惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
Project Zero
Project Zero
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Google DeepMind News
Google DeepMind News
P
Privacy & Cybersecurity Law Blog
T
Troy Hunt's Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
Hacker News: Ask HN
Hacker News: Ask HN
S
Security @ Cisco Blogs
C
Cisco Blogs
Help Net Security
Help Net Security
I
Intezer
W
WeLiveSecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
腾讯CDC
S
Secure Thoughts
MyScale Blog
MyScale Blog
Recorded Future
Recorded Future
G
GRAHAM CLULEY
L
LINUX DO - 热门话题
A
About on SuperTechFans
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
J
Java Code Geeks
The Hacker News
The Hacker News
阮一峰的网络日志
阮一峰的网络日志
Scott Helme
Scott Helme
Recent Announcements
Recent Announcements
AI
AI
Cisco Talos Blog
Cisco Talos Blog
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
C
Check Point Blog
Security Latest
Security Latest
S
SegmentFault 最新的问题
T
The Exploit Database - CXSecurity.com
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
M
MIT News - Artificial intelligence
T
The Blog of Author Tim Ferriss
Attack and Defense Labs
Attack and Defense Labs
PCI Perspectives
PCI Perspectives
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research

Jamf Blog

Jamf Nation Live 2026 London and Berlin: AI Governance and DDM 5 Mac Security Gaps Hiding in Your Apple Fleet Classroom Management Tools and Student Learning Outcomes Mobile forensics, minutes not weeks Turn Security Signals into Action with Jamf and Amplifier Security Strengthen Jamf Zero Trust Network Access With Dedicated Internet Gateway Jamf AI Assistant Now Available: Smarter Apple Device Management and Security MacBook Neo: The New Enterprise Entry Point for Mac at Scale Boost Employee Productivity in the Enterprise with Jamf Platform Authentication and Declarative Device Management: The Future of Apple Management Automation for Small IT Teams: Save Time Managing Macs What a lower-cost MacBook Neo means for education Where Apple Meets the Enterprise: Jamf’s Interoperability Advantage for Secure, Automated Access Control Simplify access, secure your apps: why SSO matters for K-12 Inside Predator’s kernel engine RSA Conference 2026 recap: AI security, enterprise mobile security and the shift to connected security platforms ClickFix technique uses Script Editor instead of Terminal on macOS Why Mac configurations fall out of sync — and how to fix them G2 names Jamf in its 2026 Best Software Awards across three categories Empowering Mac users: How Jamf Self Service+ reduces tier one support overhead for enterprise IT teams Privacy by default, flexible when required: introducing limited privacy in Jamf Safe Internet From arrival to discharge: how iOS is reimagining the healthcare journey Federated Identity Management for K-12 Education Identity and access management in K-12 schools OpenClaw: the helpful AI that could quietly become your biggest insider threat Get Started with Scripting Series: macOS Terminal, Scripting and Jamf Pro API Managing Apple devices at Black Hat Europe with Jamf Scaling device deployments without scaling your IT team How Predator spyware defeats iOS recording indicators Making Mac work in a PC world The hidden costs of manual device provisioning Mac management and security for lean IT teams Automated certificate management and device security integration The hidden risks in your mobile apps “Mac in 2026: Secure by Design Meets the Enterprise” webinar Jamf named a Unified Endpoint Management leader…again! Jamf recognized as a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Management Tools Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware 2026: what to expect in tech Retail runs on iOS: Let’s take a tour through Jamf’s booth at NRF 2026 From ClickFix to code signed: the quiet shift of MacSync Stealer malware Jamf After Dark: How WorkBrew solves Homebrew security and compliance for Mac developers Managing emerging technologies: A playbook for modern IT leaders How schools can maximize learning using Apple devices and Jamf Practical intelligence: why it matters for enterprise teams Jamf Connect Q&A Jamf After Dark October recap: platform progress, identity shifts and security insights Powering managed virtualization and Windows app delivery in Mac-first enterprises FlexibleFerret malware continues to strike Managing Jamf configuration with Terraform and GitOps workflows Back to security basics: phishing Introducing the Jamf 140 Course HIMSS 2026 recap Introducing Beacon by Jamf Threat Labs GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer Android and Jamf: manage and secure your mobile fleet Social engineering in K-12 for beginners Jamf Nation Live 2026: Hands-On Apple Expertise Across Six Cities Developer Mode-as-a-Defense: How iOS Security Features Deter Nation-State Spyware Stop chasing passwords: how school IT can reduce reset tickets Bring Your Own Key (BYOK): Take Control of Your Encryption in Jamf Cloud DarkSword iOS Exploit Kit: 3 Lessons for Mobile Security Threat Labs Jamf Training Celebrates 20 Years of Apple IT Education and Certification Balancing Safety and Learning: K-12 Content Filtering for IT Admins Why Mac security updates take too long and how to fix it Why the Jamf platform is the natural foundation for MSPs Jamf After Dark: mobile forensics Introducing the redesigned Mac threat prevention. Now available in beta.  Beyond access: rethinking the complete Apple deployment strategy for education Gain faster updates and real-time fleet visibility with DDM What the Canvas breach tells us about the state of education security Why K-12 students need web filtering that travels with their devices Jamf spotlighted in Okta Businesses at Work 2026 Report Jamf Nation Live 2026 recap MobiDash internals: ghost clicks and SSH tunnels in commercial adware Tech Partner Spotlight: Jamf + SmallStep MacBook Neo in K-12 Closing the gaps: How Jamf protects macOS and iOS with real-time threat prevention MSP engineering: The art of scoping in Jamf Pro at scale Mac in education is evolving. Jamf School makes it simple Why Apple devices deserve security built for them Seamless Learning Access: Simplicity that puts learning first Reducing IT firefighting: Fewer failed updates, less manual cleanup Apple WWDC26: Keynote recap How Jamf helps maximize your Microsoft investments MTE as a microscope WWDC26: Key takeaways for education institutions WWDC26: Key takeaways for Apple admins The JNUC 2026 session catalog is live — and the clock is ticking Jamf After Dark: Why we moved 1,900+ Apple devices back to Jamf AI governance for Mac: bringing AI under management AI Adoption Is High, Governance Is Lagging Klue Third-Party Cybersecurity Incident How Identity Automation, Claris, and Jamf Simplify Apple Workflows for Education What Is AI Governance? How Proactive Device Status Reporting Transforms Mac Fleet Visibility AI Governance on Mac: A Practical Guide for IT and Security Teams Restaurants Run on iOS: Jamf and IPORT at the NRA Show AI Governance on Mac: A Practical Guide for IT and Security Teams PamStealer: macOS Malware Posing as Clipboard Manager App
Threat Actors Expand Abuse of Microsoft Visual Studio Code
Jamf Threat Labs · 2026-04-11 · via Jamf Blog

