VDB
GCVE-110-OSM-2026-668
GCVE-110-OSM-2026-668
Advisory PublishedCVSS 8.8/10
This GitHub repository is part of the latest version of the North Korean "Contagious Interview" threat campaign.
The "Contagious Interview" campaign leverages a sophisticated infection chain that begins when developers clone malicious GitHub repositories containing trojanized .vscode/tasks.json files that automatically execute upon opening the project in Visual Studio Code. These malicious task configurations abuse VSCode's trusted workspace automation features to silently execute obfuscated shell commands that fingerprint the victim's system, establish persistence through cron jobs or startup scripts, and download multi-stage payloads from attacker-controlled domains hosted on Vercel infrastructure. The initial execution triggers a cascade of malicious activity including the deployment of the BeaverTail infostealer (identified by unique flags like flag=301, flag=701) which exfiltrates browser credentials, cryptocurrency wallet data, and system information, followed by the Invisible Ferret Python-based backdoor that provides persistent remote access, keylogging capabilities, and the ability to execute arbitrary commands on the compromised developer workstation. The attack chain demonstrates advanced tradecraft through the use of legitimate developer tools and infrastructure (GitHub, VSCode, Vercel, NPM packages like react-svg-plugin) to evade detection, with command-and-control communications facilitated through dynamically generated domains and IP address validation checks (ip-api-check-nine[.]vercel[.]app, isvalid-region[.]vercel[.]app) that help attackers target specific geographic regions and avoid security researcher analysis.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | color-list | all (affected) | — |
| unknown | all (affected) | — |
Aliases
References
Malicious pypi package: color-list
advisory
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.