Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1
Essential information
- Published
- 27/02/2026 09:29
- Modified
- 27/02/2026 10:00
- Tags
- 2026-02-27 beavertail bytecode vm cursor github gists ide obfuscation payload staging pyarmor url shorteners visual studio code weaselstore
- Related entities
- 6 observables, 1 intrusion sets (apt), 11 techniques (mitre), 2 malware, 5 others
Description
This intelligence report details the evolution of malware delivery techniques targeting integrated development environments (IDEs) like Visual Studio Code and Cursor. The threat actors, known as Contagious Interview, have expanded their payload staging methods to include GitHub Gists, URL shorteners, Google Drive, and custom domains. New infection chains involve complex loaders, including a custom stack-based bytecode VM and PyArmor-protected Python malware. The report highlights the actors' adaptability in response to takedowns and community reporting, showcasing their use of various obfuscation techniques and masquerading tactics. Detection opportunities and indicators of compromise are provided, including suspicious process behaviors, file paths, and network requests.