Contagious Interview-style "jackpot" lure — VSCode folderOpen tasks and npm prepare BeaverTail variant
2026-04-29: fake LinkedIn recruiter ("John Armour Lamont") lures Web3 developer into opening github.com/Novara1o1/jackpot in VSCode. Tradecraft overlaps DPRK-attributed Contagious Interview activity; no hard attribution asserted.
4 compromise paths in the repo:
1. VSCode tasks.json runOn:folderOpen — auto-exec on open. Stealth: 233-space padding before `command:` + wordWrap:off + reveal:silent + benign install-root-modules cover task.
2. package.json `prepare` hook → `node server/server.js` on `npm install`.
3. BeaverTail Node.js RCE — server/routes/api/auth.js POSTs {...process.env} to base64-hidden AUTH_API; response eval'd via `new Function(require, resp.data)`.
4. Auth backdoor — controllers/auth.js hard-codes `isMatch=true`.
16 stager hostnames rotated since 2026-01-27, mostly Vercel. ≥4 operator GitHub identities (3 deleted).
Family: BeaverTail; no InvisibleFerret observed. 38 IOCs on ThreatFox, 4 URLs on URLhaus. Full write-up: see Reference.
Indicators of Compromise (54)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| FileHash-SHA256 | 30e37d930ac9462bff41bee6f13bc94fb5c38f331b7621490bb0b43640a486f0 | Full GitHub repo ZIP jackpot-main.zip (2026-04-29) | 2026-05-05 |
| FileHash-SHA256 | 5cb088f8471cad861d18e64c9cf2b692236813e982fb04ab9283f4cf7b5ee11f | Current malicious tasks.json (2375 B) | 2026-05-05 |
| FileHash-SHA256 | cc9e443872d99b07e4bf5f6baa6144fbe0fd24bc610e58340d9b8c755df17fce | Trojanized server/controllers/auth.js (auth-bypass) | 2026-05-05 |
| FileHash-SHA256 | b6987d7732888b73a836c7320fbdc0c0fe5d1238584be66f68371481dc3667ab | Trojanized server/routes/api/auth.js (top-level validateApiKey trigger) | 2026-05-05 |
| FileHash-SHA256 | 2a71e0d2d2c576fe1137c8a7412e6d7bf900249c5ec6ee3db8ee4f1afd66187b | Committed .env with base64-hidden AUTH_API | 2026-05-05 |
| FileHash-SHA256 | 9d777720bafc548807a94ae67489baf2342c78fcb3d469032523ea2f94973d54 | tasks.json — 2026-01-27 (first malicious) | 2026-05-05 |
| FileHash-SHA256 | 22d5d04000915603c7f144fde8e31b451fb814588b5f18bb4840c8ddf14793f3 | tasks.json — 2026-02-03 | 2026-05-05 |
| FileHash-SHA256 | ceff282f32aae9ce3dea6a9b00212e6de90669646180cb5e5bb6bf5353527bbd | tasks.json — 2026-02-20 | 2026-05-05 |
| FileHash-SHA256 | a7cd162c691ad71a4c0c5955765d8f7a60d8b7b9a92b277b1ae74b280644cdf8 | tasks.json — 2026-02-23 | 2026-05-05 |
| FileHash-SHA256 | 5f70dd06715b95b3bedacd06a37e051611901e56246af05fa3ed9f734082de43 | tasks.json — 2026-02-27 | 2026-05-05 |
| FileHash-SHA256 | 363b03a66ccf5d6f8e1632ee33dd37d6e8c4998ac00c8b7d60edcfb6b1dac505 | tasks.json — 2026-03-02 | 2026-05-05 |
| FileHash-SHA256 | a5ddfa8f2127e6f89278d7bff4cc7dec5249b284a2b9512406bdd265a4ab75ca | tasks.json — 2026-03-02 (second push) | 2026-05-05 |
| FileHash-SHA256 | 773ece9712b6b329273710fe39df5847cc2537c2ce22ae291c9de995ce0c1a84 | tasks.json — 2026-03-13 | 2026-05-05 |
| FileHash-SHA256 | b8dd2e60a096daff498d77c01f24b7760e2b23385089f02759b8fa6c5be371e5 | tasks.json — 2026-03-16 | 2026-05-05 |
| FileHash-SHA256 | d8ef1fc9bc5a8eb55d1e34ea48ffc221d8f6e8c29b712c3dbf1e4e6dde43fe23 | tasks.json — 2026-03-17 | 2026-05-05 |
| FileHash-SHA256 | 8a9f86b08e4ebca7c627ef45a9fbc98a25565e3dd581218800a9e1db4a89264b | tasks.json — 2026-03-31 | 2026-05-05 |
| FileHash-SHA256 | 5dd771ee7565f3bc7b66af82102a9408caca6039794807fc52bd2b671bae4e8c | tasks.json — 2026-04-07 | 2026-05-05 |
| FileHash-SHA256 | 1c1f3fcd2a0dde248f4d4060a2b1067e46377ab192a09c02a4f6a798a273ad1d | tasks.json — 2026-04-13 | 2026-05-05 |
| FileHash-SHA256 | 5c11e97aaa968cd1d654512f473a26fa7387cb1a2f5a0cb17a96175e28fd6359 | tasks.json — 2026-04-20 | 2026-05-05 |
| hostname | vscodesettingtask.vercel.app | first malicious stager — trojan birth domain (2026-01-27) | 2026-05-05 |
