Contagious Interview evolves: attackers abuse VS Code Tasks to auto-run malware when a “trusted” workspace is opened

Answer Brief

Taiwan’s TWCERT/CC reports a technical evolution in the “Contagious Interview” campaign: instead of relying on victims to manually execute a file, attackers embed a malicious VS Code workspace configuration so code runs automatically when developers open a project folder in Trusted Mode. The technique abuses VS Code’s tasks.json automation (including a run-on-folder-open behavior) and social engineering around Workspace Trust prompts. The activity primarily targets cryptocurrency software engineers and freelancers via recruiting outreach on LinkedIn and gig platforms, then directs them to download test projects from GitHub/GitLab. TWCERT/CC says the resulting payload has been identified as a newer BeaverTail variant (Type 701), with noted functional overlap with OtterCookie (sometimes referred to as “OtterCandy”), and is focused on stealing crypto-related browser extension and wallet data as well as high-value browser-stored secrets.

[Image: abstract diagram-style illustration of a developer tooling workflow with a highlighted automation trigger and risk heatmap overlays, representing VS Code task abuse for stealthy malware execution.]

Why It Matters

TWCERT/CC’s write-up highlights a shift that matters to security and engineering leaders globally: the initial execution step is being relocated from “developer runs an untrusted binary” to “developer opens a repository in a trusted IDE context.” By embedding malicious automation into a repository’s .vscode/tasks.json, attackers can turn a routine action—opening a folder—into code execution once Workspace Trust is granted. This reduces observable user intent (no explicit run/compile step) and increases the likelihood of success in fast-moving hiring and contracting workflows.

The reported flow is a blend of social engineering and development-environment abuse. Attackers allegedly pose as recruiters/employers on LinkedIn, Upwork, or Fiverr, then ask targets to download a project from GitHub or GitLab for testing. The key technical mechanism is a task configured to execute automatically on folder open (described as using a runOn: folderOpen property), paired with the psychological pressure of the VS Code Workspace Trust prompt—if the user clicks “Yes,” automated tasks can run.

The campaign’s focus on cryptocurrency engineers and freelancers is strategically significant: developer machines often hold privileged access to source code, build systems, signing keys, cloud credentials, and production-adjacent tokens. TWCERT/CC notes the payload is associated with a newer BeaverTail JavaScript malware variant (Type 701), with reporting suggesting convergence with OtterCookie capabilities (sometimes called “OtterCandy”). The alert describes information-stealing goals including data from 43+ crypto-related browser extensions (examples given include MetaMask and Phantom), plus credentials, session cookies, LocalStorage, and LevelDB (.ldb) artifacts.

For global defenders, the Taiwan signal is important because it documents a repeatable IDE-based initial-access pattern that can cross borders quickly: the technique leverages ubiquitous tooling (VS Code) and common collaboration channels (public code hosting and recruitment marketplaces). That combination can scale across regions and languages, and it shifts some supply-chain risk from package registries into editor/workspace configuration and developer trust prompts—areas many organizations still under-monitor.

TWCERT/CC summarizes practical defensive themes: avoid granting trust to unknown repositories, periodically inspect .vscode/tasks.json for suspicious auto-run behavior, separate privileges between development and daily-use accounts, and use controls such as email gateway scanning, VS Code extension allowlisting, and restricting/turning off unnecessary task auto-execution. (These are presented as expert recommendations in the TWCERT/CC alert.)
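The two technical points above, the runOn: folderOpen trigger and the advice to inspect .vscode/tasks.json and turn off unnecessary task auto-execution, can be turned into a small audit script. The following Python is an added example for this article, not code from TWCERT/CC, Microsoft, or the campaign itself. It assumes the tasks.json layout VS Code documents (a top-level "tasks" list whose entries may carry "runOptions": {"runOn": "folderOpen"}, plus optional "windows"/"linux"/"osx" overrides) and the two real VS Code settings task.allowAutomaticTasks and security.workspace.trust.enabled. The sample tasks.json and settings.json are constructed for illustration.

```python
"""Audit VS Code configuration for tasks that auto-run on folder open.

Added example (not TWCERT/CC's or Microsoft's code). Assumes VS Code's
documented tasks.json schema; sample inputs below are constructed.
"""
import json
import re
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas so json.loads accepts
    VS Code's JSON-with-comments files. Comment markers inside string
    literals are preserved. Limitation: a ", ]" or ", }" sequence inside a
    string is also collapsed by the trailing-comma regex."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: skip to */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",\s*([}\]])", r"\1", "".join(out))


def load_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task whose runOptions.runOn is "folderOpen", collecting
    the default command and any per-OS override so a reviewer sees the
    full command surface at a glance."""
    findings = []
    for task in load_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {}
        if "command" in task:
            commands["default"] = task["command"]
        if task.get("type") == "npm" and "script" in task:
            commands["npm script"] = task["script"]
        for os_name in ("windows", "linux", "osx"):
            override = task.get(os_name) or {}
            if "command" in override:
                commands[os_name] = override["command"]
        findings.append({"label": task.get("label", "<unnamed>"),
                         "type": task.get("type", "shell"),
                         "commands": commands,
                         "args": task.get("args", [])})
    return findings


def settings_gaps(settings_json_text: str) -> list[str]:
    """Report settings that still let automatic tasks run. Missing keys are
    treated as VS Code's permissive defaults (assumption: "on" / trust on)."""
    s = load_jsonc(settings_json_text)
    gaps = []
    if s.get("task.allowAutomaticTasks", "on") != "off":
        gaps.append('task.allowAutomaticTasks should be "off"')
    if s.get("security.workspace.trust.enabled", True) is not True:
        gaps.append("security.workspace.trust.enabled should be true")
    return gaps


def scan_repo(root: Path) -> dict:
    """Walk a checkout and return {path: findings} for every tasks.json that
    contains a folder-open task (periodic inspection, as the alert advises)."""
    return {str(p): f for p in root.glob("**/.vscode/tasks.json")
            if (f := auto_run_tasks(p.read_text(encoding="utf-8")))}


# Constructed sample resembling the pattern described in the alert.
SAMPLE_TASKS = r'''{
  // comments and trailing commas are legal in VS Code's tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "install deps", "type": "shell", "command": "node",
      "args": ["scripts/setup.js"], "windows": { "command": "node.exe" },
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "type": "npm", "script": "build", "group": "build" }
  ]
}'''

SAMPLE_SETTINGS = r'''{ "editor.fontSize": 14, /* unrelated */
  "task.allowAutomaticTasks": "on" }'''

if __name__ == "__main__":
    for f in auto_run_tasks(SAMPLE_TASKS):
        print("folderOpen task:", f["label"], f["commands"], f["args"])
    for gap in settings_gaps(SAMPLE_SETTINGS):
        print("settings gap:", gap)
```

Run it over a freshly cloned "test project" before granting Workspace Trust; any folderOpen task is worth reading in full, because the actual payload may be hidden behind a benign-looking launcher such as node with a script argument. Setting task.allowAutomaticTasks to "off" in user settings keeps such tasks from running even in a workspace that was trusted by mistake.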

Event Type: security
Importance: high

Affected Companies

  • Microsoft
  • Palo Alto Networks

Affected Sectors

  • Cloud and DevOps
  • Cryptocurrency
  • Cybersecurity
  • Software Development

Key Numbers

  • BeaverTail variant referenced: Type 701
  • Crypto-related browser extensions targeted (at least): 43+
  • Source publish date: 2026-01-28
  • TWCERT/CC page views (at capture): 7479

Timeline

  1. TWCERT/CC publishes an alert describing an evolved Contagious Interview technique abusing VS Code Tasks for persistence and stealthy execution.
