Tracking the VS Code Tasks Infection Vector
Essential information
- Published: 23/01/2026 10:13
- Modified: 23/01/2026 11:04
- Tags: 2026-01-23, beavertail, contagious interview, github, invisibleferret, north korea, npm, obfuscation, recruitment schemes, software developers, task files, vs code
- Related entities: 13 observables, 1 intrusion set (apt), 5 techniques (mitre), 2 malware, 27 others
Description
The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in its arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.
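As an added example (not code from the report), the following audit flags tasks in `.vscode/tasks.json` whose `runOptions.runOn` is `folderOpen`, VS Code's setting for running a task when the folder is opened, and notes the two obfuscation traits described above. The 40-character whitespace threshold, the extension list, and the sample file are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# Strings are matched first so "//" inside a URL is not taken for a comment.
JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)
PADDING = re.compile(r"[ \t]{40,}")  # assumed threshold for whitespace hiding
MEDIA = re.compile(r"\.(?:png|jpe?g|gif|svg|ico|woff2?|ttf|otf)\b", re.I)

def load_jsonc(text):
    """Parse tasks.json, tolerating comments and trailing commas."""
    return json.loads(JSONC.sub(lambda m: m[0] if m[0][0] == '"' else "", text))

def audit_tasks(text):
    """Return (label, reasons) for each task set to run when the folder opens."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # Gather the command line, including per-OS overrides.
        scopes = [task] + [task.get(k, {}) for k in ("windows", "linux", "osx")]
        cmd = " ".join(str(s.get(f, "")) for s in scopes for f in ("command", "args"))
        reasons = ["runs on folderOpen"]
        if PADDING.search(cmd):
            reasons.append("long whitespace run in command")
        if MEDIA.search(cmd):
            reasons.append("command references an image or font file")
        findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

def scan_tree(root):
    """Audit every .vscode/tasks.json under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = audit_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError):
            hits = [("<unparseable>", ["tasks.json could not be parsed"])]
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, not taken from the report: one ordinary task, one suspicious.
SAMPLE = """{
  "tasks": [  // comments and trailing commas are legal in tasks.json
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env", "type": "shell", "runOptions": {"runOn": "folderOpen"},
     "command": "echo ok%snode assets/logo.png",},
  ]
}""" % (" " * 60)
```

Run `scan_tree()` over a freshly cloned repository before opening it in VS Code; a legitimate project can also use `folderOpen`, so treat a hit as a prompt to read the command, not as a verdict.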