UNK_DeadDrop campaign: a focused phishing run
Proofpoint, which is tracking the activity under the cluster name UNK_DeadDrop, reported the campaign sent more than 250 emails over April and May 2026 to almost 100 organizations. Targets were mostly US-based and concentrated in technology, education and finance, with a particular focus on cryptocurrency firms. Each message linked to a GitHub or GitLab repository presented as a coding assignment or code-review request.
Poisoned repositories on GitHub and GitLab
The lure varied across the campaign: recruiters and job offers for full-stack and "agent lead" developer roles, invitations to peer-review open-source code, a task to test an ERC-4626 smart-contract vault in Foundry, and a project described as building AI payment agents. Recipients were instructed to clone the repository and open the project folder in an editor such as VS Code or Cursor. Inside each repository sat a hidden tasks.json file engineered to run the moment the folder was opened.
Editor abuse: VS Code, Cursor and a fake Google extension
The attackers exploited legitimate editor features. Proofpoint observed that VS Code at least shows a trust prompt when an external task attempts to run; Cursor, in contrast, runs the payload silently with no interaction. The initial script installs a malicious VS Code extension posing as a Google service. On macOS and Linux that extension relaunches the malware whenever the editor reopens. According to Proofpoint, the design makes the payload self-contained and resilient even if infrastructure is taken down.
Payloads, the Overlord framework and cross-platform theft
From the loader the campaign split by platform. On Linux and macOS, victims received a Go remote access trojan (RAT) built from the open-source Overlord framework. On Windows, the malicious activity ran as JavaScript inside the editor itself, leaving no file on disk. Regardless of platform, the end goal was the same: steal cryptocurrency and credentials.
Proofpoint detailed what the malware looks for. It scans for browser data and a wide set of cryptocurrency wallets, including browser-based extensions such as MetaMask, Phantom and Keplr and desktop applications including Exodus, Electrum and Ledger Live. It also targets saved passwords and cookies from Chrome, Brave, Edge and Firefox.
To reach protected secrets, the macOS and Linux variants present a fake password dialog and then reuse the captured password to relaunch as root and dump the system keychain or keyring. The Windows variant bypasses Chrome's app-bound encryption. After uploading harvested data to the attackers, the loader deletes its files to cover its tracks.
Echoes of Contagious Interview and attribution
Proofpoint noted clear echoes of Contagious Interview, a long-running North Korea-aligned operation that has baited developers with fake recruiters and poisoned developer tools since at least 2022. However, Proofpoint is tracking UNK_DeadDrop as a separate cluster, citing the campaign's email-led delivery, the industrial scale of repository creation and a self-contained payload that survives infrastructure takedowns as key differentiators. "While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster," the company concluded.
What this means for technologists, enterprises, and end users
- Technologists and security teams: Watch for repository-based lures that include hidden tasks.json files and monitor for unexpected editor-installed extensions — notably ones purporting to be Google services. Pay attention to platform-specific behaviors described by Proofpoint, including Overlord-based Go RATs on macOS/Linux and JavaScript loaders running inside editors on Windows.
- Affected enterprises and procurement leaders: Expect adversaries to scale by creating many repositories and sending targeted, email-led recruitment-style lures. Firms in technology, education, finance and the crypto sector should prioritize vetting code sources and consider blocking or inspecting repository clones linked from unsolicited job or review requests.
- End users and general public: Be cautious of unexpected coding tasks and review editor prompts carefully — Proofpoint observed that Cursor runs payloads without a trust prompt and that fake password dialogs are used on macOS and Linux to harvest credentials and relaunch with elevated privileges.
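The hidden tasks.json described above works because VS Code-compatible editors can mark a task with `runOptions.runOn: "folderOpen"`, which launches it as soon as the folder is opened. A defender's counterpart is to scan a clone before opening it. The script below is an added example, not Proofpoint's tooling and not code from the campaign: it walks a checkout, parses every `.vscode/tasks.json` and `.code-workspace` file (both allow comments and trailing commas, so it strips those first), and reports any task set to run on folder open. The sample repository it builds in a temp directory is constructed, with a harmless `echo` standing in for a loader.

```python
"""Pre-open scanner for auto-run editor tasks in a cloned repository.

Added example (not Proofpoint's tooling). Flags tasks that a VS Code-compatible
editor would launch on folder open (runOptions.runOn == "folderOpen").
"""
import json
import os
import re
import sys
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str      # file that declares the task
    label: str     # task label, or a marker for unparseable files
    command: str   # command plus args that would run on folder open


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings; tasks.json is JSON-with-comments."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep escaped char, e.g. \" inside a string
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith('//', i):
            j = text.find('\n', i); i = n if j == -1 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    # Trailing-comma removal is regex based; adequate for task files, not a full JSON5 parser.
    return re.sub(r',\s*([}\]])', r'\1', ''.join(out))


def parse_jsonc(text):
    return json.loads(strip_jsonc(text))


def _autorun_tasks(task_list, path):
    for task in task_list or []:
        if (task.get('runOptions') or {}).get('runOn') == 'folderOpen':
            parts = [str(task.get('command', ''))] + [str(a) for a in task.get('args') or []]
            yield Finding(path, str(task.get('label', '<unlabeled>')), ' '.join(parts).strip())


def find_autorun_tasks(repo_root):
    """Return every folderOpen task declared under repo_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(repo_root):
        candidates = []
        if os.path.basename(dirpath) == '.vscode' and 'tasks.json' in files:
            candidates.append(('tasks', os.path.join(dirpath, 'tasks.json')))
        candidates += [('workspace', os.path.join(dirpath, f)) for f in files if f.endswith('.code-workspace')]
        for kind, path in candidates:
            try:
                with open(path, encoding='utf-8-sig') as fh:
                    data = parse_jsonc(fh.read())
            except (OSError, ValueError) as exc:
                findings.append(Finding(path, '<unparseable>', f'parse error: {exc}'))
                continue
            # .code-workspace nests the task list one level deeper than tasks.json.
            tasks = data.get('tasks', []) if kind == 'tasks' else (data.get('tasks') or {}).get('tasks', [])
            findings.extend(_autorun_tasks(tasks, path))
    return findings


def demo():
    """Build a constructed throwaway repo with one benign auto-run task and scan it."""
    root = tempfile.mkdtemp(prefix='autorun_scan_')
    os.makedirs(os.path.join(root, '.vscode'))
    sample = '''{
  // constructed sample: "echo hello" stands in for a loader command
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    { "label": "setup", "type": "shell", "command": "echo", "args": ["hello"],
      "runOptions": { "runOn": "folderOpen" } }
  ]
}'''
    with open(os.path.join(root, '.vscode', 'tasks.json'), 'w', encoding='utf-8') as fh:
        fh.write(sample)
    return find_autorun_tasks(root)


if __name__ == '__main__':
    results = find_autorun_tasks(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f'AUTO-RUN TASK  {f.path}  label={f.label!r}  command={f.command!r}')
    sys.exit(1 if results else 0)   # non-zero so a pre-open hook or CI gate can refuse the clone
```

Run it as `python scan_autorun.py /path/to/clone` before opening the folder in VS Code or Cursor; with no argument it scans the constructed sample. A non-empty result is not proof of malice (legitimate projects occasionally auto-run a watcher), but an unsolicited assignment repository carrying one deserves to be read, not opened.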
Proofpoint's findings show a campaign that blends social engineering familiar to developer communities with technical tricks that exploit trusted tooling. The operation's emphasis on repository-scale distribution and self-contained payloads raises a particular risk for organizations that rely on rapid code review or accept cloned projects from unvetted sources. With attribution unconfirmed but operational similarities to earlier North Korea-aligned activity, the cluster remains active and under ongoing observation.
Original report: https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/