PULSE NAME
Tracking the VS Code Tasks Infection Vector
WHITE Lazarus Group AlienVault 2026-01-23 Modified: 2026-01-23
40 IOCs
MEDIUM VOLUME
The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.
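One way to act on the detection opportunity described above is to audit a repository's `.vscode/tasks.json` before opening it in VS Code. This is an added example, not code from the report; the function names, the 40-character whitespace threshold and the extension list are assumptions, and the sample input is constructed.

```python
import json
import re

# Heuristics from the description above; the threshold and extension list are assumptions.
WS_RUN = re.compile(r"[ \t]{40,}")  # command pushed out of view by padding
MEDIA_EXT = re.compile(r"\.(png|jpe?g|gif|svg|ico|woff2?|ttf|otf|eot)\b", re.I)
JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def load_jsonc(text):
    """Parse tasks.json text; VS Code accepts // and /* */ comments in it."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(JSONC.sub(keep_strings, text))


def command_text(task):
    """Join command and args, including the windows/linux/osx overrides."""
    parts = []
    for scope in (task, *(task.get(k, {}) for k in ("windows", "linux", "osx"))):
        parts.append(str(scope.get("command", "")))
        for arg in scope.get("args", []):
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(p for p in parts if p)


def audit_tasks(text):
    """Return (label, reasons) for each task set to run when the folder opens."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd, reasons = command_text(task), ["runs on folder open"]
        if WS_RUN.search(cmd):
            reasons.append("long whitespace run in command")
        if MEDIA_EXT.search(cmd):
            reasons.append("command references an image or font file")
        findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings


# Constructed sample (not from a real repository): one ordinary task, one suspicious.
SAMPLE = "// constructed sample\n" + json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "echo setup" + " " * 60 + "; node ./assets/logo.png",
     "runOptions": {"runOn": "folderOpen"}},
]})

if __name__ == "__main__":
    for label, reasons in audit_tasks(SAMPLE):
        print(f"{label}: {'; '.join(reasons)}")
```

A task that only matches the first reason is not necessarily malicious, since `folderOpen` has legitimate uses; the whitespace and file-extension checks are what narrow the result to the obfuscation patterns the report names.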
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
BeaverTail, InvisibleFerret
Indicators of Compromise (40)