Find notable cyber news and cases, enriched with sources, timelines, and signals.

BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse

Malware Activity
First reported
Last updated
Happening score
H score 39
2 unique sources, 7 articles

Summary

Hide ▲

North Korean threat actors tied to Contagious Interview are running the PolinRider malware activity across 108 unique packages and browser extensions on npm, Packagist, Go, and Google Chrome. The activity has compromised 1,951 public GitHub repositories tied to 1,047 unique owners as of April 11, 2026, and uses malicious VS Code task files, compromised maintainer access, and Git history rewriting to trigger JavaScript execution and hide changes. The latest payload chain reaches blockchain infrastructure including TRON, Aptos, and BNB Smart Chain and can unpack to DEV#POPPER RAT and OmniStealer. Public reporting also links the operation to BeaverTail delivery through obfuscated JavaScript loaders in public GitHub repositories.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

How related: The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider.

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret

Campaign
H score9 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...

Timeline

  1. 22.04.2026 17:48 2 articles · 2mo ago

    Contagious Interview becomes self-propagating supply chain malware

    Campaign Scope Update

    North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.

    Show sources
  2. 20.01.2026 20:41 4 articles · 5mo ago

    Contagious Interview uses malicious VS Code projects for backdoor delivery

    Initial Disclosure

    North Korean threat actors tied to Contagious Interview used malicious Microsoft Visual Studio Code (VS Code) projects to lure developers into opening Git repositories that abuse task configuration files, including `tasks.json` and `runOn: folderOpen`, to fetch JavaScript from Vercel-hosted infrastructure and deploy backdoors on compromised endpoints. The activity includes the delivery of BeaverTail and InvisibleFerret, a macOS path that uses `nohup bash -c` and `curl -s` to pipe JavaScript into the Node.js runtime, and related variants that fall back to `grayavatar`, Tsunami (aka TsunamiKit), XMRig, and AnyDesk.

    Show sources
  3. 16.10.2025 17:56 1 articles · 8mo ago

    UNC5342 adopts EtherHiding for Contagious Interview delivery

    Technical Analysis Update

    Google Threat Intelligence Group attributed UNC5342, a North Korean threat cluster also tracked as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi, with using EtherHiding since February 2025 to distribute malware and enable cryptocurrency theft through BNB Smart Chain (BSC) or Ethereum smart contracts, alongside the Contagious Interview chain that uses npm packages, BeaverTail, JADESNOW, and InvisibleFerret against Windows, macOS, and Linux systems.

    Show sources