dti.domaintools.com 5/1/2026, 6:41:08 PM · via preferred

Lazarus Exploits Fake Interviews to Steal Developer Credentials


According to LAZARUS, the DPRK Contagious Interview campaign represents a mature evolution of intrusion tradecraft that weaponises legitimate hiring workflows to induce execution of malicious code within trusted developer environments. The campaign targets software developers and technical personnel through fraudulent job interview processes conducted across platforms such as GitHub, LinkedIn, and direct messaging channels, with victims invited to clone and run repositories framed as coding challenges.

These repositories contain embedded payloads designed to harvest credentials, extract session tokens, and enable rapid lateral movement into enterprise environments, often bypassing multi-factor authentication and evading endpoint detection. A key feature is the abuse of Visual Studio Code task automation, where malicious .vscode/tasks[.]json configurations trigger execution automatically upon opening the project.

The operation emphasises credential-centric objectives, including harvesting browser credentials, Git access tokens, SSH keys, and cloud credentials, to pivot into repositories, cloud control planes, or internal systems within minutes.


Article by CyberSIXT