BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse
Malware Activity
Summary
Hide ▲
Show ▼
North Korean threat actors tied to Contagious Interview are running the PolinRider malware activity across 108 unique packages and browser extensions on npm, Packagist, Go, and Google Chrome. The activity has compromised 1,951 public GitHub repositories tied to 1,047 unique owners as of April 11, 2026, and uses malicious VS Code task files, compromised maintainer access, and Git history rewriting to trigger JavaScript execution and hide changes. The latest payload chain reaches blockchain infrastructure including TRON, Aptos, and BNB Smart Chain and can unpack to DEV#POPPER RAT and OmniStealer. Public reporting also links the operation to BeaverTail delivery through obfuscated JavaScript loaders in public GitHub repositories.
Related Happenings
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
How related:
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider.
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignHow related: The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider.
About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
Timeline
-
22.04.2026 17:48 2 articles · 2mo ago
Contagious Interview becomes self-propagating supply chain malware
Campaign Scope UpdateNorth Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.
Show sources
- DPRK Fake Job Scams Self-Propagate in 'Contagious Interview' — www.darkreading.com — 22.04.2026 17:48
- North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign — thehackernews.com — 04.07.2026 14:17
-
20.01.2026 20:41 4 articles · 5mo ago
Contagious Interview uses malicious VS Code projects for backdoor delivery
Initial DisclosureNorth Korean threat actors tied to Contagious Interview used malicious Microsoft Visual Studio Code (VS Code) projects to lure developers into opening Git repositories that abuse task configuration files, including `tasks.json` and `runOn: folderOpen`, to fetch JavaScript from Vercel-hosted infrastructure and deploy backdoors on compromised endpoints. The activity includes the delivery of BeaverTail and InvisibleFerret, a macOS path that uses `nohup bash -c` and `curl -s` to pipe JavaScript into the Node.js runtime, and related variants that fall back to `grayavatar`, Tsunami (aka TsunamiKit), XMRig, and AnyDesk.
Show sources
- North Korea-Linked Hackers Target Developers via Malicious VS Code Projects — thehackernews.com — 20.01.2026 20:41
- North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews — thehackernews.com — 21.01.2026 19:17
- DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies — thehackernews.com — 10.02.2026 19:44
- Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware — thehackernews.com — 26.02.2026 12:35
-
16.10.2025 17:56 1 articles · 8mo ago
UNC5342 adopts EtherHiding for Contagious Interview delivery
Technical Analysis UpdateGoogle Threat Intelligence Group attributed UNC5342, a North Korean threat cluster also tracked as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, and Void Dokkaebi, with using EtherHiding since February 2025 to distribute malware and enable cryptocurrency theft through BNB Smart Chain (BSC) or Ethereum smart contracts, alongside the Contagious Interview chain that uses npm packages, BeaverTail, JADESNOW, and InvisibleFerret against Windows, macOS, and Linux systems.
Show sources
- North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts — thehackernews.com — 16.10.2025 17:56