Categories: Cyber Security News

North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform Malware

North Korean hackers have found a new way to hide malware inside the tools that software developers rely on every day. Instead of depending on phishing emails or planted links alone, they are burying malicious code inside Git hooks, small scripts that Git runs automatically at fixed points in a developer's workflow, such as just before a commit is created.

The campaign is a fresh evolution of a long-running operation known as Contagious Interview, linked to North Korea’s Lazarus Group. Attackers pose as fake recruiters on platforms like LinkedIn and reach out to software developers with promises of a legitimate job opportunity.

Victims are handed a coding assessment hosted in a GitHub repository; once they clone it and begin working on it, the trap is already set.

Researchers at OpenSourceMalware identified the technique and found the malicious script tucked inside the repository's .githooks directory as a pre-commit hook. Git runs a pre-commit hook when a developer attempts a commit, before the commit object is written, so the payload fires on the victim's first commit into the assessment repository.

Most developers never question a repository received as part of a job test, which is exactly what makes this attack so difficult to detect in time.

Git Hooks as a Stealth Delivery Channel

The malware is built to work across multiple operating systems at once. Once triggered, the hook script checks what system the victim is running, then silently contacts a remote server to pull down the right payload.

Windows users receive one version, while macOS and Linux users get another. The goal stays the same across all platforms: steal crypto wallets, harvest sensitive credentials, and establish persistent access to the victim’s machine on behalf of the attacker.

Git hooks are a built-in feature of Git, the version control system used by practically every developer. They are scripts that Git runs automatically at fixed points in the workflow: pre-commit before a commit is created, post-checkout after a checkout or switch, pre-push before a push, and so on. In legitimate use, teams rely on them to enforce formatting, linting and test checks before a commit goes through. Two details matter for this attack. First, hooks live by default in the untracked .git/hooks directory, so they are never transmitted by git clone; a hook directory that is tracked in the repository, such as .githooks, only runs once core.hooksPath is configured to point at it. The report does not say how that setting was applied in this campaign, so any file or instruction in a received repository that sets core.hooksPath (a README step, a setup script, a package manager lifecycle script) should be treated as part of the attack chain. Second, a hook that exits non-zero aborts the commit, so a hook designed to stay invisible must always exit 0 whether or not its download succeeded.

In this attack, the group plants a malicious pre-commit hook inside the repository handed to job candidates. The script is intentionally short and looks unremarkable at a glance. When the developer commits a change, the hook runs in the background, fingerprints the operating system, and contacts a remote server at a domain chosen to look like legitimate developer infrastructure; the host listed in the indicators below sits on vercel[.]app, a hosting platform developers routinely use.

That server delivers a different payload depending on the victim's system: a shell script for macOS and Linux, and a batch-compatible .cmd payload for Windows. Both versions install implants capable of stealing credentials, draining cryptocurrency wallets and reporting back to the operators, while the commit itself appears to succeed without any issue.
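To make the activation step concrete, here is an added shell example (written for this edit, not the researchers' code or the campaign's hook) that builds a throwaway repository, commits a tracked .githooks/pre-commit that only records that it ran, and shows that Git ignores it until core.hooksPath is set. How the attackers applied that setting is not stated in the report; the script sets it by hand as a stand-in for whatever setup step did so. It assumes sh, git and mktemp are available, and the repository name, commit messages and marker file are arbitrary choices.

```shell
#!/bin/sh
# Added example, not code from the report or the campaign. Demonstrates that a
# pre-commit hook tracked in .githooks is inert after clone/commit and only
# executes once core.hooksPath points at that directory. The "hook" is a
# benign stand-in that records that it ran; nothing is downloaded.
# Requires: sh, git, mktemp.

demo_hook_activation() (
  set -e
  work=$(mktemp -d)
  # Ignore the user's global/system git config so a pre-existing hooksPath
  # cannot skew the result (HOME covers older git versions).
  export HOME="$work" GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null
  repo="$work/assessment"          # hypothetical "coding assessment" clone
  git init -q "$repo"
  mkdir -p "$repo/.githooks"
  cat > "$repo/.githooks/pre-commit" <<'EOF'
#!/bin/sh
# Benign stand-in for the downloader stage: records the OS it would fingerprint.
echo "pre-commit ran on $(uname -s)" >> .hook-fired
exit 0   # a non-zero exit would abort the commit and make the hook visible
EOF
  chmod +x "$repo/.githooks/pre-commit"
  cd "$repo"

  # Stage 1: the hook is tracked and committed, but Git never runs it.
  git add .githooks
  git -c user.name=dev -c user.email=dev@example.invalid -c commit.gpgsign=false \
      commit -q -m "add tracked hooks directory"
  if [ -f .hook-fired ]; then echo "fired-unexpectedly"; else echo "inert"; fi

  # Stage 2: something sets core.hooksPath (this is the step to hunt for in a
  # received repository); the very next commit now executes the tracked hook.
  git config core.hooksPath .githooks
  echo "solution" > task.py
  git add task.py
  git -c user.name=dev -c user.email=dev@example.invalid -c commit.gpgsign=false \
      commit -q -m "work on the assessment"
  if [ -f .hook-fired ]; then echo "fired"; else echo "silent"; fi

  cd / && rm -rf "$work"
)

# Run directly with: sh hook_activation.sh run   (prints "inert" then "fired")
if [ "${1:-}" = "run" ]; then
  demo_hook_activation
fi
```

The two printed lines are the whole point: the same committed file is harmless in stage 1 and executes in stage 2, and the only difference is one line of repository-local configuration. That is why a received repository should be searched for anything that writes core.hooksPath, not just for the hook scripts themselves.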

Cross-Platform Malware and Persistence

What makes this campaign stand out is how cleanly it runs across multiple platforms. Most malware is built with one operating system in mind, but this attack delivers a tailored payload to macOS, Linux, and Windows users from a single entry point. That level of flexibility points to an experienced, well-resourced group that invests heavily in keeping its campaigns active.

The implants delivered in this campaign belong to malware families the Lazarus Group has used in earlier operations, including BeaverTail and InvisibleFerret. These tools support keylogging, remote access, browser data theft and file exfiltration. Researchers have also noted the use of post-checkout hooks, which Git runs after every git checkout or git switch (and after git clone, if a hook path is already configured on the machine), giving the malware further chances to re-execute without any visible user action.

Developers and security teams can take concrete steps to reduce their exposure. Any repository received through a hiring process or from an unfamiliar source should be treated as hostile until verified. Before opening such a project in an editor or running any of its tooling, list and read every script in the .githooks directory (and in any other directory the repository's files point core.hooksPath at), check the clone with git config --get core.hooksPath and the workstation with git config --global --get core.hooksPath, and look for anything in README files, setup scripts or package manager scripts that sets that option. Run unknown repositories inside an isolated virtual machine with no saved credentials, SSH keys, browser profiles or wallet files. Adopting organization-wide Git hook inspection policies and reporting suspicious pre-commit hook patterns to threat intelligence platforms also help the wider security community respond faster.
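The following shell script is an added example of the pre-open inspection described above, written for this edit rather than taken from the report or from any published tool. Given the path of a clone, it lists hook scripts in .githooks, hooks/ and .git/hooks, flags any file in the tree that mentions core.hooksPath (the setting that would arm a tracked hook), and flags hook contents that download or execute remote code. The hook names, the suspicious-command patterns and the output labels are my own choices; it assumes only sh, find and grep, and calls git only for the optional global-config check.

```shell
#!/bin/sh
# Added example (not a tool from the report): pre-open triage of a repository
# received from a recruiter or other untrusted source.
# Usage: sh scan_hooks.sh /path/to/clone   -> exit status 1 means findings.

# Hook names Git recognises; a file with one of these names in a hooks
# directory is a candidate for execution. (Subset chosen for this example.)
HOOK_NAMES="pre-commit prepare-commit-msg commit-msg post-commit pre-push post-checkout post-merge post-rewrite pre-rebase"

# Things a short "code quality" hook has no reason to contain: downloaders,
# interpreters fed from stdin or -c, decoders, OS fingerprinting, daemonising.
SUSPECT_RE='curl|wget|Invoke-WebRequest|powershell|certutil|bitsadmin|base64|eval |\| *(ba|z)?sh( |$)|uname|python[23]? -c|node -e|nohup'

# Emits one finding per line, prefixed HOOK, SUSPECT or HOOKSPATH. Always
# returns 0 so it can be captured safely under set -e.
_collect_findings() {
  repo=$1
  for name in $HOOK_NAMES; do
    for f in "$repo/.githooks/$name" "$repo/hooks/$name" "$repo/.git/hooks/$name"; do
      [ -f "$f" ] || continue
      echo "HOOK $f"
      if grep -Eq "$SUSPECT_RE" "$f"; then
        echo "SUSPECT $f: $(grep -En "$SUSPECT_RE" "$f" | head -n 1)"
      fi
    done
  done
  # Any file that mentions hooksPath: .git/config (already armed), README
  # instructions, install scripts, package.json lifecycle scripts, Makefiles.
  find "$repo" -type f ! -path '*/.git/objects/*' 2>/dev/null | while read -r f; do
    if grep -q 'hooksPath' "$f" 2>/dev/null; then echo "HOOKSPATH $f"; fi
  done
  return 0
}

# Prints findings and returns 1 if there are any, 0 for a clean tree.
scan_repo_hooks() {
  findings=$(_collect_findings "${1:-.}")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# A global hooksPath would make every clone on the workstation run its hooks;
# worth knowing before cloning anything untrusted.
check_global_hookspath() {
  command -v git >/dev/null 2>&1 || return 0
  g=$(git config --global --get core.hooksPath 2>/dev/null || true)
  [ -n "$g" ] && echo "HOOKSPATH global core.hooksPath=$g"
  return 0
}

if [ $# -gt 0 ]; then
  check_global_hookspath
  scan_repo_hooks "$1"
fi
```

On a clone that carries a .githooks/pre-commit fetching a script with curl and a package.json whose postinstall runs git config core.hooksPath .githooks (a constructed scenario, not the campaign's actual files), the output is a HOOK line, a SUSPECT line quoting the curl command, and a HOOKSPATH line naming package.json; a repository with only source files returns 0 with no output. Findings are the cue to keep the repository inside the isolated VM rather than a signal to delete the clone, since the hook script itself is useful evidence for reporting.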

Indicators of Compromise (IoCs):

Type        | Indicator                                                          | Description
Domain      | precommit[.]vercel[.]app                                           | C2 server hosting per-platform malware payloads; serves shell scripts to macOS/Linux victims and batch payloads to Windows victims
URL         | https://precommit[.]vercel[.]app/percival[.]macflag                | macOS/Linux payload delivery endpoint
URL         | https://precommit[.]vercel[.]app/minimal[.]macflag                 | macOS/Linux minimal payload endpoint
URL         | https://precommit[.]vercel[.]app/winds[.]cmd                       | Windows payload delivery endpoint
File        | .githooks/pre-commit                                               | Malicious pre-commit hook script placed in the cloned repository to trigger the payload download
GitHub Repo | github[.]com/precommit[.]vercel[.]app/percival[.]checkout[.]maclag | Multiple-repo frequent query (GitHub code search)
File Hash   | 7ECFCCF (partial, commit-linked)                                   | Identical pre-commit hook committed to several GitHub repositories following the Contagious Interview lure pattern

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform Malware appeared first on Cyber Security News.

rssfeeds-admin
