{
  "name": "Tracking the VS Code Tasks Infection Vector",
  "slug": "tracking-the-vs-code-tasks-infection-vector",
  "description": "The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in its arsenal uses Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign abuses VS Code's Tasks feature, setting a task's runOptions property so that malicious shell commands execute automatically when a workspace is opened. Several obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.",
  "published": "2026-01-23T09:13:28+00:00",
  "created_at": "2026-01-23T09:13:28+00:00",
  "modified_at": "2026-01-23T10:04:24+00:00",
  "created_at_opencti": "2026-01-23T09:13:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-23",
    "beavertail",
    "contagious interview",
    "github",
    "invisibleferret",
    "north korea",
    "npm",
    "obfuscation",
    "recruitment schemes",
    "software developers",
    "task files",
    "vs code"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.vscodeconfig.com"
      },
      {
        "id": "",
        "name": "https://www.regioncheck.xyz/settings/mac?flag=8'"
      },
      {
        "id": "",
        "name": "https://www.regioncheck.xyz/settings/linux?flag=8'"
      },
      {
        "id": "",
        "name": "www.regioncheck.xyz"
      },
      {
        "id": "",
        "name": "https://www.regioncheck.xyz/settings/windows?flag=8"
      },
      {
        "id": "",
        "name": "https://www.jsonkeeper.com/b/QJZCG"
      },
      {
        "id": "",
        "name": "andrew_watson@koinos.us"
      },
      {
        "id": "",
        "name": "philip@cryptoasis.com"
      },
      {
        "id": "",
        "name": "leandro@kasta.io"
      },
      {
        "id": "",
        "name": "aman.jaiswal@web3paymentsolutions.io"
      },
      {
        "id": "",
        "name": "kblucky0219@proton.me"
      },
      {
        "id": "",
        "name": "andrew@koinos.us"
      },
      {
        "id": "",
        "name": "bulat@parity.io"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:ce7dee528bdb0d1e",
        "name": "BeaverTail",
        "slug": "beavertail"
      },
      {
        "id": "legacy:malware:e091107a8b9fe2b9",
        "name": "InvisibleFerret",
        "slug": "invisibleferret"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f84d0d4c-ec28-4155-b729-8e2c337a0d90",
        "name": "Lazarus Group",
        "slug": "lazarus-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "brantwork.vercel.app"
      },
      {
        "id": "",
        "name": "vscodesettingstask.vercel.app"
      },
      {
        "id": "",
        "name": "task-hrec.vercel.app"
      },
      {
        "id": "",
        "name": "tailwind-version-four.vercel.app"
      },
      {
        "id": "",
        "name": "thopywork.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-project-setting.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-config-settings.vercel.app"
      },
      {
        "id": "",
        "name": "api-server-mocha.vercel.app"
      },
      {
        "id": "",
        "name": "isvalid-regions.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-load-config.vercel.app"
      },
      {
        "id": "",
        "name": "codeviewer-three.vercel.app"
      },
      {
        "id": "",
        "name": "codeviewer-fawn.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-settings-bootstrap.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-bootstrapper.vercel.app"
      },
      {
        "id": "",
        "name": "coreviewer.vercel.app"
      },
      {
        "id": "",
        "name": "editorsettings.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-config.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-settings-config.vercel.app"
      },
      {
        "id": "",
        "name": "isvalid-region.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-helper-132.vercel.app"
      },
      {
        "id": "",
        "name": "jerryfox-platform.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-helper171-ruby.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-config-setting.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-helper171.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-load.onrender.com"
      },
      {
        "id": "",
        "name": "vscode-toolkit-bootstrap.vercel.app"
      },
      {
        "id": "",
        "name": "vscode-lnc.vercel.app"
      }
    ]
  },
  "external_refs": [
    "https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector#appendix-indicators",
    "https://otx.alienvault.com/pulse/697349c8d32812c0e5094e4d"
  ]
}