{
	"id": "b0c37897-edbd-4b1e-bbd7-d59bd498cf1a",
	"created_at": "2026-04-06T01:31:03.496513Z",
	"updated_at": "2026-04-10T13:12:20.270988Z",
	"deleted_at": null,
	"sha1_hash": "5ad3d3124479963127071e5bc733dfc03032964b",
	"title": "Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 913065,
	"plain_text": "Contagious Interview: Evolution of VS Code and Cursor Tasks Infection\r\nChains Part 2\r\nBy Abstract Security Threat Research Organization (ASTRO)\r\nPublished: 2026-03-10 · Archived: 2026-04-06 01:24:04 UTC\r\nSummary\r\n*Abstract customers already have visibility into the behaviors described in this report.\r\nThis post is a continuation of Part 1 which covered new techniques used in the Contagious Interview campaign. For\r\ncomplete context on VS Code task abuse in the campaign, please see the original post on tracking this vector. In this final\r\npart, we expand on the previous post and cover in greater detail what options are currently available to mitigate VS Code\r\nTasks abuse.\r\nFindings\r\nWhat WeaselStore Has in Store\r\nThe previous post observed the use of GitHub Gist-hosted scripts to download and execute next-stage payloads which\r\nsubsequently led to installation of WeaselStore infostealer/RAT. WeaselStore targeting Windows is implemented in Python\r\n(AKA PylangGhost) while the variant targeting macOS is written in Go (AKA GolangGhost). The samples make heavy use\r\nof LLM-generated code, and with it comes a number of bugs and redundant logic.\r\nBoth PylangGhost and GolangGhost are known to be used by Contagious Interview and have been thoroughly analyzed by\r\nother researchers, so we will only briefly cover aspects of the samples from this chain.\r\nPylangGhost Deployment\r\nIn the Windows route, a PowerShell script masquerading as an NVIDIA CUDA Toolkit installer downloads a ZIP from the\r\ndomain camdriver[.]pro to the AppData\\Local\\Temp folder as driver.zip and extracts its contents to the same temp\r\nlocation. 
It then launches start.vbs from the extracted directory using wscript.exe in a hidden window.\r\nThe VBScript file extracts a bundled Python environment from Module.zip in the same folder and runs a Python script\r\nwith the following command in a hidden window:\r\ncmd.exe /c svchost.exe updatedriver.py\r\nhttps://www.abstract.security/blog/contagious-interview-evolution-of-vs-code-and-cursor-tasks-infection-chains-part-2\r\nPage 1 of 6\n\nNote that the svchost.exe binary here is actually a Python interpreter, which can be a dead giveaway for detection based\r\non the file's location outside of system files and Original filename of \"python.exe\".\r\nThe Python script decodes and executes Base64-encoded content which serves as the entrypoint to PylangGhost. Notably,\r\nthe script sets surprisingly run-of-the-mill persistence mechanisms. If running with administrative privileges it creates a\r\nscheduled task named \"svchost\" that runs at every logon with highest privileges.\r\nschtasks /Create /TN \"svchost\" /TR \u003cpayload\u003e /SC ONLOGON /RL HIGHEST /RU \u003cuser\u003e\r\nIt falls back to a registry HKCU/Run key named \"svchost\" or user startup folder persistence if not running as admin. The\r\nscheduled task and run key mechanisms register wscript.exe start.vbs whereas the startup folder would just contain\r\nstart.vbs. 
