
North Korea is doubling down on a familiar playbook by weaponizing trust in open-source software and developer workflows. The latest campaign builds on techniques seen in previous DPRK-linked fake-recruiter and supply-chain attacks, but shifts focus to VS Code automation and disguised font files.
- North Korea's "Fake Font" campaign uses malicious configuration files in VS Code to automatically execute hidden malware when developers open infected GitHub repositories.
- Attackers pose as cryptocurrency recruiters on LinkedIn, sending targets to seemingly legitimate GitHub repositories that contain hidden malware.
- The final payload steals credentials from multiple crypto wallets and can log keystrokes and hijack cryptocurrency addresses across Windows, macOS, and Linux.
Detailed by OpenSourceMalware, the operation is a new variant of the long-running “Contagious Interview” campaign, which hides malware deep inside seemingly legitimate GitHub repositories and abuses Microsoft Visual Studio Code to execute it when developers open infected projects.
Dubbed the “Fake Font” campaign, this iteration uses malicious .vscode/tasks.json configurations to trigger JavaScript payloads disguised as web font files (.woff2) whenever a target opens a repository in VS Code. The technique allows the malware to run silently and deliver a multi-stage infection chain culminating in a persistent backdoor known as InvisibleFerret.
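As an added example (not code from the article or from OpenSourceMalware), the following Python script checks a cloned repository's .vscode/tasks.json for the pattern described above: a task set to run automatically when the folder opens, with its terminal output hidden, and an interpreter pointed at a file carrying a font or other non-script extension. The two embedded tasks.json samples are constructed for illustration, and the interpreter and extension lists are the author's own assumptions rather than an official indicator list.

```python
"""Heuristic scan of a VS Code tasks.json for auto-run tasks that execute non-script files.

Added defensive example; the sample configurations below are constructed, not real repositories.
"""
import json
import re
import sys
from pathlib import Path

# Assumed lists: interpreters that can execute arbitrary code, and file extensions
# a legitimate task has no reason to hand to such an interpreter.
INTERPRETERS = {"node", "python", "python3", "sh", "bash", "zsh", "powershell", "pwsh", "cmd"}
NON_SCRIPT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".png", ".jpg", ".svg", ".css", ".ico")


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments (tasks.json is JSON-with-comments), leaving string contents intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped characters, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):           # line comment: skip to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif text.startswith("/*", i):           # block comment: skip to closing */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def strip_trailing_commas(text: str) -> str:
    """VS Code tolerates trailing commas; json.loads does not."""
    return re.sub(r",(\s*[}\]])", r"\1", text)


def task_tokens(task: dict) -> list:
    """Flatten a task's command and args into tokens (both may be strings or {"value": ...} objects)."""
    tokens = []
    for item in [task.get("command")] + list(task.get("args") or []):
        if isinstance(item, dict):
            item = item.get("value")
        if isinstance(item, str):
            tokens.extend(t.strip("\"'") for t in item.split())
    return tokens


def analyse_tasks(tasks_json_text: str) -> list:
    """Return one finding per task that matches any of the heuristics."""
    data = json.loads(strip_trailing_commas(strip_jsonc_comments(tasks_json_text)))
    findings = []
    for task in data.get("tasks", []):
        reasons = []
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            reasons.append("runs automatically on folderOpen")
        reveal = (task.get("presentation") or {}).get("reveal")
        if reveal in ("silent", "never"):
            reasons.append(f"terminal output hidden (reveal={reveal})")
        tokens = task_tokens(task)
        interp = [t for t in tokens if Path(t).name.lower().removesuffix(".exe") in INTERPRETERS]
        odd = [t for t in tokens if t.lower().endswith(NON_SCRIPT_EXTENSIONS)]
        if interp and odd:
            reasons.append(f"{interp[0]} invoked on non-script file(s): {', '.join(odd)}")
        if reasons:
            severity = "high" if run_on == "folderOpen" and len(reasons) > 1 else "medium"
            findings.append({"label": task.get("label", "<unnamed>"), "severity": severity, "reasons": reasons})
    return findings


def scan_repo(repo_dir: str) -> list:
    """Scan <repo_dir>/.vscode/tasks.json; an absent file yields no findings."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    return analyse_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []


# Constructed sample: an ordinary build task, expected to produce no findings.
BENIGN_TASKS = """{
  // constructed benign example
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm", "args": ["run", "build"], "group": "build" }
  ]
}"""

# Constructed sample of the pattern the article describes: an auto-run, silent task
# that points node at a file named like a web font. No payload is included.
SUSPICIOUS_TASKS = """{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",            // innocuous-looking label
      "type": "shell",
      "command": "node",
      "args": ["public/fonts/roboto.woff2"],      /* constructed: JS disguised as a font */
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" },
    },
  ]
}"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_repo(sys.argv[1])
    else:
        results = analyse_tasks(BENIGN_TASKS) + analyse_tasks(SUSPICIOUS_TASKS)
    for f in results:
        print(f"[{f['severity']}] task '{f['label']}': " + "; ".join(f["reasons"]))
```

Run it against a fresh clone before opening the folder in VS Code (`python scan_tasks.py /path/to/clone`). It is a heuristic only: a task that downloads and runs code at build time, or a payload reached through package.json scripts rather than tasks.json, will not trip it. Opening unfamiliar repositories in VS Code's Workspace Trust restricted mode, which blocks task execution until the folder is explicitly trusted, remains the primary control; the script is a second, scriptable check for the specific pattern this campaign uses.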
From fake recruiters to weaponized repositories
The campaign begins with social engineering: attackers pose as recruiters from cryptocurrency or fintech firms on platforms like LinkedIn and lure engineers with enticing job assessments.
Targets are sent links to GitHub repositories that appear to be legitimate web applications, complete with a React frontend, Node.js backend, and proper README files. Behind the scenes, however, hidden task automation scripts execute obfuscated malicious JavaScript the moment the project is opened.
Once launched, the malware uses a multi-stage loader to establish persistence across Windows, macOS, and Linux.
The final payload, InvisibleFerret, is a Python-based backdoor that can steal credentials from more than a dozen crypto wallet extensions, including MetaMask, Phantom, and Coinbase Wallet, as well as harvest browser credentials, log keystrokes, and hijack cryptocurrency addresses in the clipboard.
Security researchers warn that this new Fake Font campaign intensifies a broader assault on the developer community that has been going on for years. Unlike traditional intrusion methods that rely on software vulnerabilities, this campaign weaponizes developer trust in open-source repositories and legitimate tools like Visual Studio Code.
An escalation of earlier DPRK campaigns
This is not the first time that North Korean threat actors have targeted developers and software ecosystems. Earlier in 2025, we reported how the Lazarus Group was embedding infostealer and backdoor malware into malicious npm packages, targeting developer environments for credential theft and persistent access.
Similarly, North Korean hackers have previously used fake recruiter lures and malicious GitHub repositories as part of social-engineering campaigns that spread malware to job seekers and developers alike. In September 2024, we documented efforts in which bogus coding assessments hosted on GitHub delivered obfuscated Python malware when developers ran the provided code.
Threat actors have also posed as recruiters in the past, often with the explicit goal of stealing crypto assets.
Cybersecurity experts say the Fake Font campaign demonstrates a worrying evolution of these tactics. By leveraging features built into development tools, such as VS Code’s task automation, attackers can bypass many traditional detection controls and make malicious actions appear routine to unsuspecting developers.
They urge developers to exercise extreme caution when cloning third-party repositories and to scrutinize incoming job interview requests that include technical assessments hosted online. Analysts recommend reviewing configuration files closely and not trusting unknown codebases without manually inspecting them.
As open-source workflows continue to be an integral part of global software development, campaigns like Fake Font show how easily trusted environments can become entry points for sophisticated supply-chain abuse.