North Korean-aligned hackers are targeting developers by embedding malicious code within seemingly legitimate GitHub repositories. This campaign, identified as UNK_DeadDrop, employs fake job offers and code review requests to entice developers into cloning infected repositories, leading to inadvertent malware execution on their systems.
Between April and May 2026, the attackers dispatched over 250 phishing emails to individuals across nearly 100 organizations, primarily in the United States. Sectors such as finance, cryptocurrency, education, and technology were notably targeted. The emails, crafted with convincing fake company names and professional sender domains, aimed to appear authentic.
According to Proofpoint, the activity is likely conducted by a North Korea-aligned threat actor and is being tracked as a distinct cluster. While there are strong overlaps with the previously known group Contagious Interview, no direct infrastructure overlap was found in Proofpoint’s telemetry.
The malware deployed in this campaign is cross-platform, capable of operating on macOS, Linux, and Windows. It utilizes an open-source Go framework called Overlord to maintain persistent connections to a command-and-control server. This setup enables remote access, credential theft, cryptocurrency wallet draining, and browser data exfiltration.
Exploitation of GitHub Repositories
The attack initiates with a phishing email directing the recipient to a GitHub or GitLab repository that mimics a legitimate coding project. These emails often masquerade as job recruitment messages or code review requests from entities like Pulsynk, Trixauvex, or Ondo Finance—either spoofed identities or entirely fabricated organizations.
Upon cloning the repository and opening it in Visual Studio Code or Cursor, a tasks.json file inside the dot-prefixed (and therefore hidden) .vscode folder defines a task that the editor runs automatically, executing the attackers' scripts. On macOS and Linux, the script installs a malicious VS Code extension (VSIX) disguised as a Google service, then launches the Overlord backdoor. On Windows, the payload operates entirely within the editor’s process, leaving no binary on disk, which complicates detection.
The use of VS Code’s task automation is particularly insidious, as the behavior appears normal within a developer environment. Notably, Cursor executes the hidden task without user prompts, rendering the attack entirely silent on that platform.
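The mechanism above can be checked for before a clone is ever opened in an editor. The following scanner is an added example written for this article; it is not code from the article, from Proofpoint, or from the campaign. It walks a cloned repository for `.vscode/tasks.json`, strips the comments and trailing commas that VS Code's JSONC syntax permits (a naive `json.loads` would fail on exactly the files a reviewer most needs to read), and reports any task whose `runOptions.runOn` is `folderOpen`, including the per-OS `windows`/`osx`/`linux` command overrides a cross-platform payload would use and whether the task's terminal is configured to stay hidden. The `SAMPLE_TASKS_JSON` content, the `demo()` helper and the `.vscode/setup.sh` path are constructed for the demonstration.

```python
"""Pre-open scanner for VS Code / Cursor task automation (added example, not
code from the article or Proofpoint). Finds .vscode/tasks.json under a clone,
strips the JSONC comments VS Code allows, and reports tasks that would run on
folder open ("runOptions.runOn": "folderOpen"), per-OS overrides included."""
import json
import re
import tempfile
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments that sit outside string literals, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):           # skip to (not past) the newline
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    # Regex-based trailing-comma removal; a literal ",]" inside a string is also
    # touched, which is acceptable for a triage tool.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def _command_lines(task: dict) -> dict:
    """Command line of the default entry plus each windows/osx/linux override."""
    lines = {}
    for key in ("default", "windows", "osx", "linux"):
        entry = task if key == "default" else task.get(key)
        if isinstance(entry, dict) and entry.get("command") is not None:
            args = [str(a) for a in entry.get("args", [])]
            lines[key] = " ".join([str(entry["command"])] + args)
    return lines


def auto_run_tasks(cfg: dict) -> list:
    """Tasks that fire on folder open; 'silent' means the terminal stays hidden."""
    hits = []
    for task in cfg.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        hits.append({
            "label": task.get("label", "<unnamed>"),
            "commands": _command_lines(task),
            "silent": (task.get("presentation") or {}).get("reveal") == "silent",
        })
    return hits


def scan_repo(root: Path) -> list:
    """Every folder-open task in any .vscode/tasks.json below root."""
    results = []
    for path in sorted(root.rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        rel = str(path.relative_to(root))
        try:
            cfg = parse_jsonc(path.read_text(encoding="utf-8"))
        except (ValueError, OSError) as exc:   # an unparsable file is itself worth a look
            results.append({"file": rel, "error": str(exc)})
            continue
        results.extend({"file": rel, **hit} for hit in auto_run_tasks(cfg))
    return results


# Constructed sample for the demo; it is not the campaign's file.
SAMPLE_TASKS_JSON = r'''{
  // comments and trailing commas are legal in tasks.json
  "tasks": [
    {
      "label": "build",
      "command": "npm run build",
      "detail": "see https://example.invalid/readme",
    },
    {
      "label": "sync",
      "command": "sh",
      "args": [".vscode/setup.sh"],
      "windows": { "command": "powershell", "args": ["-File", ".vscode/setup.ps1"] },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" },
    },
  ]
}'''


def demo() -> list:
    """Write the sample into a throwaway clone directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / "clone" / ".vscode"
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_repo(Path(tmp) / "clone")
```

Run `scan_repo(Path("path/to/clone"))` on a fresh clone and treat any hit as a reason to read the task's command before opening the folder; a silent folder-open task in a repository received with a job offer is exactly the pattern described above. As a standing control in VS Code itself, keep Workspace Trust enabled (automatic tasks do not run in a restricted-mode workspace) and set `"task.allowAutomaticTasks": "off"` in user settings so folder-open tasks never run without an explicit action; note that this is a VS Code setting, and the article reports that Cursor runs the task with no prompt at all.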
Credential Theft Mechanisms
Once the malware is active, it employs various techniques to steal credentials across all platforms. It targets browser data, cryptocurrency wallets, and other sensitive information, facilitating unauthorized access and potential financial theft.
This campaign underscores the evolving tactics of state-sponsored threat actors, who are increasingly leveraging trusted platforms like GitHub to infiltrate developer environments. Developers should exercise heightened vigilance when receiving unsolicited project invitations or job offers, especially those involving code repositories. Implementing robust security practices, such as verifying the authenticity of sources and scrutinizing repository contents before execution, is crucial to mitigating such sophisticated threats.
Source: Cyber Security News