Sophos CTU reports that NICKEL ALLEY, a North Korean government-linked group, continued Contagious Interview operations against technology professionals through fake companies, fake jobs, malicious GitHub repositories, and developer assessment lures. Since at least mid-2025, the group has used ClickFix-style prompts that tell victims to run local commands which download archives from attacker-controlled domains, execute VBScript, and launch PyLangGhost RAT through a renamed Python binary. PyLangGhost supports file exfiltration, arbitrary command execution, system profiling, browser credential and cookie theft, and targeting of Chrome cryptocurrency wallet extension data, aligning with the campaign’s financial motivation. Sophos also observed GitHub and npm-based developer infection paths, including BeaverTail retrieval via Vercel-hosted payloads and VS Code tasks configured to run curl or wget commands when a project folder is opened.