How Contagious Interview infiltrates the software supply chain with fake job offers and manipulated repositories


A new intelligence report has again put on the table a persistent and sophisticated threat that combines social engineering, abuse of development tools and compromises in the software supply chain. According to data shared by Recorded Future, an operation tracked under the name PurpleBravo reportedly targeted thousands of IP addresses and dozens of companies on multiple continents, using fake job offers and compromised development projects as lures to deploy malware.

The findings describe 3,136 individual IP addresses linked to potential targets of this activity between August 2024 and September 2025, and state that the campaign targeted a dozen organizations in sectors ranging from artificial intelligence and cryptocurrencies to financial services, marketing and software development. The identified victims are spread across countries such as Belgium, India, Italy, Pakistan, Romania, the United Arab Emirates and Vietnam, which highlights the transnational reach of the actor.


The relevance of this operation lies not only in the number of machines potentially affected, but in the tactic used: fake profiles on professional networks and malicious repositories that pass themselves off as legitimate Visual Studio Code or GitHub projects. Investigations by security firms, including publications from Jamf Threat Labs, have shown how attackers insert backdoors and loaders into packages that developers then clone and run, trusting that they come from reliable sources. In this way, standard development workflows are used to introduce malware without the need for traditional vulnerabilities.

The malware families linked to the campaign include information stealers and backdoors written in different languages, among them a JavaScript infostealer known as BeaverTail and a backdoor developed in Go (nicknamed GolangGhost, with similar variants) that reuses open source tool components to steal credentials and exfiltrate data. The associated command and control (C2) servers were hosted with multiple providers and managed through Astrill VPN, an infrastructure pattern already observed in malicious activity attributed to North Korean actors.

In addition to distributing malware through repositories, the operation has combined fake recruitment with coding tests: candidates contacted by the attackers performed technical exercises on corporate devices, which in many cases meant executing malicious code on the hiring company's machines. The side effect is evident: the risk is no longer limited to the individual receiving the offer, but extends to the customers and partners of the affected organization, creating a compromise vector in the software supply chain.

This way of operating complements another line of activity known for years: the placement of North Korean IT workers under false identities to gain access to organizations abroad, for both espionage and profit. Although the two fronts, fraudulent employment and software supply-chain compromise campaigns, are tracked separately, research points to significant overlap in tactics, infrastructure and operators, which complicates attribution and multiplies the potential impact when they converge.

For companies that subcontract development or maintain distributed teams, the lesson is clear and urgent. It is not enough to rely on the apparent provenance of a repository or on a superficially verified job offer. Reviewing integration pipelines, restricting code execution on corporate devices and separating technical assessment environments from those with access to production are measures that should be incorporated into security policies as soon as possible. Official agencies such as CISA and frameworks such as MITRE ATT&CK provide resources and references to understand the tactics and mitigate the risks of persistent threat campaigns.

It is also worth recalling that attackers exploit trust: a popular Visual Studio Code project, an example package or a technical challenge may look harmless, but a single reckless execution can open a door into the corporate network. Good practices include strict validation of dependencies, blocking unsigned scripts on corporate machines, use of isolated testing environments and ongoing training for recruitment and human resources teams, since they are the ones who interact most with external candidates.
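As an added example (not from the report or from any of the vendors cited), a small pre-execution audit a reviewer can run on a cloned "coding test" before opening it in VS Code or running npm install. It checks two standard auto-run hooks, npm lifecycle scripts in package.json and VS Code tasks with runOn set to folderOpen, and the sample repository it builds is constructed here for illustration.

```python
"""Pre-execution audit of a cloned project: added example, not from the report."""
import json
import sys
import tempfile
from pathlib import Path

# npm runs these lifecycle scripts during `npm install` without an explicit `npm run`.
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

def _load_json(path: Path):
    """Parsed JSON, None if the file is absent, or "unparseable" on a parse error."""
    if not path.is_file():
        return None
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except ValueError:  # JSONC comments, trailing commas or deliberate obfuscation
        return "unparseable"

def audit_repo(root: str) -> list[str]:
    """List hooks that would run code when the project is installed or opened."""
    base, findings = Path(root), []
    pkg = _load_json(base / "package.json")
    if pkg == "unparseable":
        findings.append("package.json: not valid JSON, review by hand")
    elif isinstance(pkg, dict):
        for name, cmd in (pkg.get("scripts") or {}).items():
            if name in NPM_AUTO_SCRIPTS:
                findings.append(f"package.json: '{name}' runs on install -> {cmd}")
    tasks = _load_json(base / ".vscode" / "tasks.json")
    if tasks == "unparseable":
        findings.append(".vscode/tasks.json: not valid JSON, review by hand")
    elif isinstance(tasks, dict):
        for task in tasks.get("tasks") or []:
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(f".vscode/tasks.json: '{task.get('label')}' runs on folder open")
    return findings

def build_sample_repo() -> str:
    """Constructed sample 'coding test' repo carrying both kinds of auto-run hook."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"name": "interview-task", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "bootstrap", "type": "shell", "command": "node setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    return str(root)

if __name__ == "__main__":  # pass a cloned checkout path, or run on the constructed sample
    print("\n".join(audit_repo(sys.argv[1] if len(sys.argv) > 1 else build_sample_repo())))
```

A hit means "read it by hand in an isolated VM before running anything", not a verdict; a file that fails to parse is reported rather than silently skipped.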


At the operational level, layering controls (endpoint detection, monitoring of traffic to suspicious infrastructure, block lists and network segmentation) reduces the likelihood that a single mistake leads to a larger breach. At the strategic level, organizations should weigh the risk posed by a supplier with a large customer base in regions where these campaigns run their lures, because a supply-chain breach can multiply the consequences.

Incidents that combine social engineering, abuse of development platforms and creative use of infrastructure such as commercial VPNs are complex and require equally multidisciplinary responses. Reports such as Recorded Future's and publications from threat labs such as Jamf's help to understand the landscape and prioritize defenses, but implementation falls to each organization: there is no single cure, only the need for combined layers of prevention, detection and response.

In short, the campaign known as Contagious Interview and its related operations show how actors with diverse motivations can take advantage of both new techniques and predictable human habits. The security of software and of hiring processes should be treated as an integrated whole, and technical teams and business units must coordinate to narrow the window of opportunity for these attackers. To stay current, it remains advisable to consult specialized sources and update policies as new public reports appear.
