Tracking the VS Code Tasks Infection Vector

Jan. 23, 2026, 11:04 a.m.

Description

The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.

External References

https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector#appendix-indicators
https://otx.alienvault.com/pulse/697349c8d32812c0e5094e4d
Tags
obfuscation
north korea
npm
github
beavertail
contagious interview
vs code
invisibleferret
software developers
2026-01-23
recruitment schemes
task files

Date

  • Created: Jan. 23, 2026, 10:13 a.m.
  • Published: Jan. 23, 2026, 10:13 a.m.
  • Modified: Jan. 23, 2026, 11:04 a.m.

Indicators

  • www.vscodeconfig.com
  • https://www.regioncheck.xyz/settings/mac?flag=8'
  • https://www.regioncheck.xyz/settings/linux?flag=8'
  • www.regioncheck.xyz
  • https://www.regioncheck.xyz/settings/windows?flag=8
  • https://www.jsonkeeper.com/b/QJZCG
Download all indicators here!

Attack Patterns

  • BeaverTail
  • InvisibleFerret
  • Lazarus Group

Additional Informations

  • brantwork.vercel.app
  • vscodesettingstask.vercel.app
  • task-hrec.vercel.app
  • tailwind-version-four.vercel.app
  • thopywork.vercel.app
  • vscode-project-setting.vercel.app
  • vscode-config-settings.vercel.app
  • api-server-mocha.vercel.app
  • isvalid-regions.vercel.app
  • vscode-load-config.vercel.app
  • codeviewer-three.vercel.app
  • codeviewer-fawn.vercel.app
  • vscode-settings-bootstrap.vercel.app
  • vscode-bootstrapper.vercel.app
  • coreviewer.vercel.app
  • editorsettings.vercel.app
  • vscode-config.vercel.app
  • vscode-settings-config.vercel.app
  • isvalid-region.vercel.app
  • vscode-helper-132.vercel.app
  • jerryfox-platform.vercel.app
  • vscode-helper171-ruby.vercel.app
  • vscode-config-setting.vercel.app
  • vscode-helper171.vercel.app
  • vscode-load.onrender.com
  • vscode-toolkit-bootstrap.vercel.app
  • vscode-lnc.vercel.app