North Korea's Contagious Interview Crew Targets Developers With Code-Review Phishing Bait
The DPRK-linked threat cluster known as Contagious Interview has added a deceptively simple new lure to its arsenal: a polite request to review some code.

The North Korea-linked threat cluster Contagious Interview — tracked by researchers under the aliases Famous Chollima, HexagonalRodent, and Void Dokkaebi — launched two fresh phishing campaigns in mid-2025 that security researchers have attributed to the same long-running operation, this time deploying code-review requests alongside its established fake-recruiter playbook.
Same Crew, Sharpened Lures
Contagious Interview has been running developer-targeted intrusion campaigns for more than two years. The group's standard playbook is well-documented: impersonate a recruiter, walk a developer through a fake hiring pipeline, then deliver a payload at the moment the target least suspects it — when cloning a repository, launching a take-home assignment, or installing a required video-conferencing client.
Payloads have rotated through three malware families. BeaverTail acts as an initial-stage infostealer and dropper. InvisibleFerret provides persistent backdoor access. OtterCookie rounds out the toolkit with credential-harvesting capability. Delivery mechanisms have included npm packages and GitHub repositories engineered to look like legitimate open-source projects.
What is new in these two campaigns is the code-review pretext. Recruiter impersonation has been widely discussed in developer communities; engineers warn each other on forums and in private Slack groups, and many have learned to verify recruiter identities before engaging. A request to review a pull request or audit a code snippet is different. It arrives as a professional courtesy, not a solicitation. It flatters the recipient. And it bypasses the mental filter most developers apply to unsolicited job outreach.
That is the operational insight driving the pivot.
Why Developers Are High-Value Targets
Access to a software engineer's workstation is not ordinary access. It typically means proximity to source code, signing keys, SSH credentials, cloud provider CLI sessions, and — in the cases that have drawn the most attention — cryptocurrency wallets and private keys.
The FBI and the U.S. Treasury's Office of Foreign Assets Control (OFAC) have both issued public guidance tying DPRK IT-worker schemes and developer-targeting operations to sanctions evasion and the funding of North Korea's weapons programs. The 2024 Verizon Data Breach Investigations Report found that credentials and personal data remain the top two types of data stolen in breaches involving the financial-services and technology sectors — the exact assets Contagious Interview systematically pursues.
This is not opportunistic crime. It is a state-directed revenue stream.
The Mechanics of the Code-Review Trap
The mechanics are straightforward, which is part of why they work. A developer receives a message — on LinkedIn, GitHub, a professional forum, or even direct email — asking them to look over a project, audit a snippet, or provide feedback on a repository. The request sounds reasonable. Engineers receive similar requests from colleagues regularly.
The target clones the repository or downloads the package. The malicious payload executes. By the time any exfiltration is detected, BeaverTail may have already harvested stored credentials and staged InvisibleFerret for persistent access.
Proofpoint's threat-intelligence team published the primary attribution analysis linking both campaigns to the Contagious Interview cluster.
Which Controls Failed — and Why It Keeps Working
The root-cause failure here is not a missing patch or a misconfigured firewall. It is the absence of trained skepticism in a professional context where trust is the default. Developers are conditioned to collaborate, share code, and respond to peer review requests. Contagious Interview is exploiting that professional reflex deliberately.
No technical control stops a developer from voluntarily cloning a repository if they believe it is legitimate. Endpoint detection can catch known BeaverTail signatures, but zero-day or lightly obfuscated variants may not trigger immediate alerts. The gap is human. Security awareness training that specifically addresses social engineering in developer workflows — covering scenarios like fake code reviews, malicious npm packages, and recruiter impersonation — is the most direct control organizations can apply before a payload ever touches an endpoint. Teams that run security awareness training with realistic, profession-specific phishing simulations are far better positioned to recognize these lures before the damage is done.
