Severity: HIGH | Category: Attacks | Source: Dark Reading

'Contagious Interview' Attack Now Delivers Backdoor Via VS Code

A 'Contagious Interview' attack delivers a backdoor via VS Code, allowing arbitrary command execution on a victim's system once trust is granted to the repository author. This poses a significant risk due to the potential for widespread compromise through trusted development environments.

Jai Vijayan, Contributing Writer
January 21, 2026
3 Min Read

The North Korean threat actors behind the Contagious Interview campaign are employing a new mechanism that uses Microsoft Visual Studio Code to deliver a previously unseen backdoor that enables remote code execution on developer systems.

Jamf Threat Labs discovered the latest infection method earlier this week and described it in a report as the most recent evolution in an ongoing campaign that has targeted software developers and others through fraudulent job recruitment schemes since at least late 2023.

Blending in With Developer Workflows

As with earlier iterations, the new delivery mechanism is designed to blend seamlessly into legitimate developer workflows. The attack chain starts when targets are asked to clone and open malicious repositories hosted on GitHub or GitLab, typically framed as part of a technical assignment or code review exercise related to the hiring process.

When a developer opens one of these projects in Visual Studio Code, the application prompts them to trust the repository's author. If the victim grants that trust, Visual Studio Code automatically processes a malicious configuration file embedded in the project, which results in arbitrary commands being executed on the victim's system without any further user interaction.

Victims who open the malicious project on a system running macOS end up triggering a hidden command that runs invisibly in the background, then downloads and immediately runs a JavaScript file using Node.js. The code keeps running even if Visual Studio Code is closed and produces no visible output, making the activity hard for the user to notice, Jamf said.

In comments to Dark Reading, Jaron Bradley, director of Jamf Threat Labs, says that hosting malicious repos on these platforms appears to have become quite common for the operators of the Contagious Interview campaign. "In this case, Jamf saw the repository online for at least two weeks before it was removed," which is on par for such repos, he says.

A New Payload

This is the first time that Jamf has seen the particular payload the attackers are delivering via the new approach. "It is different in that it's written entirely in JavaScript," Bradley notes. The attackers are using various social engineering tactics to lure their victims and, in this particular case, appear to be focusing on individuals who are already familiar with Node development, he adds.

Contagious Interview is a data theft campaign that security researchers have attributed with a high degree of confidence to North Korean threat actors. Unlike traditional phishing schemes, Contagious Interview operators have posed as recruiters or job candidates on LinkedIn and developer platforms and used hiring interactions that appear legitimate to deliver malware to victim systems. The campaign primarily targets software developers and IT professionals, especially in high-value areas such as blockchain, cryptocurrency, and emerging technologies, with macOS users being a favorite target. The group's motives appear to be a mix of espionage, initial access brokerage, and financial gain.

Vendors tracking Contagious Interview have described its operators as constantly evolving their operation via new malware families with names like "Ferret" and "BeaverTail," new hosting infrastructure, and even deepfake-enabled job interviews.

"This threat actor primarily targets developer systems involved in cryptocurrency and blockchain projects," Bradley says. "They typically deploy infostealers that rapidly extract credentials and other sensitive information, enabling the attacker to impersonate the developer or gain unauthorized access to related systems."

Jamf's recommendation to developers is that they exercise caution when interacting with third-party repos, especially those received from unfamiliar third parties. Developers also need to review the contents of a repository before marking it as trusted in Visual Studio Code. "Similarly," Jfrog said in its report, "'npm install' should only be run on projects that have been vetted, with particular attention paid to package.json files, install scripts, and task configuration files to help avoid unintentionally executing malicious code."

About the Author

Jai Vijayan, Contributing Writer. Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
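As an added example, not from the article or from Jamf, here is a pre-trust review script in the spirit of the recommendation above: before trusting a cloned repository or running `npm install`, it lists the points where code would run without the developer invoking it (npm lifecycle scripts in package.json and VS Code tasks set to run on folder open). The article does not name the configuration file involved; that it is `.vscode/tasks.json` with `runOptions.runOn` set to `folderOpen` is an assumption, and the sample inputs are constructed.

```python
# Pre-trust review of a cloned repo: list the places where code runs without
# the developer invoking it. Assumption (the article names no file): the VS Code
# configuration is .vscode/tasks.json with runOptions.runOn == "folderOpen".
import json
import os

# npm lifecycle hooks that run during `npm install` with no further interaction.
NPM_AUTORUN_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def review_package_json(text):
    """Findings for scripts that npm executes automatically on install."""
    scripts = json.loads(text).get("scripts", {})
    return [f"package.json: '{k}' runs on install: {v}"
            for k, v in scripts.items() if k in NPM_AUTORUN_HOOKS]

def review_tasks_json(text):
    """Findings for VS Code tasks that start as soon as the trusted folder opens."""
    try:
        tasks = json.loads(text).get("tasks", [])
    except json.JSONDecodeError:
        return ["tasks.json: not plain JSON (comments?), inspect manually"]
    return [f"tasks.json: '{t.get('label', '?')}' runs on folder open: {t.get('command')}"
            for t in tasks if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def review_repo(root):
    """Walk a checkout and collect every auto-execution point for manual review."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "node_modules" in dirpath.split(os.sep):
            continue  # third-party packages are a separate review
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings += review_package_json(open(path).read())
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings += review_tasks_json(open(path).read())
    return findings

# Constructed sample inputs (not from the campaign): one install hook, one task.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "assignment", "scripts": {
    "test": "jest", "postinstall": "node setup.js"}})
SAMPLE_TASKS_JSON = json.dumps({"version": "2.0.0", "tasks": [{
    "label": "build", "type": "shell", "command": "node build.js",
    "runOptions": {"runOn": "folderOpen"}}]})

if __name__ == "__main__":
    for f in review_package_json(SAMPLE_PACKAGE_JSON) + review_tasks_json(SAMPLE_TASKS_JSON):
        print("REVIEW:", f)
```

Run `review_repo(path)` on a fresh clone; an empty result means only that nothing auto-runs from these two files, so the rest of the repository still needs reading before trust is granted.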
