Stealthy Pivot: North Korean Actors Leverage Git Hooks for ‘Contagious Interview’ Malware Delivery
In a sophisticated evolution of the ongoing “Contagious Interview” campaign, North Korean threat actors have pivoted away from traditional delivery vectors to exploit the intrinsic trust within the software development lifecycle (SDLC). By abusing Git hooks, attackers are successfully bypassing modern security controls and executing malicious code directly within a developer’s local environment.
The attack vector utilizes highly targeted social engineering. Developers—particularly those in the high-value cryptocurrency and DeFi sectors—are lured through fraudulent job interviews. The “hook” is a request to clone a specific GitHub repository containing a technical coding assessment. However, the repository serves as a Trojan horse, hiding a malicious .git/hooks/pre-commit script designed to trigger automatically.
Unlike previous iterations of this campaign that relied on bulky, easily detectable payloads, this new methodology utilizes a lightweight, surgical approach. The script performs initial environment fingerprinting using the uname -s command to determine the target operating system. Once the OS is identified, the script acts as a minimal downloader, reaching out to a remote command-and-control (C2) infrastructure hosted at precommit[.]vercel.app.
Depending on the target architecture, the script utilizes standard binaries like curl or wget to pull platform-specific payloads—ranging from Bash scripts for macOS/Linux to batch-compatible commands for Windows environments (specifically targeting Git Bash, MSYS, or Cygwin).
According to security researchers from the OpenSourceMalware team, this represents a significant tactical shift. Attackers are moving away from VS Code task files, npm post-install scripts, or disguised font files in favor of this more integrated, less scrutinized mechanism.
The technical implementation is masterfully designed for stealth. The script redirects all standard output to /dev/null, ensuring the developer sees no terminal noise. Furthermore, the script is engineered to return a successful exit code, allowing the git commit process to complete without error. This prevents the “broken workflow” red flag that often alerts a developer to unauthorized activity.
The choice of precommit[.]vercel.app as a C2 endpoint is a calculated move in deception. By leveraging Vercel—a legitimate cloud platform—the attackers gain several advantages: they inherit the reputation of a trusted domain, and they can use disposable deployments to rotate payloads dynamically, making traditional domain-based blocking significantly more difficult.
The Exploitation of Developer Trust
Git hooks are an ideal execution point because they are an industry-standard part of modern workflows. Tools like Husky and lint-staged frequently manage hooks, meaning the presence of a .githooks or .husky directory is often perceived as a standard project requirement rather than a security risk.
Many developers use the command git config core.hooksPath .githooks to manage project-specific hooks without performing a deep inspection of the script contents. This “set and forget” mentality provides the perfect opening for the adversary. Furthermore, by moving into the Git hook space, attackers effectively bypass the hardening efforts being implemented by IDEs like Visual Studio Code, which have become increasingly restrictive regarding auto-executing tasks.
The intelligence gathered from these repositories shows a highly organized pattern:
- Targeted Themes: Repositories are themed around cryptocurrency, DeFi, or blockchain development.
- Low Profile: Repositories feature minimal commit histories to avoid appearing “too new” or suspicious.
- Dynamic Triggers: Beyond
pre-commit, researchers have observedpost-checkouthooks, which trigger every time a developer switches branches, increasing the frequency of potential infection.
Defensive Strategies & Mitigation
To defend against this evolving threat, security professionals and developers should adopt a “Zero Trust” approach to external repositories:
- Inspect Before Execution: Always audit hidden directories such as
.githooks,.husky, and.vscodebefore runninggit cloneornpm install. - Environment Isolation: Never clone unverified third-party code on a primary workstation. Use isolated Virtual Machines (VMs) or containerized environments (like Docker) that do not have access to sensitive SSH keys, environment variables, or cryptocurrency wallets.
- Monitor Command Execution: Use EDR (Endpoint Detection and Response) tools to monitor for unusual child processes spawned by
git, especially those involvingcurl,wget, or unexpected shell executions.
Indicators of Compromise (IOCs)
| Type | Indicator / Value |
|---|---|
| C2 URL (macOS) | hxxps://precommit[.]vercel.app/settings/mac?flag=5 |
| C2 URL (Linux) | hxxps://precommit[.]vercel.app/settings/linux?flag=5 |
| C2 URL (Windows) | hxxps://precommit[.]vercel.app/settings/windows?flag=5 |
| C2 Domain | precommit[.]vercel.app |
| Malicious File Path | .githooks/pre-commit |
| File Hash (SHA-256) | 3ebd9bb57d155cc7c3353660f54c153a094cdfbd |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang these indicators only within controlled threat intelligence environments such as MISP, VirusTotal, or your organization’s SIEM.