North Korea’s Contagious Interview hackers have long employed a deceptive strategy, masquerading as recruiters to ensnare unsuspecting developers into executing malware. However, a recent revelation from Elastic Security Labs highlights a novel approach that raises significant concerns for developers who engage in online coding challenges. The attackers ingeniously embedded their malicious payload within the HTML comment blocks of SVG files representing national flags, fragmenting the code across numerous seemingly innocuous images. This technique allowed the malware to be automatically reassembled and executed upon each server startup, eluding detection by antivirus software.
At the time of Elastic’s findings, no antivirus engine had flagged any of the compromised repositories, revealing a critical vulnerability in existing security measures. Conventional antivirus tools are designed to detect pixel-level manipulations but lack the capability to analyze the semantic content within SVG comment blocks—a gap that the North Korean operators exploited. Internally tracked as REF9403, this campaign is the latest iteration of the ongoing Contagious Interview operation, which CrowdStrike recently reported accounted for a staggering 47% of all state-sponsored interactive intrusions against the tech sector in the year leading up to March 2026.
A Fake Job Offer That Targeted Elastic’s Own Developers
The breach came to light when a user named “Maxwell” posted a job offer in Elastic’s #jobs Slack channel on May 26, 2026. Claiming to be enhancing an e-commerce platform, Maxwell sought a developer proficient in Next.js, NestJS, PostgreSQL, and Auth.js. Respondents were directed to a trojanized GitHub repository disguised as a coding challenge. This repository was not merely a façade; it was a fully functional e-commerce project, cloned from a legitimate open-source template known as GoCart, making it indistinguishable from genuine job offers.
Elastic researchers subsequently identified a cluster of related trojanized repositories, including next-ecommerce-private-main.zip, shopping-platform-main.zip, and others, all employing the same underlying technique. Alarmingly, each repository had zero antivirus detections at the time of Elastic’s report, indicating that any developer community forum could be a potential target.
Why Antivirus Missed It: SVG Comment-Block Steganography
The absence of detection was not coincidental but rather a result of architectural limitations. Traditional antivirus tools focus on identifying statistical anomalies in pixel data, such as modifications to color values that suggest hidden information. In contrast, the REF9403 technique cleverly avoided pixel manipulation altogether. The malicious payload was divided into Base64-encoded fragments and embedded within HTML comment blocks of SVG files, distributed across the project’s assets/flags/ directory. When rendered, files like AE.svg and AF.svg appeared entirely normal, concealing the injected comment blocks that contained the encoded data.
A JavaScript file named serverValidation.js was responsible for reconstructing the payload by sequentially reading all SVG files, extracting the comment content, and concatenating the fragments into a complete Base64 string. This string was then decoded using a custom function designed to evade detection by standard JavaScript decoding methods. The malware executed automatically at server startup, compromising any developer who merely attempted to evaluate the project. To date, this specific infection chain had not been documented in the history of the Contagious Interview operation.
What the Malware Does in Four Stages
Upon execution, the malware deployed four modules simultaneously, masquerading as npm-cache processes to blend seamlessly into developer task managers.
- Stage 1 — Browser Credential and Cryptocurrency Wallet Stealer: This module targeted saved credentials and local extension storage across various browsers, prioritizing a hard-coded list of 25 specific wallet extensions.
- Stage 2 — File Stealer: The second module scanned the victim’s filesystem for sensitive files, including AWS and Azure credentials, and exfiltrated them unencrypted.
- Stage 3 — Socket.IO Remote Access Trojan: Establishing a persistent command-and-control channel, this module allowed operators to issue arbitrary shell commands and receive real-time output.
- Stage 4 — Clipboard Monitor and Windows Dropper: This final stage monitored the clipboard for sensitive data and downloaded additional binaries, further compromising the system.
Why This Is Attributed to North Korea’s Contagious Interview
Elastic’s attribution to North Korea rests on several independent technical indicators. The main JavaScript payload shares similarities with OTTERCOOKIE, a malware family previously documented by NTT Security Holdings. The observed API endpoints align with infrastructure linked to the same cluster by JFrog Security researchers. Contagious Interview, first documented by Palo Alto Networks Unit 42 in late 2023, is understood to be a financially motivated subset of North Korea’s Lazarus Group, with the objective of generating hard currency through cryptocurrency theft.
Contagious Interview’s Escalating Supply Chain Threat
The REF9403 campaign exemplifies a sophisticated blend of social engineering and automated technical delivery. A related sub-campaign, PolinRider, has compromised numerous legitimate package maintainer accounts, distributing infected versions across multiple ecosystems. This evolution indicates that Contagious Interview has become genuinely multi-modal, capable of reaching developers through both direct engagement and routine dependency updates from compromised sources.
What Developers and Security Teams Should Do Now
In light of these developments, Elastic has published detection rules and a comprehensive list of SHA-256 hashes for the confirmed trojanized repositories. Developers are advised to:
- Refrain from running repositories received via unsolicited messages without conducting a thorough audit.
- Audit any projects that may have been run from such sources, particularly looking for the identified repository names and suspicious files.
- Block or monitor the
rightwidth[.]devdomain cluster at network perimeters. - Review and rotate all credentials if any suspicious projects have been executed.
For security teams, it is recommended to enforce linting rules that restrict the use of eval() in server-side JavaScript and to scrutinize static asset directories with the same diligence as source files.
Frequently Asked Questions
Why didn’t antivirus software catch the malware in these repositories?
The malware was concealed within HTML comment blocks in SVG files, which antivirus tools are not equipped to analyze. This architectural choice allowed the fragments to evade detection.
How can I tell if I ran one of the malicious repositories from this campaign?
Check for the confirmed repository filenames and the presence of serverValidation.js. If found, treat the machine as compromised and rotate all credentials.
What is the Contagious Interview campaign, and who is behind it?
Contagious Interview is a North Korean state-sponsored cyber operation targeting software developers for cryptocurrency theft, attributed to the Lazarus Group.
Does running npm v12 protect against this type of attack?
No, npm v12 does not prevent REF9403 specifically, as the payload executes at server startup rather than during installation. Manual code review and network-level blocking are essential defenses.