Deep Dive into Active Github Network Running Contagious Interview

2026-05-18 meowmfer

https://archive.md/JMkiH

DPRK-linked Contagious Interview activity is targeting cryptocurrency developers and blockchain companies through fake job interviews, poisoned GitHub repositories, and malicious npm packages. The report describes a multi-stage infection chain that abuses VS Code and Cursor configuration, git hooks, npm lifecycle scripts, and hidden JavaScript payloads to execute malware when developers open project folders. The latest BeaverTail RAT build shifts from automatic theft to operator-directed WebSocket control, using commands such as ss_eval64 for in-memory JavaScript execution and ss_connect for live C2 redirection. Persistence now relies on injecting loader code into application files for VS Code, Cursor, Antigravity IDE, Discord, and GitHub Desktop, while prior Python InvisibleFerret and OtterCookie-style modules are absent.
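
A pre-open audit for the auto-execution points named above (editor configuration, npm lifecycle scripts, git hooks), as an added example that is not code from the report. It assumes the editor abuse takes the form of a VS Code task with `runOn: folderOpen`, which the summary does not specify; `audit_repo` and `build_sample` are hypothetical names and the sample tree is constructed.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Scripts npm runs automatically during a local `npm install`.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Assumed abuse: a VS Code task with runOn=folderOpen; regex since tasks.json allows comments.
AUTORUN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def audit_repo(root):
    """Return sorted (kind, relative_path, detail) findings for manual review."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if name == "tasks.json" and path.parent.name == ".vscode":
                if AUTORUN.search(path.read_text(errors="replace")):
                    findings.append(("vscode-autorun-task", rel, "runOn=folderOpen"))
            elif name == "package.json":
                try:
                    scripts = json.loads(path.read_text(errors="replace")).get("scripts")
                except (ValueError, AttributeError):
                    continue  # unparsable, or top level is not a JSON object
                for hook in LIFECYCLE:
                    if isinstance(scripts, dict) and hook in scripts:
                        findings.append(("npm-lifecycle-script", rel, f"{hook}: {scripts[hook]}"))
            elif path.parts[-3:-1] == (".git", "hooks") and not name.endswith(".sample"):
                # git ships inactive *.sample templates; anything else deserves a look
                findings.append(("git-hook", rel, "non-sample hook file"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree; all commands are harmless placeholders."""
    files = {
        ".vscode/tasks.json": '{"tasks": [{"label": "x", // c\n "runOptions": {"runOn": "folderOpen"}}]}',
        "package.json": '{"scripts": {"test": "jest", "postinstall": "node placeholder.js"}}',
        ".git/hooks/pre-commit": "#!/bin/sh\necho placeholder\n",
        ".git/hooks/pre-push.sample": "#!/bin/sh\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_repo(tmp), sep="\n")
```

Run it against a freshly unpacked project from a terminal, before the folder is opened in an editor or `npm install` is run; a finding is a prompt to read the referenced file, not proof of compromise.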

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| IPv4 | 198.105.127.210 | 2026-03-05 | 2026-06-12 |
