North Korea Hackers Abuse Git Hooks to Deploy Cross-Platform Malware

The latest iteration of the Contagious Interview campaign illustrates a broader shift in cyber‑espionage tactics: moving from high‑profile supply‑chain compromises to low‑profile, developer‑centric attacks. By hijacking Git’s pre‑commit hook—a feature deeply embedded in modern CI/CD pipelines—adversaries gain a reliable execution point that often escapes automated scanning tools. This approach mirrors earlier trends where threat actors weaponized npm post‑install scripts or VS Code extensions, but it is more discreet because the hook runs locally, requires no elevated privileges, and blends with legitimate development practices.

Technically, the malicious hook begins by detecting the operating system with a simple "uname -s" call, then pulls a tailored payload from a Vercel‑hosted URL that mimics the popular pre‑commit framework. The script uses standard utilities like curl or wget, redirects all output to /dev/null, and exits with code zero, ensuring the commit proceeds without warning. Because the payload is fetched at runtime, attackers can rotate or update malicious code without altering the compromised repository, complicating forensic analysis and signature‑based detection. The cross‑platform design—delivering Bash scripts for macOS/Linux and batch commands for Windows environments such as Git Bash—maximizes reach across heterogeneous developer workstations.

For organizations, the emergence of Git‑hook abuse mandates a reassessment of onboarding and code‑review policies. Security teams should enforce strict verification of any repository received as part of a hiring process, mandate the use of isolated virtual machines for initial builds, and integrate hook‑scanning into existing static analysis pipelines. Developers are encouraged to audit .githooks, .husky, and .vscode directories before execution and to disable automatic hook execution in untrusted environments. As threat actors continue to weaponize trusted developer tools, a proactive, layered defense—combining education, tooling, and policy—will be essential to protect both individual contributors and the broader software supply chain.