North Korean Hackers Target VS Code with Malicious Git Repos and Extensions

Cybersecurity threats increasingly target Visual Studio Code through malicious Git repositories and extensions, with North Korean hackers using "Contagious Interview" lures to deploy backdoors and steal data. Reports highlight evolving tactics exploiting developer trust. Mitigation involves vigilance, audits, and training to safeguard workflows.
North Korean Hackers Target VS Code with Malicious Git Repos and Extensions
Written by Eric Hastings

In the ever-evolving world of cybersecurity threats, developers’ tools are becoming prime targets for sophisticated attacks. Visual Studio Code, the wildly popular code editor from Microsoft used by millions of programmers worldwide, has emerged as a favored vector for malware deployment. Recent investigations reveal how state-sponsored hackers, particularly those linked to North Korea, are exploiting its features to infiltrate systems through seemingly innocuous Git repositories. This tactic, part of a campaign dubbed “Contagious Interview,” underscores a growing trend where everyday development workflows are weaponized against users.

According to a report from Jamf Threat Labs, published on Jamf, researchers uncovered a scheme where attackers lure victims into cloning malicious repositories. These repos contain hidden scripts that leverage VS Code’s remote tunnel functionality to establish backdoors. The campaign mimics legitimate job interview processes, tricking developers into running code that grants attackers persistent access. Jamf’s analysis details how the malware uses VS Code extensions and configurations to execute payloads without raising immediate alarms, often blending in with normal developer activity.

The mechanics are insidious: once a victim opens the tainted project in VS Code, embedded commands activate, pulling in additional malicious components. This includes deploying a backdoor that communicates with command-and-control servers, potentially exfiltrating sensitive data like credentials and source code. Jamf notes that the attackers, believed to be from the Lazarus Group, have refined this approach over months, adapting to detection methods and expanding their reach across platforms.

The Rise of Tool Exploitation in Development Environments

Expanding on this, other cybersecurity firms have documented similar abuses. For instance, The Hacker News reported in December 2025 about malicious VS Code extensions and packages in ecosystems like Go, npm, and Rust that steal developer data through hidden payloads. These extensions, often disguised as productivity tools, embed code that captures screenshots, Wi-Fi passwords, and browser cookies, as detailed in their article on The Hacker News. The report highlights how attackers exploit the trust developers place in open-source marketplaces.

Infosecurity Magazine echoed these concerns, revealing a campaign involving 19 malicious VS Code extensions that used legitimate npm packages to hide malware in dependency folders. Published in December 2025, the piece on Infosecurity Magazine explains how these extensions initiate multi-stage attacks, leading to credential theft and remote access. The attackers’ strategy relies on the automatic installation and updating features of VS Code, which can propagate malware swiftly across teams.

Visual Studio Magazine has also tracked this pattern, noting in a December 2025 article that threat actors continue to weaponize extensions, with incidents like a fake Prettier extension demonstrating a path from installation to full system compromise. Their coverage on Visual Studio Magazine emphasizes the multi-stage nature, where initial infections evolve into persistent threats, often evading traditional antivirus software.

North Korean Fingerprints and Global Implications

Delving deeper into the Contagious Interview campaign, Jamf’s findings link it directly to North Korean operatives, who have a history of targeting tech professionals for espionage and financial gain. The attackers pose as recruiters, sending GitHub links to “interview tasks” that, when cloned and opened in VS Code, trigger the exploit. This method exploits the editor’s integration with Git, allowing seamless execution of malicious .vscode settings files.

Posts on X (formerly Twitter) from cybersecurity accounts reflect growing alarm. Users have shared instances of VS Code being abused for remote tunneling in phishing schemes, with one post noting how hackers weaponize it for cyber espionage. Another highlighted ransomware capabilities embedded in extensions, pointing to hardcoded credentials that could be exploited by anyone. These social media discussions, dating back to 2023 but surging in late 2025, illustrate a community grappling with the tool’s dual-edged nature.