Jamf Threat Labs identifies additional abuse of Visual Studio Code. See the latest evolution in the Contagious Interview campaign.

A developer working on a laptop with a Jamf security prompt overlay asking, 'Do you trust the authors of the files in this folder?

By Thijs Xhaflaire

Introduction

At the end of last year, Jamf Threat Labs published research related to the Contagious Interview campaign, which has been attributed to a threat actor operating on behalf of North Korea (DPRK). Around the same time, researchers from OpenSourceMalware (OSM) released additional findings that highlighted an evolution in the techniques used during earlier stages of the campaign.

Specifically, these newer observations highlight an additional delivery technique alongside the previously documented ClickFix-based techniques. In these cases, the infection chain abuses Microsoft Visual Studio Code task configuration files, allowing malicious payloads to be executed on the victim system.

Following the discovery of this technique, both Jamf Threat Labs and OSM continued to closely monitor activity associated with the campaign. In December, Jamf Threat Labs identified additional abuse of Visual Studio Code tasks.json configuration files. This included the introduction of dictionary files containing heavily obfuscated JavaScript, which is executed when a victim opens a malicious repository in Visual Studio Code.

Jamf Threat Labs shared these findings with OSM, who subsequently published a more in-depth technical analysis of the obfuscated JavaScript and its execution flow.

Earlier this week, Jamf Threat Labs identified another evolution in the campaign, uncovering a previously undocumented infection method. This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system.

At a high level, the chain of events for the malware look like so:

Throughout this blog post we will shed light on each of these steps.

