VS Code Tasks Abuse by Contagious Interview (DPRK)

2026-01-13 Security Alliance

https://radar.securityalliance.org/vs-code-tasks-abuse-by-contagious-interview-dprk/


Security Alliance analyzes a malicious Bitbucket repository tied to the DPRK Contagious Interview campaign that targets developers through fake recruiting and partnership lures. The repository can execute malware when opened as a trusted VS Code workspace via a folderOpen task, with a fallback application hook that fetches code from chainlink-api-v3.com and executes it through Function.constructor. The Node.js BeaverTail layer steals credentials, browser and wallet data, screenshots, clipboard contents, and enables command execution, while a Python InvisibleFerret layer supports longer-term surveillance, wallet theft, and mining. Reported infrastructure and artifacts include 172.86.116.178, the ctrading repository, hidden staging under ~/.n3/, extension database theft, and commit metadata using a KST+9 timezone. The case matters because merely inspecting attacker-supplied code in VS Code can trigger compromise before a developer intentionally runs the project.
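A pre-open check for the folderOpen vector described above, as an added example that is not from the Security Alliance report or the analyzed repository: it scans a cloned repository for .vscode/tasks.json entries that set runOptions.runOn to folderOpen and lists the commands they would run. The sample tasks.json, its task labels and its script path are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STRING + r"|,(?=\s*[}\]])")

# Constructed sample, not taken from the analyzed repository.
SAMPLE_TASKS = """{
  // comment: VS Code reads tasks.json as JSON with comments
  "version": "2.0.0",
  "tasks": [
    {"label": "env-setup", "type": "shell", "command": "node",
     "args": ["./scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"},
     "presentation": {"reveal": "never"}, },
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}"""

def load_jsonc(text):
    """Parse JSON that may contain comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENTS.sub(keep, text)))

def find_autorun_tasks(repo_root):
    """Return tasks under repo_root whose runOptions.runOn is folderOpen."""
    findings = []
    for path in Path(repo_root).rglob(".vscode/tasks.json"):
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8-sig", errors="replace"))
        except ValueError:  # unparseable config still deserves a manual look
            findings.append({"file": str(path), "label": None, "commands": ["<unparseable>"]})
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in (t for t in tasks if isinstance(t, dict)) if isinstance(tasks, list) else []:
            opts = task.get("runOptions")
            if not isinstance(opts, dict) or opts.get("runOn") != "folderOpen":
                continue
            # A per-OS block (windows/linux/osx) can override the top-level command.
            variants = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
            cmds = [" ".join([str(v["command"]), *map(str, v.get("args", []))]) for v in variants if "command" in v]
            findings.append({"file": str(path), "label": task.get("label"), "commands": cmds})
    return findings

def scan_sample():
    """Write the constructed sample into a temporary repo layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, ".vscode"); cfg.mkdir()
        (cfg / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return find_autorun_tasks(root)
```

Legitimate projects also use folderOpen tasks, so a finding is a prompt to read the listed command before granting workspace trust, not a verdict on the repository.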

Indicators of Compromise

Type    Value                               First Seen  Last Seen
DOMAIN  chainlink-api-v3.com                2025-10-21  2026-03-23
URL     http://chainlink-api-v3.com/api…    2026-01-13  2026-02-19
HASH    b2040f01294c183945fdbe487022cf8e    2025-10-21  2026-02-19
IPv4    172.86.116.178                      2025-10-21  2026-02-03
IPv4    146.70.253.107                      2025-10-10  2026-02-03
HASH    b38de9527e8ead69a8ead5ce52a9202…    2026-01-13  2026-01-13
URL     http://chainlink-api-v3.com/        2026-01-13  2026-01-13
