North Korea-aligned hackers are once again targeting the developer community, this time by hiding malicious code inside seemingly legitimate GitHub repositories.
The campaign, tracked under the name UNK_DeadDrop, uses fake job offers and code review requests to lure developers into cloning infected repositories and unknowingly executing malware on their own machines.
The threat actor sent over 250 phishing emails to individuals across nearly 100 organizations between April and May 2026.
Finance, cryptocurrency, education, and technology companies were among the primary targets, with most of the affected organizations based in the United States.
The attackers used convincing fake company names and professional sender domains to make their outreach appear legitimate.
Analysts at Proofpoint said in a report shared with Cyber Security News (CSN) that the activity is likely carried out by a North Korea-aligned threat actor and is being tracked as a distinct cluster.
The researchers noted strong overlaps with a previously known group called Contagious Interview, though no direct infrastructure overlap was found in Proofpoint telemetry.
The malware deployed through this campaign is cross-platform, capable of running on macOS, Linux, and Windows. It leverages an open-source Go framework called Overlord to maintain persistent connections to a command-and-control server.
The infection chain enables remote access, credential theft, cryptocurrency wallet draining, and browser data exfiltration.
What makes this campaign especially dangerous is how naturally it blends into a developer’s everyday workflow.
A developer who receives what looks like a legitimate technical assignment email would likely clone a repository and open it in their code editor without a second thought, which is precisely where the attack begins.
How GitHub Repositories Are Being Used as Weapons
The attack begins with a phishing email pointing to a GitHub or GitLab repository that mimics a real coding project.
The emails look like job recruitment messages or code review requests from companies such as Pulsynk, Trixauvex, or Ondo Finance, all of which are either spoofed identities or completely fabricated entities.
When a developer clones the repository and opens it in Visual Studio Code or Cursor, a hidden file called tasks.json inside a concealed .vscode folder automatically runs malicious scripts.
On macOS and Linux, the script installs a malicious VS Code extension (VSIX) disguised as a Google service, then launches the Overlord backdoor. On Windows, the payload runs entirely within the editor’s own process, with no binary dropped to disk, making it harder to detect.
The use of VS Code’s task automation is a clever tactic since the behavior appears completely normal inside a developer environment. Cursor, in particular, executes the hidden task with zero user prompts, making the attack entirely silent on that platform.
Credential Theft Across All Platforms
Once the malware establishes a foothold, it shifts toward stealing everything of value. On macOS, a secondary embedded binary called darwin-password-prompt presents a fake system dialog asking the user for their device password.
After the password is collected and validated, the malware modifies browser keychain access and dumps credentials from Chrome, Brave, Edge, Opera, and several other browsers.
On Linux, the malware uses a native system dialog tool called Zenity to create a similar fake prompt and targets GNOME Keyring credentials using Python scripts.
On Windows, it takes a more technical path that includes bypassing App-Bound Encryption in Chromium browsers and extracting credentials using DPAPI. The Windows variant targets 35 cryptocurrency wallet extensions, 18 standalone wallet applications, and browser cookies.
All collected data, including wallet contents, Safe Storage keys, login credentials, and browser cookies, is packaged into a ZIP file and uploaded to the attacker-controlled server at 23.137.105[.]75:5173.
Developers handling high-value cryptocurrency accounts or working within the DeFi and blockchain space face the highest risk.
Security teams are advised to review any developer-facing repositories for hidden .vscode folders and unexpected tasks.json files before opening them in any IDE.
