logo

Lazarus Group Using Git Hooks To Hide Malware

ID: 6e8996c7-2d66-587f-b63e-7d8751092622

STIX ID: report--6e8996c7-2d66-587f-b63e-7d8751092622

Feed Name: OpenSourceMalware Blog

Threat Score
85/100

Date Published: 2026-05-06

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

OpenSourceMalware discovered a Lazarus Group campaign (Contagious Interview / TaskJacker) that hides a stage‑2 loader in Git hooks (.githooks/pre-commit and post-checkout) to silently fetch platform-specific payloads from precommit.vercel.app, delivering InvisibleFerret/Beavertail implants for crypto wallet and credential theft; the report includes C2 URLs, a git blob SHA, and a GitHub hunt query to locate similar malicious repos.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.