VYPR research · Published Jun 8, 2026 · 1 source

North Korean Hackers Target Developers with Fake Coding Tasks for Crypto Theft

A likely North Korean threat actor is using deceptive coding assignments distributed via GitHub and GitLab to trick software developers into downloading malware designed to steal cryptocurrency and credentials.

A sophisticated campaign, tracked by cybersecurity firm Proofpoint as UNK_DeadDrop, has targeted nearly 100 organizations by sending over 250 phishing emails in April and May 2026. The primary targets are software developers in the technology, education, and finance sectors, with a particular focus on cryptocurrency firms. The attackers' ultimate goal is to illicitly acquire cryptocurrency and sensitive user credentials.

The campaign employs a multi-stage approach, beginning with emails that direct recipients to either GitHub or GitLab repositories. These repositories are presented as legitimate coding assignments, job tasks, or code-review requests. Developers are instructed to clone the repository and open it in their integrated development environment (IDE), such as VS Code or Cursor. The pretexts vary, including roles like full-stack developer or "agent lead," requests to peer-review open-source code, and tasks related to testing smart contracts or building AI payment agents.

Once the repository is cloned and opened in the IDE, a hidden tasks.json file is triggered. This file exploits a feature within the IDE to execute malicious code. While VS Code displays a trust prompt to the user, the Cursor IDE reportedly executes the payload silently without any user interaction. This initial execution is designed to install a malicious VS Code extension that masquerades as a legitimate Google service. This extension is capable of relaunching the malware whenever the IDE is reopened on macOS or Linux systems.
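The practical defensive check for the tasks.json technique described above is to audit a freshly cloned repository before opening it in an IDE. The script below is an added example written for this article; it is not Proofpoint's tooling or code from the campaign. It assumes the documented VS Code task setting `runOptions.runOn: "folderOpen"` (which Cursor, as a VS Code fork, also honours) is what makes a task fire on folder open, looks for task definitions under `.vscode/tasks.json`, and uses a constructed sample file rather than anything recovered from the campaign.

```python
"""Audit a cloned repository for VS Code / Cursor tasks that run automatically
when the folder is opened. Added example, not part of the original article."""
import json
import re
from pathlib import Path

# Command fragments that are unusual in a legitimate build task and warrant review.
# Heuristic list chosen for this example; extend it for your environment.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|base64|powershell|node\s+-e|python3?\s+-c|eval|sh\s+-c|bash\s+-c)\b",
    re.IGNORECASE,
)


def strip_jsonc(text):
    """Convert JSON-with-comments (the tasks.json dialect) to strict JSON.

    Removes // and /* */ comments and trailing commas, but only outside of
    string literals so that URLs and shell snippets inside values survive.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c == ",":
            j = i + 1
            while j < n and text[j].isspace():
                j += 1
            if j < n and text[j] in "}]":    # trailing comma: drop it
                i += 1
                continue
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_auto_run_tasks(tasks_json_text):
    """Return a list of findings for tasks configured to run on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(p for p in parts if p)
        reveal = (task.get("presentation") or {}).get("reveal")
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": command,
            "suspicious": bool(SUSPICIOUS.search(command)),
            "hidden_terminal": reveal == "never",   # task output deliberately kept out of view
        })
    return findings


def audit_repo(root):
    """Walk a checkout and collect auto-run task findings from every .vscode/tasks.json."""
    root = Path(root)
    findings = []
    for path in root.rglob("tasks.json"):
        if ".vscode" not in path.parts:
            continue
        for f in find_auto_run_tasks(path.read_text(encoding="utf-8")):
            f["file"] = str(path.relative_to(root))
            findings.append(f)
    return findings


# Constructed sample tasks.json for demonstration; not taken from the campaign.
SAMPLE_TASKS_JSON = r'''{
  // version comment
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "prepare",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./setup.js')"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" } /* keeps the terminal hidden */
    }
  ]
}'''

if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```

Run `audit_repo("/path/to/clone")` on an untrusted checkout before opening it; any task with `runOn: "folderOpen"` deserves a manual look, and one that also hides its terminal or invokes an interpreter inline is a strong signal to stop. The same check should also cover `.code-workspace` files and the per-platform `windows`/`linux`/`osx` overrides a task may carry, which this example leaves out for brevity.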

The malware's functionality diverges slightly based on the operating system. On macOS and Linux, it deploys a Go-based remote access trojan (RAT) derived from the open-source Overlord framework. For Windows systems, the malware operates as JavaScript directly within the IDE, leaving no discernible files on the disk, which aids in its stealth. Regardless of the platform, the core objective remains the same: to exfiltrate cryptocurrency and credentials.

The malware is designed to scan for and steal data from browser profiles and a wide array of cryptocurrency wallets. This includes popular browser-based wallet extensions like MetaMask, Phantom, and Keplr, as well as desktop wallet applications such as Exodus, Electrum, and Ledger Live. It also targets saved passwords and cookies from major web browsers including Chrome, Brave, Edge, and Firefox.

To bypass security measures and access protected secrets, the macOS and Linux variants of the malware present a fake password dialog to the user. Upon capturing the entered password, it relaunches with root privileges to dump the system's keychain or keyring. The Windows variant employs a different tactic, bypassing Chrome's built-in app-bound encryption to access stored credentials. After successfully uploading the stolen data, the malware attempts to erase its traces by deleting any files it created.

Proofpoint notes that while this campaign exhibits similarities to the long-running North Korean operation known as Contagious Interview, which also targets developers with fake recruiters, UNK_DeadDrop is being tracked as a separate cluster. Key differentiators cited by Proofpoint include the email-centric delivery, the large-scale creation of repositories, and a self-contained payload architecture that is resilient to infrastructure takedowns. This indicates a persistent and evolving threat from North Korean-aligned actors targeting the software development community.

Synthesized by Vypr AI