Contagious Interview: Tracking the VS Code Tasks Infection Vector

2026-01-20 Abstract Security

https://www.abstract.security/blog/contagious-interview-tracking-the-vs-code-tasks-infection-vector


DPRK-attributed Contagious Interview operators are using fake recruitment and code-review projects to target software developers through GitHub-hosted repositories. The infection vector abuses Visual Studio Code workspace tasks, in particular tasks in .vscode/tasks.json whose runOptions set runOn to folderOpen, so that shell commands can execute after a victim trusts and opens the project. The chain is tied to BeaverTail and InvisibleFerret deployment and overlaps with prior campaign patterns such as Vercel and Render payload hosting, JSON Keeper-style staging, and malicious NPM dependencies. The report documents hunting methods and variants, including curl or wget downloaders, whitespace-padded task commands, and Node.js execution of disguised payloads stored as .dict, .woff2, .jpeg, or .svg files.
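The variants listed above can be checked for before a cloned repository is opened and trusted. The following is an added example, not code from the report: the function names, reason labels and the 40-character padding threshold are assumptions, the sample is constructed, and the input is assumed to be strict JSON (a tasks.json containing comments needs a JSONC-tolerant parser first).

```python
import json
import re

# Heuristics taken from the variants the report names; the 40-character
# padding threshold is an assumption chosen for this example.
DOWNLOADER = re.compile(r"\b(curl|wget)\b", re.I)
PADDING = re.compile(r"[ \t]{40,}")
DISGUISED = re.compile(r"\bnode\b[^|;&]*\.(dict|woff2|jpe?g|svg)\b", re.I)

def command_lines(task):
    """Yield the task's command line and any windows/linux/osx override."""
    scopes = [task] + [task[k] for k in ("windows", "linux", "osx")
                       if isinstance(task.get(k), dict)]
    for scope in scopes:
        parts = [scope.get("command", "")] + list(scope.get("args", []))
        line = " ".join(p if isinstance(p, str) else json.dumps(p) for p in parts)
        if line.strip():
            yield line

def audit_tasks(text):
    """Return {label: sorted reasons} for every task that runs on folder open."""
    findings = {}
    for task in json.loads(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        reasons = {"auto-run"}
        for line in command_lines(task):
            if DOWNLOADER.search(line):
                reasons.add("downloader")
            if PADDING.search(line):
                reasons.add("padding")
            if DISGUISED.search(line):
                reasons.add("disguised-node-payload")
        findings[task.get("label", "<unlabelled>")] = sorted(reasons)
    return findings

# Constructed sample, not taken from any real repository.
ON_OPEN = {"runOn": "folderOpen"}
SAMPLE = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "watch", "type": "shell", "command": "npm run watch",
     "runOptions": ON_OPEN},
    {"label": "env", "type": "shell", "runOptions": ON_OPEN,
     "command": "echo ok" + " " * 200 + "; curl -s https://example.invalid/placeholder"},
    {"label": "fonts", "type": "shell", "command": "echo fonts",
     "osx": {"command": "node ./public/fonts/inter.woff2"}, "runOptions": ON_OPEN},
    {"label": "test", "type": "shell", "command": "npm test"},
]})

if __name__ == "__main__":
    for label, reasons in audit_tasks(SAMPLE).items():
        print(label, reasons)
```

A task reported with only "auto-run" is not necessarily malicious, but any folderOpen task in an unsolicited interview or code-review repository deserves a manual read before the workspace is trusted.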

Indicators of Compromise

