Malicious GitHub Repositories as Entry Points
Researchers at Proofpoint have uncovered a campaign, tracked as UNK_DeadDrop, targeting nearly 100 organizations in the finance, cryptocurrency, education, and technology sectors. The threat actors send phishing emails containing links to GitHub repositories that masquerade as technical coding assignments or cryptocurrency-related projects. Targets are instructed to clone the repository and open it in Microsoft Visual Studio Code or the Cursor editor. Once the folder is opened, the VS Code project automatically executes malicious code using the "runOn: folderOpen" technique, which requires no further user interaction. This method has been used by the North Korean threat cluster known as Contagious Interview since December 2025.
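The auto-execution described above relies on a VS Code task whose run options are set to start when the folder is opened. A defender can triage a freshly cloned repository for such tasks before trusting the folder in the editor. The script below is an added example and is not code from the article or from Proofpoint; it assumes the standard locations and keys that VS Code uses for tasks (a ".vscode/tasks.json" file with a "runOptions" object whose "runOn" value is "folderOpen"), and the sample tasks.json it carries is constructed for the demonstration, not taken from the campaign. The function names are the example's own.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample (not from the campaign): a tasks.json in VS Code's
# JSON-with-comments dialect, with one ordinary build task and one task
# configured to start automatically when the folder is opened.
SAMPLE_TASKS_JSON = r'''{
  // assumed sample file for the demonstration
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh ./scripts/setup.sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

_COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA_RE = re.compile(r',(\s*[}\]])')


def load_jsonc(text):
    """Parse VS Code's JSON-with-comments. The comment stripping is naive
    (it does not protect '//' inside string values), which is acceptable
    for a triage tool that only needs to find auto-run tasks."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        cleaned = _COMMENT_RE.sub('', text)
        cleaned = _TRAILING_COMMA_RE.sub(r'\1', cleaned)
        return json.loads(cleaned)


def auto_run_tasks(tasks_json_text):
    """Return the tasks VS Code would launch on its own when the folder opens."""
    doc = load_jsonc(tasks_json_text)
    hits = []
    for task in doc.get('tasks', []):
        run_on = (task.get('runOptions') or {}).get('runOn')
        if run_on == 'folderOpen':
            hits.append({'label': task.get('label', '<unnamed>'),
                         'type': task.get('type'),
                         'command': task.get('command')})
    return hits


def scan_repository(repo_root):
    """Walk a cloned repository and report every .vscode/tasks.json that
    contains folderOpen tasks. Nested .vscode folders are checked too,
    because a workspace may contain sub-projects with their own tasks."""
    findings = []
    for path in Path(repo_root).rglob('tasks.json'):
        if path.parent.name != '.vscode':
            continue
        try:
            hits = auto_run_tasks(path.read_text(encoding='utf-8'))
        except (json.JSONDecodeError, OSError) as exc:
            # Unparseable or unreadable files are reported, not silently skipped.
            findings.append({'file': str(path), 'error': str(exc)})
            continue
        for hit in hits:
            findings.append({'file': str(path), **hit})
    return findings


def demo_scan():
    """Write the constructed sample into a temporary repo and scan it."""
    root = Path(tempfile.mkdtemp())
    vscode = root / '.vscode'
    vscode.mkdir()
    (vscode / 'tasks.json').write_text(SAMPLE_TASKS_JSON, encoding='utf-8')
    return scan_repository(root)


if __name__ == '__main__':
    import sys
    findings = scan_repository(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for finding in findings:
        print(finding)
```

Run it with the path of a cloned repository as the first argument, or with no argument to see it flag the "setup" task in the constructed sample. The scan is a pre-trust check: VS Code's Workspace Trust keeps automatic tasks from running in a folder that has not yet been trusted, so reviewing the report before granting trust is the point at which it helps.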
Cross Platform Malware Deployment
The infection chains deliver operating-system-specific malware loaders for macOS, Linux, and Windows. On macOS and Linux, a shell script installs a malicious VS Code extension that masquerades as a legitimate Google service. This extension communicates with an external server to enable remote command execution, system reconnaissance, and theft of data from browser wallet extensions, credentials, and desktop wallet applications. The Linux and macOS pipelines deploy a customized version of the open-source Overlord framework. On Windows, the attack uses a VBScript payload that runs a CMD file, which then installs the extension and exfiltrates stolen data via HTTP POST requests to a command-and-control server. Unlike the macOS and Linux agents, the Windows pipeline does not maintain a persistent connection after uploading the stolen data.
Evolving Tactics and Additional Campaigns
Proofpoint distinguishes UNK_DeadDrop from previous Contagious Interview activity because of differences in initial access methods and the use of the Overlord framework instead of custom malware families such as BeaverTail or InvisibleFerret. The shift from active social engineering on platforms like LinkedIn to large email-based phishing campaigns suggests the threat actor is industrializing its operations. Separately, security firm Yeeth Security discovered three malicious VS Code extensions on the official marketplace that function as multi-stage backdoors, using the Microsoft Graph API and SharePoint for command and control. Other related campaigns include malicious npm packages delivering information stealers, worm-like attacks using VS Code task files, and the use of compromised Packagist packages targeting PHP developers. These activities indicate a sustained and evolving effort by North Korea-aligned groups to compromise software developers and gain access to sensitive systems.
Source: https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html
