Saved February 14, 2026
Do you care about this?
North Korean hackers are using malicious Microsoft Visual Studio Code projects to deliver a backdoor that allows remote code execution. By tricking victims into cloning Git repositories and opening them in VS Code, the attackers abuse VS Code task configuration files to run harmful JavaScript payloads. This ongoing campaign targets software engineers, particularly in the cryptocurrency and fintech sectors.
If you do, here's more
North Korean hackers linked to the Contagious Interview campaign have adopted a new tactic, using malicious Microsoft Visual Studio Code (VS Code) projects to deploy backdoors on compromised systems. The attack begins with a potential victim cloning a Git repository and opening it in VS Code, where a task configuration file executes malicious payloads hosted on Vercel domains. This method was first identified in December 2025, and the attackers have since refined their approach, disguising malware as harmless spell-check dictionaries to evade detection.
Once activated, the malware establishes a persistent connection to a remote server, allowing remote code execution and system fingerprinting. In one instance, the malware communicated with the server every five seconds and could erase traces of its own activity. The campaign specifically targets software engineers in the cryptocurrency and fintech sectors because of their access to sensitive information and resources. This continual evolution in tactics shows the attackers' focus on raising the success rate of their operations as they experiment with multiple delivery methods.
Jamf Threat Labs reported that the malware's behavior has shifted rapidly, with indications that some components may have been generated using AI tools. They advise developers to be cautious when interacting with third-party repositories, especially those from unknown sources, and to scrutinize the source code before executing it in VS Code. The ongoing adaptation of these threat actors reflects a sophisticated understanding of legitimate developer workflows, making vigilance in software development environments even more critical.
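A defender-side check for the delivery mechanism described above, added here as an example and not code from the article or from Jamf Threat Labs: it parses a cloned repository's .vscode/tasks.json (VS Code's task configuration file; the file name is VS Code's convention, not something the article states) and lists every task configured to run automatically when the folder is opened, together with the traits that deserve a review before the project is trusted. The sample file and its URL are constructed placeholders, not indicators from the campaign.

```python
import json
import re

# Constructed sample in the shape VS Code reads from .vscode/tasks.json (JSON with comments
# and trailing commas). The URL is a placeholder, not an indicator from the article.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0", // required by VS Code
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "/* constructed placeholder for a loader fetching https://PLACEHOLDER.vercel.app/x.js */"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" },
    },
    { "label": "build", "type": "npm", "script": "build", "runOptions": { "runOn": "folderOpen" } },
  ]
}'''

INTERPRETERS = {"node", "npx", "sh", "bash", "zsh", "powershell", "pwsh", "cmd", "curl", "wget", "python", "python3"}

# Alternation order matters: string literals are matched first and kept, so comments and
# trailing commas are only removed outside strings (the "//" inside a URL survives).
_JSONC_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def strip_jsonc(text: str) -> str:
    """Turn tasks.json (JSON with comments and trailing commas) into strict JSON for json.loads."""
    return _JSONC_NOISE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def folder_open_tasks(tasks_json: str) -> list[dict]:
    """List every task VS Code would run on folder open, with the traits that make it worth a look."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        reasons = ["runs automatically on folder open"]
        if re.search(r"https?://", json.dumps(task)):  # catches URLs in args (string or object form), env, options
            reasons.append("references a remote URL")
        cmd = task.get("command")
        cmd = cmd.get("value") if isinstance(cmd, dict) else cmd  # command may be {"value": ..., "quoting": ...}
        if isinstance(cmd, str) and cmd.replace("\\", "/").split("/")[-1].lower() in INTERPRETERS:
            reasons.append("invokes an interpreter or downloader")
        if (task.get("presentation") or {}).get("reveal") in ("silent", "never"):
            reasons.append("hides its terminal output")
        findings.append({"label": task.get("label", "<unnamed>"), "reasons": reasons})
    return findings
```

Run `folder_open_tasks(open(".vscode/tasks.json").read())` against a freshly cloned repository; any task listed should be read before the folder is opened in VS Code, since opening it is what triggers the task.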