New DPRK Malware Uses Microsoft VSCode Dictionary Files
North Korean threat actors are hiding multi-stage malware droppers in VSCode configuration files, disguised as spell-check dictionaries, to compromise developers through fake job interviews and establish persistent backdoors with remote code execution capabilities.
Paul McCarty
December 23, 2025
Tags: npm, lazarus, supply-chain, contagious-interview, dprk, malware, north-korea, threat-intelligence
Malicious Dictionary
The OpenSourceMalware team has identified a new variation of the “Contagious-Interview” campaign. It is similar to the one we reported on in mid-December, but is more portable because the second-stage payload is embedded in a file in the source repository. Both of these latest campaigns take advantage of Microsoft VSCode's tasks functionality to automatically infect developers who open the source code in VSCode. A tasks.json file included in the source code repository is the initial infection vector.
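Since tasks.json is named above as the initial infection vector, here is an added example (not code from the original article or from the OpenSourceMalware team) of a pre-open check that lists every task a repository's `.vscode/tasks.json` marks to start on folder open. It assumes the automatic trigger is VSCode's `runOptions.runOn: "folderOpen"` setting, which the page does not show; the function names are hypothetical and the sample file is constructed with harmless commands.

```python
import json
import re
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING_COMMAS = re.compile(_STR + r"|,(?=\s*[}\]])")

def _strip(pattern, text):
    # String literals match first, so "//" inside a command string survives.
    return pattern.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_jsonc(text):
    """Parse tasks.json content, which may hold comments and trailing commas."""
    return json.loads(_strip(_TRAILING_COMMAS, _strip(_COMMENTS, text)))

def auto_run_tasks(doc):
    """Return one finding per task configured to run when the folder is opened."""
    findings = []
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    for task in (t for t in tasks if isinstance(t, dict)):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        # Per-OS blocks can override the top-level command, so collect them all.
        scopes = [task] + [task[k] for k in ("windows", "osx", "linux") if k in task]
        commands = [str(s["command"]) for s in scopes if isinstance(s, dict) and "command" in s]
        hidden = (task.get("presentation") or {}).get("reveal") in ("never", "silent")
        findings.append({"label": task.get("label"), "commands": commands, "hidden": hidden})
    return findings

def scan_repo(root):
    """Map each .vscode/tasks.json under root to its auto-run findings."""
    results = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (ValueError, OSError) as exc:  # unreadable or malformed: surface it
            hits = [{"label": None, "commands": [], "hidden": False, "error": str(exc)}]
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample with harmless commands, not taken from the campaign.
SAMPLE = """{ "version": "2.0.0", /* constructed example */ "tasks": [
    {"label": "build", "command": "npm run build"},
    {"label": "setup", "command": "echo https://example.invalid",
     "windows": {"command": "echo windows-variant"}, "presentation": {"reveal": "never"},
     "runOptions": {"runOn": "folderOpen"},},
  ]}"""
```

Run `scan_repo` against a fresh clone before opening it in VSCode and review every reported command by hand; a task that also hides its terminal (`hidden: True`) deserves the closest look.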
Executive Summary
North Korean APT actors are hiding sophisticated multi-stage droppers in Visual Studio Code configuration files, specifically targeting developers through the ongoing "Contagious Interview" campaign. The malware …