Microsoft Defender Experts has observed the Contagious Interview campaign, a sophisticated social engineering operation active since at least December 2022, with ongoing detections in recent customer environments. The threat targets software developers at enterprise solution providers and media and communications firms by abusing trust in recruitment workflows.
Initial access is often achieved through convincingly staged recruitment processes, including recruiter outreach, technical discussions, assignments, and follow-ups that lead victims to run malicious packages or commands. The attack chain involves users cloning and executing an NPM package from code hosting platforms such as GitHub, GitLab, or Bitbucket, which then loads a follow-on payload and deploys a backdoor in the background, sometimes via Visual Studio Code workflows.
Backdoors observed in this campaign include Invisible Ferret, BeaverTail, and FlexibleFerret. Invisible Ferret, which is Python-based, is now predominantly deployed as a follow-on payload and enables remote command execution, extended reconnaissance, and persistence. Defenders are urged to treat recruitment workflows as attack surfaces, use isolated interview environments, monitor developer endpoints and build tools, and watch for suspicious repository activity and dependency execution patterns.
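
One way to check a cloned interview assignment for dependency execution patterns before anything is installed or opened in an editor. This is an added example, not code from Microsoft or from the campaign; the function names and the sample repository contents are constructed for illustration. It assumes the two implicit execution paths of interest are npm lifecycle scripts and Visual Studio Code tasks set to run on folder open.

```python
import json
import os
import re

# Scripts npm runs on its own during `npm install`, before the developer runs anything.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# A VS Code task with this run option starts on folder open (if automatic tasks are allowed).
RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def check_package_json(text):
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return ["package.json could not be parsed; review by hand"]
    if not isinstance(scripts, dict):
        return ["scripts field is not an object; review by hand"]
    return [f"npm lifecycle script '{h}': {scripts[h]}" for h in LIFECYCLE_HOOKS if h in scripts]

def check_tasks_json(text):
    # tasks.json may contain comments, so match on the raw text instead of parsing it.
    return ["task set to run on folder open"] if RUN_ON_OPEN.search(text) else []

def audit_repo(root):
    """Return sorted (relative path, finding) pairs for code that would run implicitly."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                check = check_package_json
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                check = check_tasks_json
            else:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings += [(rel, f) for f in check(fh.read())]
    return sorted(findings)

def write_sample_repo(root):
    """Constructed sample: a take-home 'assignment' with two implicit execution paths."""
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "sample-assignment",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}, fh)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as fh:
        fh.write('{ // constructed\n "tasks": [{"label": "env", "command": "node setup.js",\n'
                 '   "runOptions": {"runOn": "folderOpen"}}] }')
```

Calling `audit_repo()` on a checkout only reads files, so it can be run inside the isolated interview environment before `npm install` or before the folder is opened in an editor. A finding is a prompt for manual review, since legitimate projects also use lifecycle scripts.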