Cyber Warfare · Today's Signal

North Korean Hackers Are Hiding Malware Inside SVG Flag Icons in Fake Job Coding Tests

Published 2026-07-18 · SAL Cyber Command Intelligence Network
North Korean Hackers Are Hiding Malware Inside SVG Flag Icons in Fake Job Coding Tests

The Hacker News reports a North Korea-linked campaign delivering malware aligned with the OtterCookie family through fake coding assessments -- the kind of take-home technical test companies send job candidates -- with the payload concealed inside SVG image files depicting national flags. The steganographic trick lets the malicious code ride along in what looks like a harmless graphic asset embedded in a legitimate-seeming test repository.

This is DPRK's "Contagious Interview" playbook, just with a new delivery wrapper. For over two years, North Korean operators have used fake recruiters and rigged coding challenges to get developers -- especially those with access to crypto wallets, exchange infrastructure, or corporate source repos -- to run malicious code on their own machines, voluntarily, because they think they're doing a job interview. Hiding the payload in an SVG is a logical evolution: image files routinely bypass the scrutiny that .exe or .js attachments get, and flag icons are exactly the kind of filler asset nobody opens or questions in a coding-test repo. The state actor doesn't need a zero-day here -- it needs one engineer who wants the job badly enough to run "npm install" without reading every file in the folder.

The SAL read: if your hiring pipeline lets candidates or contractors execute code on anything touching production, wallets, or source control, treat every take-home test and "complete this repo" exercise as untrusted code review has to happen in an isolated sandbox before a single script runs, not after.

Sources: THE HACKER NEWS
SAL SENTRY — your private AI security operations center.24/7 watch on network, cloud, endpoints, and email. Flat $999/mo. Live in 48 hours.