| hostname | vscodesetting-task.vercel.app | stager rotation 2026-02-03 | 2026-05-05 |
| hostname | vscode-settings-tasks-json.vercel.app | stager rotation 2026-02-20 | 2026-05-05 |
| hostname | vscode-ipchecking.vercel.app | stager rotation 2026-02-23 | 2026-05-05 |
| hostname | vscode-settings-tasks-227.vercel.app | stager rotation 2026-02-27 | 2026-05-05 |
| hostname | vscode-ip-addess-checking.vercel.app | stager rotation 2026-03-02 (operator typo: addess) | 2026-05-05 |
| hostname | vscode-ip-address-checking.vercel.app | stager rotation 2026-03-02 | 2026-05-05 |
| hostname | vscode-ip-address-checking.vercel-ten.app | stager rotation 2026-03-13 (operator typo: wrong TLD) | 2026-05-05 |
| hostname | vscode-ip-address-checking-ten.vercel.app | stager rotation 2026-03-13 | 2026-05-05 |
| hostname | vscode-ipaddress-checking.vercel.app | stager rotation 2026-03-16 | 2026-05-05 |
| hostname | vscode-ipaddress-checking-nine.vercel.app | stager rotation 2026-03-17 | 2026-05-05 |
| hostname | ip-address-vscode-checking.vercel.app | stager rotation 2026-03-31 | 2026-05-05 |
| hostname | vscode-ip-checking-nine.vercel.app | stager rotation 2026-04-07 | 2026-05-05 |
| hostname | ip-address-check1.vercel.app.vercel.app | stager rotation 2026-04-13 (operator typo: doubled .vercel.app) | 2026-05-05 |
| hostname | vscode-address-checking-mo.vercel.app | stager rotation 2026-04-20 | 2026-05-05 |
| hostname | ip-address-check-mo.vercel.app | active stager rotation at interview time (2026-04-28/29) | 2026-05-05 |
| URL | https://ip-address-check-mo.vercel.app/api/settings/linux | Stage-1 stager — Linux | 2026-05-05 |
| URL | https://ip-address-check-mo.vercel.app/api/settings/mac | Stage-1 stager — macOS | 2026-05-05 |
| URL | https://ip-address-check-mo.vercel.app/api/settings/windows | Stage-1 stager — Windows | 2026-05-05 |
| hostname | y-hazel-ten.vercel.app | Stage-2 BeaverTail C2 (base64-hidden in .env AUTH_API) | 2026-05-05 |
| URL | https://y-hazel-ten.vercel.app/api | Stage-2 RCE endpoint — response eval'd via new Function(require, response.data) | 2026-05-05 |
| email | techreview1o1@outlook.com | Operator email (Novara1o1 account, 2025-12-02 to 2026-04-07) | 2026-05-05 |
| email | hiringtecjreview@outlook.com | Operator email (deleted Projectoverview account — signed final staging commits) | 2026-05-05 |
| email | lovelysong0209@gmail.com | Operator email (deleted okada0209 account, 2025-09-12 to 2025-12-09) | 2026-05-05 |
| email | lovelysong0209+2@gmail.com | Operator email (Gmail subaddress form actually used in commits) | 2026-05-05 |
| URL | https://github.com/Novara1o1 | Active operator account — owner of jackpot repo (created 2026-04-20) | 2026-05-05 |
| URL | https://github.com/Projectoverview | DELETED operator account — pushed final trojan staging commits | 2026-05-05 |
| URL | https://github.com/okada0209 | DELETED operator account — earlier dev phase (2025-09-12 to 2025-12-09) | 2026-05-05 |
| URL | https://github.com/DeAngDai354 | DELETED operator account — initial commit only, display name Ivan | 2026-05-05 |
| URL | https://github.com/Novara1o1/jackpot | Trojanized lure repo (PokerXEsports branding) | 2026-05-05 |
| URL | https://www.linkedin.com/in/ACoAACJ0mnwB-d6r6P55oo2-P129Lor9MaMTZf0 | Recruiter persona John Armour Lamont — LURE PERSONA, not malware host | 2026-05-05 |
| URL | https://calendly.com/intro-meeting-tech/45min | Calendly link rotation 1 — LURE SCHEDULING, not malware host | 2026-05-05 |
| URL | https://calendly.com/introduction-tech-meeting/45min | Calendly link rotation 2 — LURE SCHEDULING, not malware host | 2026-05-05 |
| URL | https://calendly.com/meeting-intro-tech/45min | Calendly link rotation 3 — LURE SCHEDULING, not malware host | 2026-05-05 |
| URL | https://meet.google.com/zqz-vaeo-hmb | Interview meeting URL (ephemeral, 2026-04-29) — LURE MEETING, not malware host | 2026-05-05 |