Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains Part 2
2026-03-09 • Abstract Security •
Abstract Security tracks continued Contagious Interview abuse of VS Code and Cursor automated tasks to deploy WeaselStore malware, including the Windows PylangGhost and macOS GolangGhost variants. The Windows chain uses a PowerShell script posing as an NVIDIA CUDA Toolkit update, while the macOS chain uses shell scripts and Golang payloads staged from attacker infrastructure. The campaign targets developers through interview-style workflows and shows cross-platform payload delivery, credential-theft objectives, and repeated abuse of trusted developer tooling.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://ip-checking-notificatio… | 2026-03-09 | 2026-03-09 |
| IPv4 | 23.227.203.99 | 2026-03-09 | 2026-03-09 |
| IPv4 | 144.172.115.189 | 2026-03-09 | 2026-03-09 |
Related Actors
Related Reports
2026-02-25 •
70% Match
Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1
Abstract Security
Shares tags: ContagiousInterview, VSCode • Same author: Abstract Security • Published within a month
Shares tags: ContagiousInterview, PylangGhost • Published within a month
Shares tags: ContagiousInterview, VSCode • Published within a month
Shares tags: ContagiousInterview, VSCode • Published within a month
Shares tags: ContagiousInterview, VSCode • Published within a week
Shares tags: ContagiousInterview, VSCode • Published within a week