
North Korea Targets Developers with 250 Fake Job Offers in Credential Heist


More than 250 emails, sent over six weeks in April and May, landed in the inboxes of developers at almost 100 organizations — primarily in the United States — as part of a phishing campaign Proofpoint researchers have tracked as UNK_DeadDrop.

Scope and scale of UNK_DeadDrop

Proofpoint threat researchers Saher Naumaan and Carlos Rubio say the campaign targeted professionals across technology, education, business services, and financial services. The operation sent over 250 recruitment-themed messages to people at nearly 100 organizations in a concentrated six-week window, and the vendor is treating UNK_DeadDrop as an independent cluster distinct from previous activity such as Contagious Interview.

According to the researchers, differences supporting that separation include a shift from social-media-driven interview scams to high-volume email, industrialized creation of malicious GitHub repositories, a new self-contained payload, and distinct delivery infrastructure.

Spoofed companies, lures, and GitHub repositories

The emails were presented as legitimate job offers for developer roles — listings like “Full-Stack Engineer” and “Agent Lead Developer” — and spoofed a handful of real companies. Proofpoint observed spoofed sender domains claiming affiliation with Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish.

Each message contained links to attacker-controlled GitHub repositories disguised as coding assignments or cryptocurrency-related projects. Proofpoint’s report lists 10 repositories focused on four themes: cryptocurrency platforms, exploit archives, Foundry testing, and AI payments. In May the lure shifted in some messages to unsolicited peer-review requests for open-source projects from firms named Pulsynk and Trixauvex, with a separate late-May appeal asking recipients to test an ERC-4626 vault in Foundry.

The VS Code VSIX vector and cross-platform loaders

All emails directed recipients to clone a repository and open it in a code editor such as Visual Studio Code or Cursor. When a target opened a pre-configured project folder, a silent task executed and triggered a platform-specific loader that decoded embedded payloads. That loader proceeded to install a malicious VS Code extension (VSIX) masquerading as a legitimate Google service.

On macOS and Linux the VSIX extension persists: every time the user opens the editor it activates and relaunches the infection chain if it isn't already running. Proofpoint notes that the persistence mechanism does not work on Windows; the infection chain there runs inside the editor’s Electron process instead.
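The auto-run mechanism described above is a standard editor feature: a `.vscode/tasks.json` task carrying `"runOptions": {"runOn": "folderOpen"}` starts as soon as the folder is opened. The following script is an added defensive example, not code from Proofpoint's report or from the campaign; it inspects a cloned repository before anyone opens it in an editor, listing folder-open tasks (with a crude flag on commands that fetch, decode or install things) and any bundled `.vsix` files. The sample `tasks.json` embedded below is constructed for the demonstration, and the suspicious-command pattern is the author's own heuristic, not a published indicator.

```python
"""Pre-open scan of a cloned repo for VS Code auto-run tasks and bundled VSIX files."""
import json
import re
from pathlib import Path

# Real VS Code semantics: a task whose runOptions.runOn is "folderOpen" starts on folder open.
AUTO_RUN_MARKER = "folderOpen"

# Heuristic (assumption, not a published indicator): command fragments worth a second look
# before a task is allowed to run on folder open.
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget|base64|certutil|powershell|bash\s+-c|python|node\s+-e|--install-extension|\.vsix)",
    re.I,
)


def strip_json_comments(text):
    """tasks.json is JSONC: remove // and /* */ comments and trailing commas before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return text


def find_auto_tasks(tasks_json_text):
    """Return one finding per task configured to run when the folder is opened."""
    data = json.loads(strip_json_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != AUTO_RUN_MARKER:
            continue
        # Reassemble command + args so the heuristic sees the full invocation.
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd.strip(),
            "suspicious": bool(SUSPICIOUS_CMD.search(cmd)),
        })
    return findings


def scan_repo(root):
    """Scan a checked-out repository: folder-open tasks plus any .vsix packages shipped in-tree."""
    root = Path(root)
    report = {"auto_tasks": [], "vsix_files": []}
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        report["auto_tasks"] = find_auto_tasks(tasks_file.read_text(encoding="utf-8", errors="replace"))
    report["vsix_files"] = sorted(str(p.relative_to(root)) for p in root.rglob("*.vsix"))
    return report


# Constructed sample tasks.json: one ordinary build task and one silent folder-open task.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample for the scanner demo, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "bash",
      "args": ["-c", "node ./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" }
    }
  ]
}'''


if __name__ == "__main__":
    for f in find_auto_tasks(SAMPLE_TASKS_JSON):
        print(f"folder-open task {f['label']!r}: {f['command']}  suspicious={f['suspicious']}")
```

Run `scan_repo("/path/to/clone")` against a freshly cloned assignment before opening it. The scan is a triage aid, not a substitute for the editor's own Workspace Trust: keeping unfamiliar folders in Restricted Mode stops automatic tasks from running at all, and the scanner simply tells you what would have run had you trusted the folder.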

Linux and macOS backdoors built on Overlord C2

The Linux and macOS payloads are native Go binaries built on the open-source Overlord command-and-control framework. Proofpoint says the attackers added three custom modules to Overlord for this campaign: browserlogin (for Chrome and Firefox credential theft), companywallet (a crypto-wallet stealer and exfiltration module), and cleanup (to remove workspace artifacts).

On macOS, Overlord first collects wallet-extension data, browser profile artifacts, and standalone wallet directories, compressing them into a ZIP and uploading it to the C2 server. Five minutes later the malware deploys a secondary embedded Mach-O binary that displays a fake system dialog prompting the user for their password. If the entered password validates, the malicious process modifies keychain access-control lists across Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and other Chromium-based browsers, extracts Safe Storage keys, and sends credentials, Safe Storage keys, and keychain data to the attacker-controlled server. Proofpoint adds that the backdoor then re-launches itself as root using the stolen password.

Linux follows a similar sequence: wallet data is exfiltrated first, then Zenity is used to prompt for credentials; the malware attempts to steal passwords from GNOME Keyring by spawning Python 3 processes for each browser and likewise seeks root re-launch with the harvested password.

Windows pipeline: JavaScript in Electron, Python stealers, and exfiltration

Windows infections run entirely as JavaScript inside the editor’s Electron process (appearing as Code.exe). The Windows malware targets 35 wallet extension IDs — including MetaMask, Phantom, Rabby, and Keplr — and 18 standalone wallet applications such as Exodus, Electrum, Ledger Live, Monero, Solana CLI, and Bitcoin, and it also collects Firefox profiles.

Proofpoint describes a multi-stage Windows routine that installs Python and executes a stealer (detect_malware.py) for each browser profile. The pipeline collects credentials across Chromium and Firefox, steals cookies from Chrome/Edge/Brave, and uses the COM Elevation Moniker to access credentials in browsers protected by App-Bound Encryption. The malware tries five methods in cascade to read locked databases, then uploads all stolen secrets to the same exfiltration endpoint and terminates.

What this means for developers, employers, and security teams

  • Developers: Proofpoint’s findings underscore a targeted shift at engineers and open-source contributors — the attack asks recipients to run code locally and open projects in editors, making the act of cloning and launching seemingly routine code a high-risk trigger.
  • Employers and affected organizations: The campaign’s high volume and repository-based delivery model suggest adversaries are scaling operations; organizations should assume recruitment-themed email from unknown senders may carry repository links that execute tasks automatically.
  • Security teams: The campaign uses cross-platform techniques and shared C2/exfiltration endpoints across macOS, Linux, and Windows, with distinct payload behavior per OS. Detection strategies may need to include monitoring for unexpected VSIX installations, anomalous child processes spawned from code editors, and unexpected exfiltration of wallet or browser profile artifacts.
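The detection ideas in the last bullet can be expressed over process-creation telemetry. The script below is an added example written for this article, not Proofpoint detection content; it takes Sysmon-style process events (field names `parent_image`, `image`, `command_line`, `parent_pid`, `ts` are the author's assumed schema) and flags three things drawn from the behaviour described above: an editor process such as `Code.exe` spawning an interpreter, a `zenity` password prompt launched from the editor, and an editor that spawns several interpreter children in a short burst, as the per-browser Python processes would. The events are constructed samples.

```python
"""Editor-spawned interpreter and burst detection over constructed process events."""
from collections import defaultdict
from datetime import datetime

# Editor process names seen on the three platforms (assumed list; extend for your fleet).
EDITOR_IMAGES = {"code.exe", "cursor.exe", "code", "cursor", "electron"}
# Interpreters and prompt tools an IDE rarely needs to spawn without a visible user action.
INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "python", "powershell.exe", "pwsh.exe",
                "cmd.exe", "bash", "sh", "zenity", "osascript"}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event):
    """Reasons a single process-creation event looks like editor-driven credential access."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmdline = event.get("command_line", "").lower()
    reasons = []
    if parent in EDITOR_IMAGES and child in INTERPRETERS:
        reasons.append(f"{parent} spawned interpreter {child}")
    if "--install-extension" in cmdline or ".vsix" in cmdline:
        reasons.append("extension install via command line")
    if child == "zenity" and "--password" in cmdline:
        reasons.append("zenity password prompt")
    return reasons


def scan(events):
    """Map event id -> reasons for every event that triggers at least one rule."""
    return {e["id"]: r for e in events if (r := detect(e))}


def burst_parents(events, threshold=3, window_s=60):
    """Editor PIDs that spawn >= threshold interpreter children inside window_s seconds."""
    by_parent = defaultdict(list)
    for e in events:
        if basename(e["parent_image"]) in EDITOR_IMAGES and basename(e["image"]) in INTERPRETERS:
            by_parent[e["parent_pid"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for pid, times in by_parent.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(pid)
                break
    return flagged


# Constructed sample telemetry (not real IoCs): a Windows editor running a per-profile
# stealer three times, a benign git child, a benign python from Explorer, and a Linux
# editor launching a zenity password dialog.
CODE_WIN = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
PY_WIN = r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe"
STEALER = r"C:\Users\dev\AppData\Local\Temp\detect_malware.py"
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2025-05-12T09:00:01", "parent_pid": 4120, "parent_image": CODE_WIN,
     "image": r"C:\Program Files\Git\cmd\git.exe", "command_line": "git status"},
    {"id": 2, "ts": "2025-05-12T09:00:05", "parent_pid": 4120, "parent_image": CODE_WIN,
     "image": PY_WIN, "command_line": f"python.exe {STEALER} --profile Default"},
    {"id": 3, "ts": "2025-05-12T09:00:09", "parent_pid": 4120, "parent_image": CODE_WIN,
     "image": PY_WIN, "command_line": f"python.exe {STEALER} --profile \"Profile 1\""},
    {"id": 4, "ts": "2025-05-12T09:00:13", "parent_pid": 4120, "parent_image": CODE_WIN,
     "image": PY_WIN, "command_line": f"python.exe {STEALER} --profile \"Profile 2\""},
    {"id": 5, "ts": "2025-05-12T09:01:00", "parent_pid": 7001, "parent_image": r"C:\Windows\explorer.exe",
     "image": PY_WIN, "command_line": "python.exe notebook.py"},
    {"id": 6, "ts": "2025-05-12T09:02:00", "parent_pid": 2211, "parent_image": "/usr/share/code/code",
     "image": "/usr/bin/zenity", "command_line": "zenity --password --title=Authentication Required"},
]


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
    print("burst parents:", burst_parents(SAMPLE_EVENTS))
```

The per-event rules will fire on legitimate developer activity (integrated terminals, debuggers, language servers), so in practice the burst rule and the `zenity`/`.vsix` rules are the lower-noise signals; the interpreter-from-editor rule is better used as context to enrich an alert than as an alert by itself.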

“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Naumaan and Rubio wrote, concluding that the move from active social engineering on platforms like LinkedIn to large-scale, email-driven repository attacks “could indicate an actor industrializing and scaling operations.” The question left by the technical detail is practical: when routine developer workflows become an entry vector, who — inside or outside an organization — will change them first?