Organizations should also restrict VS Code’s automatic task execution settings and monitor outbound connections for unusual traffic to unknown WebSocket endpoints.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP Address | 23.137.105[.]75 | C&C server IP (port 5173) |
| IP Address | 170.205.29[.]83 | Sender IP (April 2026) |
| IP Address | 170.205.30[.]227 | Sender IP (April 2026) |
| Domain | ondofinance[.]tech | Sender domain (April 2026) |
| Domain | empowerpharmacy[.]space | Sender domain (April 2026) |
| Domain | nxlog[.]tech | Sender domain (April 2026) |
| Domain | pulsynk[.]org | Sender domain (May 2026) |
| Domain | trixauvex[.]org | Sender domain (May 2026) |
| Domain | trixauvexnet[.]ink | Sender domain (May 2026) |
| Domain | contacttrixauvex[.]ink | Sender domain (May 2026) |
| Domain | mailtrixauvex[.]ink | Sender domain (May 2026) |
| Domain | mailpulsynk[.]xyz | Sender domain (May 2026) |
| Domain | onoplanoai[.]ink | Sender domain (May 2026) |
| Domain | predicttocareer[.]space | Sender domain (May 2026) |
| Domain | recruitvex[.]us | Sender domain (May 2026) |
| Domain | mailpredicttogether[.]ink | Sender domain (May 2026) |
| Domain | nowurisch[.]fit | Sender domain (May 2026) |
| Domain | hyperdevpipline[.]org | Sender domain (May 2026) |
| Domain | valorecuiting[.]online | Sender domain (April 2026) |
| Domain | migadyn[.]info | Sender domain (April 2026) |
| Domain | nemesistrade[.]work | Related infrastructure (May 2026) |
| Domain | ceronet[.]work | Related infrastructure (May 2026) |
| Domain | deep-ai-guard[.]store | Related infrastructure (May 2026) |
| Domain | ceronetwork[.]org | Related infrastructure (May 2026) |
| Domain | culyrax[.]us | Related infrastructure (May 2026) |
| Domain | nemesis[.]work | Related infrastructure (May 2026) |
| URL | hxxps://github[.]com/Pulsynk/pulsynk | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/Trixauvex-org/trixauvex | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/PedrinPY/rekt-db | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/wayout4u/rekt-db | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/Stomp47/rekt-db | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/sr-werney/forge-4626-invariants | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/ziobiri/forge-4626-invariants | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/mireles343/forge-4626-invariants | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/skyjum/x402-kit | Attacker-controlled GitHub repository |
| URL | hxxps://github[.]com/rkama411/x402-kit | Attacker-controlled GitHub repository |
| URL | hxxps://gitlab[.]com/pulsynk-org/rekt-db.git | Attacker-controlled GitLab repository |
| URL | hxxps://gitlab[.]com/trixauvex-org/x402-kit.git | Attacker-controlled GitLab repository |
| URL | hxxps://gitlab[.]com/predict-together/forge-4626-invariants.git | Attacker-controlled GitLab repository |
| SHA256 | 35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e | settings.json |
| SHA256 | c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b | tasks.json |
| SHA256 | 4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78 | run-update-hidden-launch.vbs |
| SHA256 | 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb | run-update.cmd |
| SHA256 | d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10 | gus-node-bootstrap.js |
| SHA256 | 91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa | windows-agent-node.js.enc |
| SHA256 | 6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0 | windows-js-pipeline.js.enc |
| SHA256 | 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f | detect_malware.py.enc |
| SHA256 | 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 | google-update-support.vsix |
| SHA256 | d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e | extension.js |
| SHA256 | 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f | run-update.sh |
| SHA256 | e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667 | google-update-support-agent.zip |
| SHA256 | a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 | google-update-support-linux-amd64 |
| SHA256 | bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81 | google-update-support-darwin-amd64 |
| SHA256 | 339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943 | google-update-support-darwin-arm64 |
| SHA256 | 808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619 | darwin-password-prompt |
| gusb@ondofinance[.]tech | Attacker-controlled email (April 2026) | |
| dalbir@empowerpharmacy[.]space | Attacker-controlled email (April 2026) | |
| alex@contacttrixauvex[.]ink | Attacker-controlled email (May 2026) | |
| alex@pulsynk[.]org | Attacker-controlled email (May 2026) | |
| alex@trixauvexnet[.]ink | Attacker-controlled email (May 2026) | |
| alexsnow@hr.onoplanoai[.]ink | Attacker-controlled email (May 2026) | |
| alexstone@hr.trixauvex[.]org | Attacker-controlled email (May 2026) | |
| carissae@hr.mailpulsynk[.]xyz | Attacker-controlled email (May 2026) | |
| emmaparker@hr.recruitvex[.]us | Attacker-controlled email (May 2026) | |
| faithtedesco@hr.mailtrixauvex[.]ink | Attacker-controlled email (May 2026) | |
| frankbloch@hr.trixauvex[.]org | Attacker-controlled email (May 2026) | |
| sophiareed@hr.contacttrixauvex[.]ink | Attacker-controlled email (May 2026) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