If the logic is run from a compiled Python executable, the mechanisms would instead point to its own EXE.\r\nThe C2 server IP and port are hardcoded - hxxp://144.172.115[.]189:8080.\r\nGolangGhost Deployment\r\nFor macOS, the next stage is a bash script that downloads a ZIP from camdriver[.]pro to /var/tmp/WebCam.zip, extracts\r\nto /var/tmp/WebCam/, makes all extracted contents executable using chmod -R a+x, then immediately executes\r\ncloud.sh from the extracted directory.\r\nThe script also persists /var/tmp/WebCam/cloud.sh via LaunchAgent, writing a launchd plist to\r\n~/Library/LaunchAgents/com.drive.plist with the label \"com.camdrive\" that runs on every login. It opens a\r\nMyCamDriv.app bundle as well, but unlike previous reporting where this would be a Mach-O malware (ChromeUpdateAlert\r\nAKA FrostyFerret), the content of the .app in this sample was empty.\r\nAs previously documented, the GolangGhost source is not compiled and relies on a bundled Go binary for execution, started\r\nby cloud.sh with:\r\n./bin/go run updatedriver.go\r\nThe C2 server and port are the same used by the PylangGhost sample, but there is an additional server and port commented\r\nout - hxxp://23.227.203[.]99:8080.\r\nReusing Backdoored GitHub Repositories\r\nAlong with churning out new repositories backdoored with automated tasks, there are cases where the Contagious Interview\r\nactors cycle through payload staging URLs in the same repo. In the recent case of LimitBreakOrgs/bet_ver_1, the latest\r\ncommit as of this post swaps a new Vercel staging domain into tasks.json. That commit is preceded by 3 other commits\r\nrotating the stager URL here, here, and here.\r\nIt also sneaks a backdoor into the application code itself, showing that the actors stack techniques. 
The backdoor is a\r\nContagious Interview technique that has already been well documented, marked by node process.env exfiltration to\r\nhxxps://ip-checking-notification-firebase-2.vercel[.]app/api and arbitrary execution of the response payload.\r\nMitigations\r\nNew VS Code Releases\r\nIn response to reporting on VS Code Tasks abuse, Microsoft included a mitigation in the January 2026 update (version\r\n1.109) released in early February. This release disabled automatic task execution by default, whereby the\r\ntask.allowAutomaticTasks user setting is no longer set to \"on\" unless modified by the user.\r\nThe update also prevents the setting from being defined at the workspace level, so malicious repositories with their own\r\n.vscode/settings.json file should not be able to override the user (global) setting.\r\nThis version and the recent February 2026 (version 1.110) release also introduce a secondary prompt that warns the user\r\nwhen an auto-run task is detected in a newly opened workspace. This acts as an additional guard after a user accepts the\r\nWorkspace Trust prompt.\r\nAn Important Caveat\r\nHowever, note that selecting to allow automatic tasks is not scoped to just that workspace, but rather sets the global\r\ntask.allowAutomaticTasks user setting back to \"on\", which affects all workspaces. This means that, while the additional\r\nprompt is an improvement for mitigation, it isn't a fail-safe. 
Along with Workspace Trust and Extension Update settings, the\r\nAutomatic Tasks setting should also be regularly audited as part of application policies.\r\nAs of early March 2026, organizations and VS Code users are advised to update to the latest version 1.110 and ensure that\r\ntask.allowAutomaticTasks is set to \"off\" in user settings.json, which is located by default at the following paths:\r\nmacOS - ~/Library/Application Support/Code/User/settings.json\r\nWindows - %APPDATA%\\Code\\User\\settings.json\r\nLinux - ~/.config/Code/User/settings.json\r\nDetection Opportunities\r\nWindows binary masquerading as svchost.exe - A process named svchost.exe located outside of\r\nC:\\Windows\\System32 and C:\\Windows\\SysWOW64, or whose PE Original Filename metadata does not resemble\r\nsvchost.exe is a strong masquerading indicator.\r\nwscript.exe launched from PowerShell or CMD prompt - While this can occur legitimately, it is generally an unusual\r\nprocess relationship.\r\nwscript.exe launching scripts from temp directories - wscript.exe executing .vbs files from %TEMP% or its\r\nsubdirectories, particularly when the VBScript spawns cmd.exe or script interpreters in hidden windows.\r\nScheduled task or Run key named \"svchost\" - A scheduled task or\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value named \"svchost\". The real svchost.exe is managed by\r\nthe Service Control Manager, not by scheduled tasks or registry autoruns.\r\nLaunchAgent executing from /var/tmp/ - A LaunchAgent plist in ~/Library/LaunchAgents/ referencing shell scripts or\r\nexecutables in /var/tmp/.\r\nGo source runtime compilation from temp or user-writable directories - go run executing .go source files from\r\n/var/tmp/, /tmp/, or similar directories. 
