North Korean Hackers Use Code Abuse Techniques in “Contagious Interview” Campaign
Security researchers have attributed the campaign to DPRK threat actors with high confidence following forensic analysis of a malicious Bitbucket repository (0xmvptechlab/ctrading) that employs VS Code task hijacking and npm application hooks to compromise developer environments.
The attack employs a two-tier payload structure combining Node.js and Python components for maximum impact. The Node.js layer executes immediately upon infection, stealing credentials, logging keystrokes, and establishing a covert Remote Access Trojan (RAT) within the hidden .npm directory.
Once initial access is secured, the Node.js controller downloads a Python stager that deploys secondary infrastructure for long-term surveillance, cryptocurrency wallet theft, and cryptographic mining operations.
This architectural design ensures persistence across system reboots and user sessions while maintaining operational flexibility for attackers.
The infection vector typically involves a malicious repository distributed as a “take-home” technical assessment via LinkedIn, or alternatively presented as a code review request when targeting security researchers and company developers.
Threat actors leverage compromised or fabricated profiles with high follower counts to impersonate recruiters and business developers from established organizations like “Meta2140,” creating false legitimacy.
Notably, victims became infected simply by cloning repositories without executing code. VS Code’s “Trusted Workspace” feature automatically triggered malicious tasks during code inspection.
Researchers documented three separate victims within the past month, each approached through identical social engineering tactics and suffering significant financial losses.
The malicious repository’s GitHub commit history consistently carried KST (UTC+9, Korean Standard Time) timezone offsets, strengthening attribution.
Commit data identified the attacker as “Pietro” (GitHub: pietroETH) with associated email addresses onepiece0989753@gmail.com, williammorphy37@gmail.com, and shinobi.design416@gmail.com.
This identity cluster connects to prior DPRK IT worker campaigns developing the fraudulent project “Ultra-X,” enabling moderate-to-high confidence attribution to known DPRK threat actors active since early 2024.
The Python-based malware is an InvisibleFerret variant, while the Node.js layer uses BeaverTail, both well-known DPRK tools.
Radar Security researchers documented all filesystem artifacts and provided detection methods. The persistence modules remain broken on non-Windows platforms, which limits the malware’s impact outside Windows environments.
Organizations should implement VS Code hardening controls immediately, turn off automatic task execution, and enforce workspace trust verification to defend against this persistent threat.
The post North Korean Hackers Use Code Abuse Techniques in “Contagious Interview” Campaign appeared first on Cyber Security News.