE is sacred. It’s just another process that can be hijacked. Include it in your attack simulations and red teaming.

Final Word



North Korean actors aren’t just after government secrets or nuclear IP anymore. They're targeting software engineers with access to money, code, and infrastructure. And they’re doing it through platforms we trust every day GitHub, VS Code, LinkedIn.







If you’re in cybersecurity, IT leadership, or managing dev teams this isn’t a story to file away under “interesting.” This is a story that belongs in your next team briefing.

Because if you’re still treating developer tools as safe by default, you’re already behind.

Want more breakdowns like this, minus the spin?
Follow TheCyberGuyAU on LinkedIn or subscribe to the blog for grounded takes that help you stay ahead of real threats not vendor headlines.

Comments

Post a Comment

Most Viewed

Qantas Breach: 6 Million Customers at Risk in Major Cyber Attack

-
Image
Date: July 2nd 2025 By: | TheCyberGuyAU Qantas has confirmed a cyber attack has exposed the personal data of millions of its customers — a stark reminder that no brand, no matter how trusted, is immune. What happened? On Monday, Qantas detected unusual activity on a third-party system used by its call centre . That system, now confirmed as compromised, held records for 6 million customers . The initial investigation suggests that a “significant proportion” of the data has been stolen. Names Email addresses Phone numbers Dates of birth Frequent flyer numbers The good news? Qantas says no credit card data, passport numbers, or login credentials were involved. “Our customers trust us with their personal information and we take that responsibility seriously.” — Qantas CEO Vanessa Hudson Who’s behind it? While Qantas has not officially confirmed the group responsible, cybersecurity analysts at CyberCX say the attack has the hallmarks of Scatt...
Read more

Key Reforms Under the Privacy and Other Legislation Amendment Act 2024

-
Image
  Key Reforms Under the Privacy and Other Legislation Amendment Act 2024 1. New Statutory Tort for Serious Invasions of Privacy The Act introduces a new statutory tort , allowing individuals to sue for serious privacy invasions . This includes: Physical privacy violations and misuse of personal information The invasion must be intentional or reckless and serious The individual must have had a reasonable expectation of privacy A public interest test balancing privacy against competing interests Action Steps for Organisations: ✅ Review and update internal privacy policies to address both data breaches and broader privacy concerns , including physical privacy violations. ✅ Conduct regular privacy impact assessments for new projects involving personal data. ✅ Train employees on what constitutes intentional or reckless privacy invasions and how to prevent them. 2. Stronger Enforcement Powers for the OAIC (Office of the Australian Information Commissioner) The OAIC now has enhanced ...
Read more

Why Penetration Testing Is No Longer Optional for Australian Businesses (Even Small Ones)

-
Image
From Superannuation Breaches to Ransomware – Why Pen Testing Is a Must for Aussie Businesses You’re not too small to be a target. And you’re not too “secure” to be breached. One of the most effective ways to take control of your cybersecurity posture is through penetration testing (also called "pen testing"). But many SMBs still see it as something only for banks or ASX-listed giants. That thinking? It’s outdated, risky, and costly in the long run. What Is Penetration Testing, Really? Penetration testing simulates a real cyberattack on your business — without the actual damage. A skilled ethical hacker (or “red team”) tries to break into your systems, apps, or cloud services the same way a malicious actor would. But instead of stealing your data, they show you exactly how they got in and how to fix it. To identify real-world weaknesses before someone else does. Why It Matters More Now — Especially in Australia Cyber attacks against Australian businesses a...
Read more

Penetration Testing for Small Businesses in Australia

-
Image
A Practical Guide for Companies Under $2 Million Turnover Why Pen Testing Isn’t Just for Big Business If you're running a growing business, you might assume cybercriminals are only interested in the big guys — banks, government, multinationals. But here’s the reality: Small businesses are targeted more often — and hit harder. Why? Because attackers know smaller teams often: ๐Ÿ” Reuse passwords ⏰ Skip regular patching ๐Ÿ‘จ‍๐Ÿ’ป Don’t have a full-time IT or cyber team ๐Ÿงช Aren’t testing their defences proactively And that’s where Penetration Testing comes in. What Is Penetration Testing? Penetration testing (or pen testing) is the process of simulating a real-world cyberattack on your systems — not to break things, but to uncover your weak spots before an attacker does . A good pen tester will: ๐Ÿ•ต️ Mimic the tactics of real hackers ๐Ÿšช Attempt to bypass your existing security controls ๐Ÿ“„ Report back with clear insights on what could be exploit...
Read more