Hunt.io provided a technical breakdown in December 2025 of a fake VS Code extension that deploys the Anivia loader and OctoRAT in a multi-stage chain. Their blog on Hunt.io describes how the extension initiates contact with attacker-controlled servers, enabling data exfiltration and command execution. This aligns with Jamf’s observations, showing a pattern where VS Code’s extensibility becomes a liability.

Evolving Tactics and Supply Chain Vulnerabilities

Checkmarx has been proactive in exposing these threats, detailing in a November 2025 post how they coordinate with Microsoft to remove malicious extensions from the marketplace. Their article on Checkmarx reveals tactics like brand impersonation and payload staging, urging application security teams to scrutinize IDE ecosystems beyond just libraries.

Looking ahead to 2026, trends suggest an escalation. Cyble’s analysis of new ransomware groups in 2025 predicts that tool-based attacks will dominate, with VS Code forks recommending unclaimed extensions on platforms like Open VSX creating supply chain risks. Their report on Cyble warns of AI-driven enhancements making these exploits harder to detect.

Talos Intelligence’s predictions for 2026, published recently, highlight AI risks and persistent vulnerabilities in developer tools. In their blog on Talos Intelligence, experts foresee threat actors refining VS Code abuses, incorporating prompt injection and social engineering to bypass defenses.

Defensive Strategies for Developers and Organizations

To counter these threats, experts recommend vigilance in repository handling. Jamf advises disabling automatic extension installations and verifying Git sources before cloning. Regular audits of VS Code configurations can reveal anomalies, such as unexpected remote tunnels or unfamiliar extensions.

Organizations should implement endpoint detection and response (EDR) tools tuned for developer environments, as traditional security might overlook VS Code’s behaviors. Training programs emphasizing phishing awareness, especially job-related lures, are crucial, given the Contagious Interview’s success.

Microsoft has responded by enhancing marketplace scrutiny, but gaps remain. The Hacker News also covered forks of VS Code recommending missing extensions, leading to malicious uploads, as noted in a January 2026 update. This points to the need for better verification in open registries.

Broader Ecosystem Risks and Mitigation Innovations

The abuse extends beyond VS Code to related tools. Western Illinois University’s Cybersecurity Center reported in January 2026 on flaws in Anthropic’s MCP Git server allowing file access and code execution via prompt injection. Their news page on Western Illinois University connects this to wider AI-assisted attacks, where malicious README files influence behaviors.

Social media chatter on X amplifies these concerns, with posts discussing LinkedIn-based phishing spreading RAT malware through DLL sideloading, often tied to VS Code workflows. Users warn of the ease with which attackers hide C2 communications in GitHub, a tactic seen in multiple campaigns.

Innovative defenses are emerging. Some firms advocate for sandboxed development environments, isolating VS Code instances to contain potential breaches. Open-source projects are developing plugins that scan extensions for malicious code before activation.

The Human Element in Cyber Defense

At its core, these attacks exploit human trust. Developers, eager to collaborate or advance careers, may overlook red flags in repositories. Jamf’s report stresses education as a frontline defense, recommending peer reviews of code before execution.

Regulatory bodies are taking note. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added vulnerabilities like CVE-2026-20805 to its known exploited list, as covered in The Register’s January 2026 patch analysis on The Register. This flaw, affecting Windows, could compound VS Code risks in enterprise settings.

Microsoft’s own updates, such as the January 2026 security patch causing Remote Desktop issues, highlight the challenges of balancing security and usability, per Cyberpress’s coverage on Cyberpress.

Future-Proofing Against Adaptive Threats

As 2026 unfolds, the focus shifts to proactive measures. Integrating AI for anomaly detection in VS Code could preempt attacks, though irony abounds in using AI against AI-enhanced threats.

Collaboration between tech giants and security researchers is key. Initiatives like those from Checkmarx demonstrate how takedowns can disrupt campaigns, but sustained efforts are needed.

Ultimately, the abuse of VS Code serves as a wake-up call for the development community. By treating tools as potential threats and fostering a culture of skepticism, the industry can mitigate these risks and safeguard innovation.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us