DEV#POPPER RAT

Contagious Interview ... approaches prospective targets and tricks them into executing malicious code from a fake repository as part of an assessment. Some of these efforts have used weaponized Node.js projects hosted on GitHub.

Contagious Interview ... tricks them into executing malicious code from a fake repository as part of an assessment.

A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist... The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.

MITRE ATT&CK # T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain

It can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems.

MITRE ATT&CK # T1059.007 — Command and Scripting Interpreter: JavaScript

The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.

The tasks.json catches developers using VS Code (triggering on folder open), while the injected JavaScript executes for anyone who builds or runs the project regardless of their IDE.

Contagious Interview ... tricks them into executing malicious code from a fake repository as part of an assessment.

MITRE ATT&CK # T1204.002 — User Execution: Malicious File

For persistence, it injects versioned code (markers: C250617A through C250620A) into developer applications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop) and creates a hidden .node_modules folder for Node.js module search order hijacking.

For persistence, it injects versioned code (markers: C250617A through C250620A) into developer applications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop)

The appended JavaScript is obfuscated and reconstructs its real behavior at runtime... A large whitespace gap hides the malicious payload after the legitimate Tailwind configuration, making it easy to miss in code review.

The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.

The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().

The RAT specifically detects and avoids CI/CD environments (e.g., GitLab CI, BuildBot) and cloud sandboxes, executing only on real developer workstations.

For persistence, it injects versioned code (markers: C250617A through C250620A) into developer applications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop) and creates a hidden .node_modules folder for Node.js module search order hijacking.

The RAT specifically detects and avoids CI/CD environments (e.g., GitLab CI, BuildBot) and cloud sandboxes, executing only on real developer workstations.

The backdoor communicates with its command-and-control (C&C) server via WebSocket (using socket.io-client). It uses HTTP for file uploads, directory exfiltration, and logging

MITRE ATT&CK # T1102.001 — Web Service: Dead Drop Resolver

MITRE ATT&CK # T1105 — Ingress Tool Transfer

It uses HTTP for file uploads, directory exfiltration, and logging, specifically through the ‘/verify-human/[VERSION]’ endpoint for heartbeat and notification, and ‘/u/f’ for data exfiltration.