SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
North Korea-linked hackers target developers via GitHub

Wed, 10th Jun 2026

Proofpoint has identified a threat cluster it calls UNK_DeadDrop that targets software developers through phishing campaigns tied to GitHub repositories and Visual Studio Code tools. The activity is likely aligned with North Korea.

The campaign reached individuals at nearly 100 organisations over six weeks, spanning technology, cryptocurrency, finance, education and other sectors. Most of the organisations were in the United States, though the targeting was global.

The operation relied on emails posing as recruiter outreach or code review requests. The messages directed recipients to attacker-controlled GitHub repositories that appeared to host legitimate coding projects or cryptocurrency-related work.

According to the findings, once a target cloned a repository and opened it in an editor such as VS Code or Cursor, a pre-configured task ran and triggered malware for macOS, Linux and Windows. The process then installed a malicious Visual Studio Code extension, or VSIX file, disguised as a Google service.
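A defender-side check for the trigger described above, written as an added example (not code from Proofpoint or the article): it scans a cloned repository for VS Code/Cursor workspace tasks that start automatically when the folder is opened. It assumes the "pre-configured task" uses the standard mechanism, `.vscode/tasks.json` with `runOptions.runOn` set to `"folderOpen"`; the sample tasks.json is constructed.

```python
# Added example, not from the Proofpoint report: flag VS Code/Cursor workspace
# tasks that run automatically when a cloned folder is opened. Assumption: the
# "pre-configured task" lives in .vscode/tasks.json with runOptions.runOn set
# to "folderOpen", the documented VS Code mechanism for auto-start tasks.
import json
import os
import re

# tasks.json is JSON with comments (JSONC); strip // and /* */ before parsing.
# Naive: a "//" inside a string value (e.g. a URL) would also be stripped.
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)

def autorun_tasks(tasks_json: str) -> list[dict]:
    """Return tasks VS Code would start on folder open, with the command line."""
    doc = json.loads(_COMMENT_RE.sub("", tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        hits.append({"label": task.get("label"), "command": " ".join(parts).strip()})
    return hits

def scan_repo(repo_root: str) -> list[dict]:
    """Walk a cloned repository and report every auto-run task with its file path."""
    findings = []
    for dirpath, _dirs, files in os.walk(repo_root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in files:
            continue
        path = os.path.join(dirpath, "tasks.json")
        try:
            with open(path, encoding="utf-8") as fh:
                hits = autorun_tasks(fh.read())
        except (OSError, ValueError):
            continue  # unreadable or malformed: VS Code would not run it either
        findings.extend(dict(hit, file=path) for hit in hits)
    return findings

# Constructed sample: a repo whose tasks.json silently runs a script on open.
SAMPLE_TASKS_JSON = """{
  // looks like an ordinary dependency helper
  "version": "2.0.0",
  "tasks": [
    {"label": "deps", "type": "shell", "command": "node", "args": ["scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}"""

if __name__ == "__main__":
    print(autorun_tasks(SAMPLE_TASKS_JSON))  # -> [{'label': 'deps', 'command': 'node scripts/setup.js'}]
```

Run `scan_repo(path)` on a freshly cloned repository before opening it in an editor; VS Code's Workspace Trust prompt is the built-in control, and this check is for triage before that prompt is ever accepted.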

The malware was designed to contact a command-and-control server, execute remote commands, gather system information and steal browser wallet extensions, decrypted credentials and desktop wallets. The final stage removed malicious files and directories from the cloned repository while leaving the VSIX extension in place for persistence.

Developer lures

The campaign used themes closely tied to software hiring and developer workflows. Emails offered purported roles including Full-Stack Engineer and Agent Lead Developer, while others framed the interaction as a request to review code or collaborate on a project.

Spoofed brands included companies in finance, healthcare, software and online services. Among the names cited were Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon and Nourish.

The findings point to a shift in how suspected North Korean operators approach developers, who have long been attractive targets because of their access to codebases, credentials, API tokens and cryptocurrency assets. Activity linked to North Korea has, since at least 2022, used fake recruiter personas, malicious software packages and trojanised crypto trading applications to target developers and digital asset firms.

This latest cluster appears to push further into trusted developer environments. Rather than relying only on technical tests or downloads from package repositories, the attackers appear to be embedding malicious activity in coding projects and extensions that developers may see as part of normal work.

Separate cluster

Proofpoint said the activity shares traits with a known North Korean operation called Contagious Interview, which has also used fake job approaches against developers. However, it has not observed direct overlap in its own telemetry and is therefore tracking UNK_DeadDrop as a separate cluster.

The infection chain also included an open-source Go framework called Overlord, which researchers said was used in the cross-platform malware process. They added that the attackers embedded payloads rather than hosting them externally, a step that may help them avoid disruption if outside infrastructure is removed.

The scale of the email activity also stood out. Over the observed period, the attackers sent more than 250 emails to individuals at almost 100 organisations, with a particular focus on the cryptocurrency industry.

That focus reflects a broader pattern in cybercrime and state-linked hacking, where digital asset businesses and their employees remain high-value targets because of their direct access to funds and sensitive credentials. Developers can also provide an entry point into corporate systems and software supply chains.

Proofpoint said the use of malicious VSIX extensions was notable because it enabled execution and persistence with little user interaction. By leaning on familiar development tools, the attackers reduced the chance that targets would immediately see the behaviour as suspicious.

"UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving," Proofpoint said.

"The consistent creation of new GitHub repositories as well as a new malware framework with iterative builds and a stealthy new execution and persistence technique through VSIX extensions demonstrates dedicated resourcing and active development of tooling," it added.

"While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster," the company said.