Legitimate Go development does not typically compile and run source from\r\ntemp locations.\r\nPortable Python or Go runtime extracted to unusual locations - Extraction of a bundled runtime environment (e.g. a\r\nPython distribution or a standalone Go binary) to temp folders or non-standard installation paths.\r\nMass executable permission changes after archive extraction - chmod -R a+x applied to a directory shortly after\r\nextracting an archive. Blanket executable permissions on all extracted contents are unusual.\r\nConclusion\r\nIt's easy to dwell on all the various ways that VS Code and Cursor automated tasks can be abused, but the bottom line for\r\ndefenders is how to mitigate and detect the vector. With the updates to VS Code in recent releases that reduce the likelihood\r\n(to an extent) of successful social engineering to execute malicious tasks, organizations and individuals should ensure their\r\napplications are up to date, and that key user settings are regularly audited to ensure that task auto execution is disabled.\r\nAppendix\r\nIndicators\r\nSome indicators featured in this post have already been listed in Part 1.\r\nIP Addresses\r\nIPv4 Description\r\n144.172.115[.]189 PylangGhost and GolangGhost C2 server (port 8080)\r\n23.227.203[.]99 GolangGhost C2 server (port 8080) (commented out in sample)\r\nDomains\r\nDomain Description\r\nvscode-settings-tasks-227.vercel[.]app Payload endpoint in tasks file\r\nip-checking-notification-firebase-2.vercel[.]app Node process.env exfiltration and response payload endpoint\r\nHashes\r\nSHA-256 Hash Description\r\n9b5394f76c5a71965593159d82281f6763944e6742e87a8647c464691b48763c updatedriver.py (part of PylangGhost)\r\n200cd1d874e345a3a3f04d2059f2a1a01e6769a7720c2a43b2e5dd85b77c7e64 updatedriver.go (part of GolangGhost)\r\nFile Paths and 
Artifacts\r\nArtifact\r\nAppData\\Local\\Temp\\driver.zip\r\nstart.vbs\r\nModule.zip\r\nsvchost.exe (PE Original Filename: python.exe)\r\nupdatedriver.py\r\nScheduled task named svchost\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost\r\n/var/tmp/WebCam.zip\r\n/var/tmp/WebCam/\r\n/var/tmp/WebCam/cloud.sh\r\n/var/tmp/WebCam/bin/go\r\nupdatedriver.go\r\n~/Library/LaunchAgents/com.drive.plist\r\nMyCamDriv.app\r\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKa45DiAIAJseCSBhB5Gg1HOwY9+/lzTuz4bpSWuEBYCrGSclBFeegekgFvJ95+UJavOMm0fKh581Ee3E8BGOJ2MdhaIXSlfa8Pe9vyLH rsa-key-20260210\r\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBDcBOws9B20niFttGbKqkMUIL8r/z5PPQQ0qS2dIIt96opEAYGrg40YvTrJQpfEK8fdGFtK2CKWOfe8rD0OdXEjmsx8QZpC5noVsYt5e rsa-key-20260211\r\nGitHub Repositories\r\nRepository Description\r\nLimitBreakOrgs/bet_ver_1 Backdoored repo with rotating stager URLs in tasks.json and application code backdoor\r\nAssociated Users\r\nUser Description\r\nLimitBreakOrgs Owner of bet_ver_1 repo\r\nSource: https://www.abstract.security/blog/contagious-interview-evolution-of-vs-code-and-cursor-tasks-infection-chains-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.abstract.security/blog/contagious-interview-evolution-of-vs-code-and-cursor-tasks-infection-chains-part-2"
	],
	"report_names": [
		"contagious-interview-evolution-of-vs-code-and-cursor-tasks-infection-chains-part-2"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439063,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ad3d3124479963127071e5bc733dfc03032964b.pdf",
		"text": "https://archive.orkl.eu/5ad3d3124479963127071e5bc733dfc03032964b.txt",
		"img": "https://archive.orkl.eu/5ad3d3124479963127071e5bc733dfc03032964b.jpg"
	}
}