New DPRK Contagious Interview Campaign: “Fake Font” Uses Malicious VSCode Fonts
Contents
New DPRK Contagious Interview Campaign: “Fake Font” Uses Malicious VSCode Fonts
North Korean Lazarus Group creates new version of Contagious Interview that uses VS Code tasks to lauch malware hiding in fake fonts
Paul McCarty
January 28, 2026
20 min read
fake-font
github
vscode
lazarus
supply-chain
contagious-interview
dprk
malware
north-korea
threat-intelligence
Fake Fonts deliver malware
The OpenSourceMalware research team has identified a new variation of the "Contagious Interview" campaign that uses malicious Microsoft VS Code tasks files to spread the associated malware. This campaign started over 100 days ago, but has ramped up dramatically in the last two weeks. So far we've identified 17 repositories that are involved, with 11 different variants of the attack chain.
TL;DR
North Korean threat actors (Lazarus Group) continue to target software engineers with sophisticated supply chain attacks through fake job interviews. The latest attack chain weaponizes the VS Code's task automation feature to execute JavaScript malware disguised as web fonts. This "Fake Font" campaign delivers a multi-stage loader that ultimately deploys the …
North Korean Lazarus Group creates new version of Contagious Interview that uses VS Code tasks to lauch malware hiding in fake fonts
Paul McCarty
January 28, 2026
20 min read
fake-font
github
vscode
lazarus
supply-chain
contagious-interview
dprk
malware
north-korea
threat-intelligence
Fake Fonts deliver malware
The OpenSourceMalware research team has identified a new variation of the "Contagious Interview" campaign that uses malicious Microsoft VS Code tasks files to spread the associated malware. This campaign started over 100 days ago, but has ramped up dramatically in the last two weeks. So far we've identified 17 repositories that are involved, with 11 different variants of the attack chain.
TL;DR
North Korean threat actors (Lazarus Group) continue to target software engineers with sophisticated supply chain attacks through fake job interviews. The latest attack chain weaponizes the VS Code's task automation feature to execute JavaScript malware disguised as web fonts. This "Fake Font" campaign delivers a multi-stage loader that ultimately deploys the …