Initial Infection

In this campaign, infection begins when a victim clones and opens a malicious Git repository, often under the pretext of a recruitment process or technical assignment. The repositories identified in this activity are hosted on either GitHub or GitLab and are opened using Visual Studio Code.

When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.

On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output.

In observed cases, the JavaScript payload is hosted on vercel.app, a platform that has been increasingly used in recent DPRK-related activity following a move away from other hosting services, as previously documented by OpenSourceMalware.

Jamf Threat Labs reported the identified malicious repository to GitHub, after which the repository was removed. While monitoring the activity prior to takedown, we observed the URL referenced within the repository change on multiple occasions. Notably, one of these changes occurred after the previously referenced payload hosting infrastructure was taken down by Vercel.

The JavaScript Payload

Once execution begins, the JavaScript payload implements the core backdoor logic observed in this activity. While the payload appears lengthy, a significant portion of the code consists of unused functions, redundant logic, and extraneous text that is never invoked during execution (SHA256: 932a67816b10a34d05a2621836cdf7fbf0628bbfdf66ae605c5f23455de1e0bc). This additional code increases the size and complexity of the script without impacting its observed behavior. It is passed to the node executable as one large argument.

Focusing on the functional components, the payload establishes a persistent execution loop that collects basic host information and communicates with a remote command-and-control (C2) server. Hard-coded identifiers are used to track individual infections and manage tasks from the server.

Core backdoor functionality

While the JavaScript payload contains a significant amount of unused code, the backdoor's core functionality is implemented through a small number of routines. These routines provide remote code execution, system fingerprinting, and persistent C2 communication.

Remote code execution capability

The payload includes a function that enables the execution of arbitrary JavaScript while the backdoor is active. At its core, this is the main functionality of this backdoor.

This function allows JavaScript code supplied as a string to be dynamically executed over the course of the backdoor lifecycle. By passing the requirefunction into the execution context, attacker-supplied code can import additional Node.js modules allowing additional arbitrary node functions to be executed.

System fingerprinting and reconnaissance

To profile the infected system, the backdoor collects a small set of host-level identifiers:

This routine gathers the system hostname, MAC addresses from available network interfaces, and basic operating system details. These values provide a stable fingerprint that can be used to uniquely identify infected hosts and associate them with a specific campaign or operator session.

In addition to local host identifiers, the backdoor attempts to determine the victim’s public-facing IP address by querying the external service ipify.org, a technique that has also been observed in prior DPRK-linked campaigns.

Command-and-control beaconing and task execution

Persistent communication with the C2 server is implemented through a polling routine that periodically sends host information and processes server responses. The beaconing logic is handled by the following function:

This function periodically sends system fingerprinting data to a remote server and waits for a response. The beacon executes every five seconds, providing frequent interaction opportunities.

The server response indicates successful connectivity and allows the backdoor to maintain an active session while awaiting tasking.

If the server response contains a specific status value, the contents of the response message are passed directly to the remote code execution routine, mentioned prior.

Further Execution and Instructions

While monitoring a compromised system, Jamf Threat Labs observed further JavaScript instructions being executed roughly eight minutes after the initial infection. The retrieved JavaScript went on to set up a very similar payload to the same C2 infrustructure.

Review of this retrieved payload yields a few interesting details...

  1. It beacons to the C2 server every 5 seconds, providing its system details and asks for further JavaScript instructions.
  2. It executes that additional JavaScript within a child process.
  3. It's capable of shutting itself and child processes down and cleaning up if asked to do so by the attacker.
  4. It has inline comments and phrasing that appear to be consistent with AI-assisted code generation.

Conclusion

This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows. The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools.

Jamf Threat Labs will continue to track these developments as threat actors refine their tactics and explore new ways to deliver macOS malware. We strongly recommend that customers ensure Threat Prevention and Advanced Threat Controls are enabled and set to block mode in Jamf for Mac to remain protected against the techniques described in this research.

Developers should remain cautious when interacting with third-party repositories, especially those shared directly or originating from unfamiliar sources. Before marking a repository as trusted in Visual Studio Code, it’s important to review its contents. Similarly, "npm install" should only be run on projects that have been vetted, with particular attention paid to package.json files, install scripts, and task configuration files to help avoid unintentionally executing malicious code.

Indicators or Compromise

Dive into more Jamf Threat Labs research on our blog.