Imagine a developer getting a recruiter hit on LinkedIn. There’s a technical coding test, a repo to clone, and a quick install. Standard stuff, right? Except a few weeks later, your production server is calling home to a C2 in Pyongyang, because that “coding test” harvested the developer’s real credentials and used them to push a backdoor into your official repository.

This is the evolution of the “Contagious Interview” campaign. They’ve moved past just stealing from a laptop; they’re weaponizing the dev machine to infect the whole pipeline. Because the commits come from a trusted colleague with a real history, your automated scanners just wave the malware through the front door.

And it’s not just developers being targeted. “EtherRAT” is currently hitting admins by spoofing everyday tools like PuTTY and WinSCP on GitHub. They use SEO poisoning to make sure their malicious “Official Downloads” appear at the top of your search results. You think you’re grabbing a utility, but you’re actually handing over the keys to your entire cloud infrastructure.

The scary part? They aren’t breaking into your network. They’re using the tools and trust you already have. If you aren’t auditing who is “allowed” to push code regardless of their account history, you’re wide open.
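The check the last paragraph is asking for, as an added example that is not part of the original post: a small CI gate that audits every commit on a protected branch against a push allow-list and against git’s signature verification, so a commit is judged on whether it carries a verified signature from an authorised author, not on how long the pushing account has existed. It assumes the commits are exported with `git log --format='%H%x09%G?%x09%an%x09%ae' main`; the allow-list, the author names and the sample log lines are constructed for the demo.

```python
"""
Audit commits on a protected branch regardless of the author's account history.

Added example, not code from the original post. Assumes the repository is
queried with:
    git log --format='%H%x09%G?%x09%an%x09%ae' main
which yields tab-separated: sha, signature status, author name, author email.
"""
import subprocess
from dataclasses import dataclass

# %G? status codes documented by git (man git-log, "pretty formats"):
#   G good signature, B bad signature, U good but key of unknown validity,
#   X good but expired signature, Y good but expired key, R good but revoked
#   key, E signature cannot be checked (e.g. key missing), N no signature.
# Only a fully good signature is accepted; U/E/N are exactly what a commit made
# with stolen credentials but without the developer's signing key looks like.
ACCEPTABLE_SIG_STATUS = {"G"}

# Constructed allow-list: who is permitted to push to the protected branch.
ALLOWED_PUSHERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str
    author_name: str
    author_email: str


def parse_git_log(output: str) -> list[Commit]:
    """Parse the tab-separated git log format into Commit records."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        sha, sig, name, email = parts
        commits.append(Commit(sha, sig, name, email.strip().lower()))
    return commits


def audit(commits: list[Commit], allowed: set[str]) -> list[tuple[str, list[str]]]:
    """Return (sha, reasons) for every commit that fails either policy check."""
    findings = []
    for c in commits:
        reasons = []
        if c.author_email not in allowed:
            reasons.append("author not on push allow-list")
        if c.sig_status not in ACCEPTABLE_SIG_STATUS:
            reasons.append(f"signature status {c.sig_status!r} is not a verified signature")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


def audit_branch(branch: str = "main") -> list[tuple[str, list[str]]]:
    """Run the audit against a real checkout (hypothetical helper; needs git + keys)."""
    out = subprocess.run(
        ["git", "log", f"--format=%H%x09%G?%x09%an%x09%ae", branch],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_git_log(out), ALLOWED_PUSHERS)


# Constructed sample output. The second commit is the scenario in the post:
# a long-standing colleague's account, but pushed with stolen credentials and
# therefore carrying no signature from that colleague's key.
SAMPLE_LOG = (
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0\tG\tAlice Dev\talice@example.com\n"
    "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1\tN\tBob Dev\tbob@example.com\n"
    "c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2\tU\tNew Hire\tmallory@example.net\n"
)


def demo() -> list[tuple[str, list[str]]]:
    """Audit the constructed sample and return the findings."""
    findings = audit(parse_git_log(SAMPLE_LOG), ALLOWED_PUSHERS)
    for sha, reasons in findings:
        print(f"BLOCK {sha[:12]}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    raise SystemExit(1 if demo() else 0)
```

The gate fails the build on any finding, so a commit from a compromised but trusted account is blocked for lacking a verified signature even though its author is on the allow-list. The caveat a practitioner should keep in mind: the check only holds if signing keys live somewhere the stolen credentials cannot reach (a hardware token or a signing key separate from the account), and if the trusted-key set used by `git log` contains only the keys you have actually enrolled.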
Get the full technical breakdown of the DPRK’s repository-worming tactics.