VDB

GCVE-110-OSM-2026-663

GCVE-110-OSM-2026-663
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 10, 2026
This GitHub repository is part of the latest version of the North Korean "Contagious Interview" threat campaign. The "Contagious Interview" campaign leverages a sophisticated infection chain that begins when developers clone malicious GitHub repositories containing trojanized .vscode/tasks.json files that automatically execute upon opening the project in Visual Studio Code. These malicious task configurations abuse VSCode's trusted workspace automation features to silently execute obfuscated shell commands that fingerprint the victim's system, establish persistence through cron jobs or startup scripts, and download multi-stage payloads from attacker-controlled domains hosted on Vercel infrastructure. The initial execution triggers a cascade of malicious activity including the deployment of the BeaverTail infostealer (identified by unique flags like flag=301, flag=701) which exfiltrates browser credentials, cryptocurrency wallet data, and system information, followed by the Invisible Ferret Python-based backdoor that provides persistent remote access, keylogging capabilities, and the ability to execute arbitrary commands on the compromised developer workstation. The attack chain demonstrates advanced tradecraft through the use of legitimate developer tools and infrastructure (GitHub, VSCode, Vercel, NPM packages like react-svg-plugin) to evade detection, with command-and-control communications facilitated through dynamically generated domains and IP address validation checks (ip-api-check-nine[.]vercel[.]app, isvalid-region[.]vercel[.]app) that help attackers target specific geographic regions and avoid security researcher analysis.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownanistreamall (affected)
unknownall (affected)

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›