Abstract’s threat research team (ASTRO) just published original research documenting fresh evolutions in the Contagious Interview campaign, a North Korea-linked operation (broadly attributed to Lazarus Group) which targets software developers, specifically those in DeFi and crypto industries.
This is a follow-up to ASTRO’s prior reporting on IDE task auto-execution abuse in January, and it captures attacker behavior changes observed in the last 1–2 weeks that have not yet appeared in public write-ups.
Three specific evolutions ASTRO is breaking:
- URL shorteners as Vercel obfuscation. Actors are now routing malicious payloads through short[.]gy shortened URLs that resolve to the same Vercel infrastructure previously reported. The change suggests deliberate fingerprint reduction in response to prior public reporting — a direct reaction to defenders and researchers (including ASTRO’s earlier work).
- GitHub Gists with convincing NVIDIA/CUDA impersonation. Payloads are now being staged on GitHub Gists under a username (cuda-toolkit) and filenames (cuda_toolkit_sim_v12.4.ps1, metal_pytorch_sim_v2.3.0.sh) designed to mimic legitimate NVIDIA software. The gists were live briefly and then deleted — a rapid deploy-and-destroy pattern that makes detection harder and timeliness of publication critical.
- Google Drive payload delivery with a confirm= fallback bypass. A malicious NPM package (eslint-validator) pulls its payload from Google Drive, with code that specifically handles Google’s virus-scan warning interstitial by falling back to a drive.usercontent.google.com endpoint with a confirm=t parameter. This is a novel and practical bypass technique with direct defensive detection value.
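The three delivery patterns above (a Google Drive fetch that falls back to drive.usercontent.google.com with confirm=t, short.gy links fronting Vercel hosts, and auto-executing npm lifecycle hooks or IDE tasks) can be triaged statically before a package or repository is ever installed or opened. The script below is an added example written for this post; it is not ASTRO's or Abstract Security's code. The host names and the confirm=t parameter come from the report, while the exact regexes, the rule names, the severity logic and the constructed sample package (with FILE_ID_PLACEHOLDER in place of a real Drive id) are this example's own assumptions.

```python
"""Static triage of a package or repo checkout for the delivery patterns
described in the ASTRO report. Added example; regexes are assumptions."""
import json
import re
from dataclasses import dataclass

# Indicator patterns. Only the host names and the confirm=t parameter are
# taken from the report; the regexes themselves are this example's guess.
RULES = {
    "gdrive_confirm_fallback": re.compile(
        r"drive\.usercontent\.google\.com/[^\s'\"]*confirm=t", re.I),
    "gdrive_download": re.compile(
        r"drive\.google\.com/uc\?[^\s'\"]*export=download", re.I),
    "shortgy_link": re.compile(r"https?://short\.gy/[^\s'\"]+", re.I),
    "vercel_host": re.compile(r"https?://[\w.-]+\.vercel\.app", re.I),
}
# Script hooks that npm runs automatically during install.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int      # 0 for findings derived from parsed JSON rather than a line
    snippet: str


def scan_text(path: str, text: str) -> list:
    """Match every indicator regex against each line of a source file."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                out.append(Finding(rule, path, lineno, line.strip()[:120]))
    return out


def scan_package_json(path: str, text: str) -> list:
    """Flag npm lifecycle hooks, which run code without user interaction."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    scripts = data.get("scripts", {}) or {}
    return [Finding("npm_lifecycle_hook", path, 0, f"{h}: {scripts[h]}")
            for h in NPM_HOOKS if h in scripts]


def scan_tasks_json(path: str, text: str) -> list:
    """Flag VS Code / Cursor tasks configured to run when the folder opens.
    Real tasks.json files may contain comments (JSONC); strip them first."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    try:
        data = json.loads(stripped)
    except json.JSONDecodeError:
        return []
    out = []
    for task in data.get("tasks", []) or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            out.append(Finding("task_auto_run_folder_open", path, 0,
                               task.get("label", "<unlabelled>")))
    return out


def scan_package(files: dict) -> list:
    """files maps relative path -> file contents (e.g. an unpacked tarball)."""
    findings = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base == "package.json":
            findings += scan_package_json(path, text)
        elif base == "tasks.json" and ".vscode/" in path:
            findings += scan_tasks_json(path, text)
        findings += scan_text(path, text)
    return findings


def verdict(findings: list) -> str:
    """Escalate when an auto-run hook and a remote fetch indicator co-occur."""
    rules = {f.rule for f in findings}
    auto = rules & {"npm_lifecycle_hook", "task_auto_run_folder_open"}
    fetch = rules & set(RULES)
    if auto and fetch:
        return "high"
    if fetch:
        return "medium"
    if auto:
        return "low"
    return "none"


# Constructed sample package (not a real artifact): only the URL handling is
# shown in setup.js; the download/execution logic is deliberately omitted.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "constructed-sample-package", "version": "0.0.0",
        "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": (
        '// constructed sample\n'
        'const primary = "https://drive.google.com/uc?export=download&id=FILE_ID_PLACEHOLDER";\n'
        'const fallback = "https://drive.usercontent.google.com/download?'
        'id=FILE_ID_PLACEHOLDER&export=download&confirm=t";\n'),
    ".vscode/tasks.json": json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "build", "type": "shell", "command": "node setup.js",
                   "runOptions": {"runOn": "folderOpen"}}]}),
}

if __name__ == "__main__":
    hits = scan_package(SAMPLE_PACKAGE)
    for h in hits:
        print(f"[{h.rule}] {h.path}:{h.line} {h.snippet}")
    print("verdict:", verdict(hits))
```

Run it against an unpacked npm tarball or a cloned interview "assignment" repository by building the files dict from disk; the verdict is deliberately conservative (a Drive URL alone is only medium) so the combination of an auto-run trigger and a remote fetch is what surfaces as high.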
The report includes GitHub search queries defenders can run right now, full indicator lists, and a preview of Part 2 covering the recovered Gist payload chains.
You can read the research here: Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains – Part 1 | Abstract Security
This entry was posted on February 25, 2026 at 9:05 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
DPRK Research from Abstract’s ASTRO team: Contagious Interview: Evolution of VSCode and Cursor Tasks Infection Chains (Part 1)