Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1

Feb. 27, 2026, 10 a.m.

Description

This intelligence report details the evolution of malware delivery techniques targeting integrated development environments (IDEs) like Visual Studio Code and Cursor. The threat actors, known as Contagious Interview, have expanded their payload staging methods to include GitHub Gists, URL shorteners, Google Drive, and custom domains. New infection chains involve complex loaders, including a custom stack-based bytecode VM and PyArmor-protected Python malware. The report highlights the actors' adaptability in response to takedowns and community reporting, showcasing their use of various obfuscation techniques and masquerading tactics. Detection opportunities and indicators of compromise are provided, including suspicious process behaviors, file paths, and network requests.

External References

https://otx.alienvault.com/pulse/69a16400e81050e6038ad281
https://www.abstract.security/blog/contagious-interview-evolution-of-vscode-and-cursor-tasks-infection-chains
Tags
obfuscation
beavertail
visual studio code
payload staging
weaselstore
url shorteners
pyarmor
2026-02-27
bytecode vm
cursor
github gists
ide

Date

  • Created: Feb. 27, 2026, 9:29 a.m.
  • Published: Feb. 27, 2026, 9:29 a.m.
  • Modified: Feb. 27, 2026, 10 a.m.

Indicators

  • https://nomgwenya.co.za/js/settings?win=32
  • https://camdriver.pro/realtekwin.update?r=7205d529-ff14-4dcf-965b-29d500663a75
  • https://postprocesser.com/.well-known/pki-validation/go/python3.zip
  • https://camdriver.pro/realtekmac.sh?r=7205d529-ff14-4dcf-965b-29d500663a75
  • https://camdriver.pro/realtekwin.update?r=ffa752c6-84e9-4bb9-b3c8-a3ab09cbcbe6
  • https://nomgwenya.co.za/js/bootstrap?win=32
Download all indicators here!

Attack Patterns

  • WeaselStore
  • BeaverTail
  • Contagious Interview

Additional Informations

  • Finance
  • Technologies
  • postprocesser.com
  • nomgwenya.co.za
  • camdriver.pro