North Korean Hackers Use Fake Coding Tasks to Steal Crypto

By Team-CWD, June 8, 2026
A likely North Korean threat actor has phished software developers at almost 100 organizations with fake job and code-review lures to steal cryptocurrency and credentials.

According to new analysis from Proofpoint, which tracks the cluster as UNK_DeadDrop, the campaign sent more than 250 emails in April and May 2026. Targets were mostly US-based and worked in technology, education or finance, with a focus on cryptocurrency firms.

Each email linked to a GitHub or GitLab repository dressed up as a coding assignment, with instructions to clone it and open the folder in an editor such as VS Code or Cursor.

The pretexts shifted across the weeks: jobs for full-stack and “agent lead” developer roles, requests to peer-review open-source code, a task to test an ERC-4626 smart-contract vault in Foundry and a project building AI payment agents.

Inside each repository sits a hidden tasks.json file rigged to run the instant the folder opens, abusing a legitimate editor feature. VS Code at least shows a trust prompt; Cursor shows none, running the payload silently with no interaction.
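The auto-run mechanism described above is the editor's task-on-folder-open feature, so the defensive check a developer can make before opening an unfamiliar clone is to look for it. The scanner below is an added example, not code from the article or from Proofpoint; it assumes the rigged tasks use VS Code's documented `runOptions.runOn = "folderOpen"` setting (with `presentation.reveal = "never"` to keep the terminal hidden), and the sample `tasks.json` it scans is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

def parse_jsonc(text: str):
    """tasks.json is JSONC: drop block/line comments and trailing commas, then parse."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def find_autorun_tasks(repo: Path) -> list:
    """Flag tasks in any .vscode/tasks.json under repo that start on folder open."""
    # runOptions.runOn == "folderOpen" is VS Code's documented auto-start setting;
    # presentation.reveal == "never" keeps the task's terminal pane out of sight.
    hits = []
    for tasks_file in repo.glob("**/.vscode/tasks.json"):
        try:
            data = parse_jsonc(tasks_file.read_text(encoding="utf-8", errors="replace"))
        except (json.JSONDecodeError, OSError):
            continue  # a task file that will not parse deserves a manual look
        for task in data.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
                continue
            hits.append({
                "file": str(tasks_file.relative_to(repo)),
                "label": task.get("label"),
                "command": task.get("command"),
                "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            })
    return hits

# Constructed sample: one ordinary build task plus one hidden auto-run task.
SAMPLE_TASKS_JSON = """{
  // constructed example, not taken from a real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "sh .vscode/setup.sh",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ]
}"""

def scan_sample_repo() -> list:
    # Write the constructed sample into a temporary "clone" and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / "assignment" / ".vscode"
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return find_autorun_tasks(Path(tmp))
```

Run `find_autorun_tasks(Path("path/to/clone"))` on a freshly cloned assignment before opening it in VS Code or Cursor; any hit with `hidden=True` is the pattern to refuse.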

The script installs a malicious VS Code extension posing as a Google service, which relaunches the malware whenever the editor reopens on macOS or Linux.

The chains then split, with Linux and macOS getting a Go remote access trojan from the open-source Overlord framework, while the Windows version runs as JavaScript inside the editor itself, leaving no file on disk.

Fake Prompts and Drained Wallets

Whatever the platform, the goal is the same: drain cryptocurrency and credentials. The malware scans for browser data and a long list of cryptocurrency wallets, including:

  • Browser-based wallet extensions such as MetaMask, Phantom and Keplr

  • Desktop wallet apps including Exodus, Electrum and Ledger Live

  • Saved passwords and cookies from Chrome, Brave, Edge and Firefox

To reach protected secrets, the macOS and Linux versions show a fake password dialog, then reuse the captured password to relaunch as root and dump the keychain or keyring. The Windows variant instead bypasses Chrome’s app-bound encryption. After uploading the haul, the loader deletes its files to cover its tracks.

Proofpoint said it saw clear echoes of Contagious Interview, the long-running North Korean operation that baits developers with fake recruiters, but is tracking UNK_DeadDrop separately. The team cited the campaign's email-led delivery, the industrial scale of repository creation and a self-contained payload that survives infrastructure takedowns as the key differentiators.

“While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster,” the company concluded.

North Korea-aligned crews have targeted developers this way since at least 2022, using fake recruiter personas and poisoned developer tools.
