Threat actors behind the campaign are abusing Microsoft Visual Studio Code’s trusted workflows to execute and persist malicious code.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

The Contagious Interview campaign has evolved to weaponize VS Code by embedding malicious code in tasks.json configuration files. When developers open and trust a repository, hidden commands automatically execute JavaScript payloads from remote servers, establishing persistent backdoors. Attackers use social engineering tactics like fake interview assignments to trick developers into cloning malicious Git repositories. The backdoor persists even after VS Code is closed, and attackers often host payloads on legitimate platforms like Vercel to evade detection. Security researchers recommend carefully reviewing repository contents before marking them as trusted and vetting package.json files before running npm install.

Contagious Interview turns VS Code into an attack vector