Contagious Interview Malware Targets Developers

Introduction

Microsoft’s latest threat research highlights a growing risk for organizations that employ software developers: attackers are now abusing the hiring process itself as an initial access vector. The Contagious Interview campaign shows how technical interviews, coding challenges, and recruiter outreach can be weaponized to compromise developer endpoints that often have access to source code, CI/CD pipelines, cloud environments, and privileged secrets.

What’s new

Microsoft says the campaign has been active since at least December 2022 and is still being detected in customer environments. The operation primarily targets developers at enterprise solution providers and media and communications firms.

Key tactics observed include:

• Fake recruiter outreach impersonating cryptocurrency or AI firms
• Malicious code repositories hosted on GitHub, GitLab, or Bitbucket
• Trojanized NPM packages used as part of take-home assessments or coding tests
• Visual Studio Code task abuse, where trusting a repository author can trigger malicious task configuration files
• Paste-and-run commands presented as fixes for staged technical issues on fake interview sites

Microsoft also observed several payloads and backdoors associated with the campaign:

• Invisible Ferret: a Python-based backdoor used for remote command execution, reconnaissance, and persistence
• FlexibleFerret: a modular backdoor available in Go and Python variants, supporting encrypted C2, plugin loading, exfiltration, persistence, and lateral movement

Why this matters to IT admins

This campaign is notable because it targets users during a high-trust, high-pressure business process. Developers are more likely to execute code, install dependencies, or trust repositories when they believe they are participating in a legitimate interview.

For defenders, the risk is significant:

• Developer machines often store API keys, cloud credentials, signing certificates, and password manager data
• Compromised endpoints can lead to source code theft, pipeline compromise, or broader cloud access
• Attackers are relying on legitimate tooling and workflows, making detection harder than traditional malware delivery methods

Recommended next steps

Organizations should treat recruitment workflows as part of their attack surface.

Immediate actions

• Require coding tests and take-home assignments to be completed in isolated, non-persistent environments such as disposable VMs
• Prohibit running recruiter-provided code on primary corporate workstations
• Review any external repository before executing scripts, tasks, or dependency installs
• Train developers to identify red flags such as short links, new repo accounts, unusual setup steps, or requests to trust unknown authors

Security controls to review

• Ensure tamper protection, real-time AV, and endpoint updates are enabled
• Restrict scripting and runtimes such as Node.js, Python, and PowerShell where possible
• Consider application control to block execution from Downloads and temp folders
• Monitor for download-and-execute patterns, suspicious repository behavior, and outbound traffic to low-reputation hosts
• Reduce secret exposure through short-lived credentials, vault-based storage, and MFA

Contagious Interview is a reminder that modern attacks increasingly exploit business workflows, not just software vulnerabilities. For security teams, protecting developers now means securing the interview process too.