North Korea-Linked Hackers Target Developers via Malicious VS Code Projects
"The end goal of these efforts is to abuse VS Code task configuration files to execute malicious payloads staged on Vercel domains, depending on the operating system on the infected host. The task is configured such that it runs every time that file or any other file in the project folder is opened in VS Code by setting the "runOn: folderOpen" option. This ultimately leads to the deployment of BeaverTail and InvisibleFerret."
"Subsequent iterations of the campaign have been found to conceal sophisticated multi-stage droppers in task configuration files by disguising the malware as harmless spell-check dictionaries as a fallback mechanism in the event the task is unable to retrieve the payload from the Vercel domain. Like before, the obfuscated JavaScript embedded with these files is executed as soon as the victim opens the project in the integrated development environment (IDE). It establishes communication with a remote server ("ip-regions-check.vercel[.]app") and executes any JavaScript code received from it."
North Korean threat actors tied to the Contagious Interview campaign use malicious Microsoft Visual Studio Code projects as lures to deliver backdoor implants to compromised endpoints. Targets are instructed to clone repositories from GitHub, GitLab, or Bitbucket and open the projects in VS Code under the pretense of a job assessment. Attackers abuse VS Code task configuration files by setting runOn: folderOpen so tasks execute whenever a file or folder is opened, triggering payload retrieval from Vercel-hosted domains. The operation stages obfuscated JavaScript that connects to ip-regions-check.vercel[.]app and executes any JavaScript returned, ultimately deploying BeaverTail and InvisibleFerret backdoors. Later variants embed multi-stage droppers disguised as spell-check dictionaries as a fallback if Vercel-hosted payloads cannot be fetched. The tactic was first observed in December 2025 and has continued to evolve.
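As an added defender-side check (example code, not from the article or the researchers it cites), the following Python parses a cloned repository's VS Code task configuration and lists every task that would start automatically on folder open, including per-OS command overrides. The path `.vscode/tasks.json`, the `scan_repo` helper and the sample file with its placeholder URL are assumptions constructed for the example.

```python
import json
import re
from pathlib import Path
# VS Code reads tasks.json as JSONC (comments and trailing commas allowed), so plain
# json.loads() fails. String literals are copied verbatim so "//" in a URL survives.
def strip_jsonc(text):
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                        # string literal: copy as-is
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith('//', i):            # line comment
            j = text.find('\n', i); i = n if j < 0 else j
        elif text.startswith('/*', i):            # block comment
            j = text.find('*/', i + 2); i = n if j < 0 else j + 2
        else:
            out.append(text[i]); i += 1
    return re.sub(r',\s*([}\]])', r'\1', ''.join(out))

def auto_run_tasks(tasks_json_text):
    """Tasks VS Code would start on folder open (runOptions.runOn == "folderOpen")."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        commands = {'default': task.get('command')}
        for os_key in ('windows', 'linux', 'osx'):  # per-OS overrides pick a command per host
            if isinstance(task.get(os_key), dict) and 'command' in task[os_key]:
                commands[os_key] = task[os_key]['command']
        findings.append({'label': task.get('label', '<unnamed>'), 'commands': commands})
    return findings

def scan_repo(repo_dir):
    """Run the check on a cloned repository before opening it in VS Code (assumed path)."""
    path = Path(repo_dir) / '.vscode' / 'tasks.json'
    return auto_run_tasks(path.read_text(encoding='utf-8')) if path.exists() else []
# Constructed sample in the shape described above; the URL is a placeholder, not an indicator.
SAMPLE_TASKS_JSON = '''{
  // "build" is an ordinary task; "setup" auto-runs and reaches out to a remote host
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "setup", "type": "shell",
      "command": "node -e \\"fetch('https://PLACEHOLDER.example/check')\\"",
      "windows": { "command": "powershell -c \\"iwr https://PLACEHOLDER.example/check\\"" },
      "runOptions": { "runOn": "folderOpen" }, },
  ],
}'''
```

Running `auto_run_tasks(SAMPLE_TASKS_JSON)` reports only the `setup` task with its default and Windows commands; an empty result means nothing in the file would execute merely by opening the folder.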
Read at The Hacker News