The second failure is the absence of isolation hygiene. Developers routinely run untrusted code on their primary workstations, often with full access to credential stores, SSH agents, and cloud CLI sessions in the background. That is a configuration risk independent of whether any phishing attempt succeeds. A disposable virtual machine or container with no access to production credentials should be the default environment for evaluating any external code, including take-home assignments, open-source dependencies from unfamiliar publishers, and unsolicited review requests.
What Defenders Should Do Now
Security teams and individual developers should treat the following as immediate operational guidance:
- Verify before you clone. Any unsolicited request to review code, run a repository, or evaluate a project warrants out-of-band verification. Confirm the requester's identity through a second channel — a known phone number, a company directory, or a video call — before touching the files.
- Isolate untrusted execution. Run all external repositories, take-home assignments, and unfamiliar npm or PyPI packages inside a dedicated VM or container with no credential stores, no SSH keys, and no cloud CLI sessions mounted.
- Audit recent package installs. Check developer endpoints for npm, PyPI, and GitHub activity involving accounts or packages created in the last 90 days. New accounts publishing packages that a senior engineer suddenly needs to install are a strong warning signal.
- Rotate credentials on any compromised machine. If a developer touched a suspicious repository, immediately rotate all tokens, SSH keys, and cloud credentials accessible from that machine. Review outbound network traffic for indicators associated with BeaverTail and InvisibleFerret command-and-control infrastructure.
- Check your regulatory obligations. U.S. organizations should report confirmed intrusions to the FBI's IC3. EU employers face GDPR Article 33 notification requirements if developer credentials or personal data were exfiltrated. Australian organizations fall under the OAIC's Notifiable Data Breaches scheme.
Organizations wanting to benchmark their current posture against established frameworks can review applicable controls at Train2Secure's standards library.
The Trend Line
Recruiter-themed phishing has worked for years. It will keep working on some portion of the developer population. But security awareness in developer communities has grown, and Contagious Interview's move toward code-review pretexts reflects that awareness. The group adapts. The lures will keep evolving to match wherever professional trust is highest.
Engineers should expect more of this, in more convincing forms, from more plausible-looking accounts. The only durable defense is the habit of verifying before executing — regardless of how reasonable the request sounds.
How This Attack Could Have Been Stopped Earlier
- Train developers to apply the same verification discipline to code-review requests as they would to any unsolicited external contact — verify the requester out-of-band before cloning anything.
- Establish a policy requiring all external or untrusted code to be executed inside an isolated VM or container with no access to production credentials or cloud sessions.
- Run profession-specific phishing simulations that reflect real developer workflows, including fake npm packages, GitHub repository lures, and code-review pretexts.
Train2Secure's security awareness training includes developer-focused phishing scenarios built around exactly these social engineering tactics.
Frequently asked questions
What is Contagious Interview and who is behind it?
Contagious Interview is a North Korea state-linked threat cluster tracked under multiple names including Famous Chollima, HexagonalRodent, and Void Dokkaebi. It targets software developers to steal credentials, source code, signing keys, and cryptocurrency assets, with proceeds believed to fund DPRK weapons programs.
How does the code-review phishing lure work?
Attackers send developers an apparently professional request to review a code repository or pull request. When the target clones the repository or installs an associated package, malware — typically BeaverTail, InvisibleFerret, or OtterCookie — executes on their machine and begins harvesting credentials.
How is a code-review lure different from a recruiter phishing email?
Recruiter impersonation has been widely publicized in developer communities, so many engineers now verify recruiter identities before engaging. A code-review request exploits professional norms around collaboration and peer feedback, bypassing that skepticism because it arrives as a technical courtesy rather than a solicitation.
What should a developer do if they accidentally ran code from a suspicious repository?
Immediately isolate the machine from the network, rotate all credentials, SSH keys, and cloud tokens accessible from that workstation, and review outbound traffic for known Contagious Interview command-and-control indicators. Report the incident to your security team and, if in the U.S., consider filing a report with the FBI's IC3.