[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAu2RiVVEORMdujcJHIa1ZJBVViuP9X2tIfZh96NfoWg":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"40ac99f8-2f07-4655-a622-709daf4044bc","North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels","north-korean-hackers-are-turning-developer-tools-into-malware-delivery-channels-b278cc","Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes","North Korean threat actors are using phishing campaigns that mimic developer recruitment and code review themes to distribute cross-platform malware. The campaigns, codenamed UNK_DeadDrop, leverage malicious scripts within GitHub repositories and a \"runOn: folderOpen\" technique in VS Code projects to execute malware on macOS, Linux, and Windows systems, aiming to steal credentials and data from cryptocurrency wallets.","North Korean hackers exploit developer tools like VS Code to deliver malware.","North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels | Ravie Lakshmanan | Jun 15, 2026 | Malware \u002F Supply Chain Attack. Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). 
According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. The activity has been codenamed UNK_DeadDrop. \"The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord,\" Proofpoint researchers Saher Naumaan and Carlos Rubio said. A crucial aspect connecting the campaign to Pyongyang is the use of Microsoft Visual Studio Code (VS Code) projects that employ the \"runOn: folderOpen\" technique, a tasks.json setting that triggers the execution of malicious code every time the project folder is opened in the editor, without requiring any further user interaction (the only gate is VS Code's Workspace Trust prompt; in a trusted folder the task runs on open). This approach has been adopted by the Contagious Interview actors since December 2025. The activity documented by the enterprise security company involved more than 250 emails sent during a six-week period to individuals in almost 100 organizations. Over 75% of the targeted entities are located in the U.S., followed by the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands. The emails contain links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects, instructing recipients to clone the repository and open it in VS Code or Cursor, which results in the execution of operating system-specific malware loaders for Linux, macOS, and Windows. Subsequent lures observed in May 2026 pivoted to asking targets to review the sender's open-source projects. 
The loader - a shell script for macOS and Linux and a VBScript for Windows - installs a malicious VS Code extension (VSIX) that masquerades as a legitimate Google service and communicates with an external server to facilitate remote command execution, system reconnaissance, and data exfiltration from browser wallet extensions, credentials, and desktop wallet apps. The Linux and macOS infection chains lead to a custom version of the open-source Overlord framework extended with data-theft capabilities; it also prompts users to enter their system password via a fake security pop-up. The Windows attack chain, on the other hand, relies on the VBScript payload to run a CMD file, which then installs the extension. The end goal remains the same: to steal credentials and data from wallet browser extensions and applications, and exfiltrate the results to the server (\"23.137.105[.]75:5173\") via an HTTP POST request. \"Unlike the Linux\u002FmacOS agent, the Windows pipeline does not maintain a persistent connection; it uploads the ZIP files, performs cleanup, and terminates,\" Proofpoint said. Further analysis has uncovered that the threat actor previously distributed a Windows Go binary of Overlord, but has since shifted to the new method, likely in an attempt to avoid detection. Proofpoint said it's tracking UNK_DeadDrop as distinct from Contagious Interview due to differences in initial access methods (LinkedIn vs. email) and the use of the Overlord framework, which differs from the custom malware families the North Korean hacking group has traditionally deployed, including BeaverTail, InvisibleFerret, and OtterCookie. \"UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,\" the company said. 
\"The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.\" The disclosure comes as Yeeth Security said it discovered three malicious VS Code extensions named \"ByteBinTools.jupyter-powerdev-2026.6.8.vsix,\" \"ToolCraft.jupyter-powertools-3.21.0.vsix,\" and \"OLDev.markdown-mode-devtools-2.1.0.vsix\" on the official marketplace that are dressed up as seemingly harmless Jupyter Notebook productivity tools, but are, in fact, a \"sophisticated, multi-stage backdoor\" engineered to bypass endpoint defenses. The malware comprises the following components - a SharePoint site functioning as a command queue, victim registry, and exfiltration channel; a JavaScript layer that handles all command-and-control (C2) communication via the Microsoft Graph API and SharePoint; and components enabling arbitrary file read, write, and exfiltration, as well as code execution using a Windows executable and a Python script for Linux and macOS. Besides running commands or scripts, the C2 channel can issue a third command type called \"host_action,\" which facilitates file system operations like pwd, ls, cd, and cat, along with file uploads and downloads. Although there is no direct overlap with any publicly documented North Korean campaign, Yeeth Security said the split of the developer tooling between JavaScript and Python echoes Contagious Interview, and that the malicious artifacts' Microsoft Graph API authentication mechanism shares some similarities with the Lazarus Group's Dream Job attacks detailed by S2 Grupo LAB52 in October 2025. 
The findings dovetail with the discovery of multiple campaigns linked to the North Korean threat actors in recent months:
- A follow-up to the Axios supply chain attack using three malicious npm packages (redeem-onchain-sdk@1.0.7, nicegui@0.1.4, and period-newline@0.1.0) that deliver an information stealer that exfiltrates harvested data to a different C2 infrastructure. The packages are listed as dependencies of GitHub projects disguised as cryptocurrency trading bots. \"Less than 18 hours after the Axios malicious packages were removed from NPM, the first secondary payload was already live on the registry,\" OpenSourceMalware said. \"This suggests the threat actor had prepared backup infrastructure and was ready to immediately deploy alternative delivery mechanisms.\"
- An attack campaign codenamed TaskJacker that drops malicious VS Code task files into unsuspecting GitHub users' existing repositories, spreading in a worm-like fashion. \"By weaponizing VS Code's tasks.json auto-execution feature, attackers have created a scenario where simply opening a cloned repository in your IDE can compromise your system,\" the OpenSourceMalware team said. \"No user interaction required beyond a git clone and opening the folder.\"
- Contagious Interview's use of Git hooks (\".githooks\u002Fpre-commit\") to fire malicious code after a target clones a \"coding assessment\" repository, marking a shift from hiding the malicious code in .vscode\u002Ftasks.json or package.json files. (Git only runs hooks from .git\u002Fhooks or from the directory named by core.hooksPath, so a committed .githooks directory needs that setting applied on the victim's machine, for example by a setup script, before the hook fires on the next commit.)
- Contagious Interview's use of a compromised Packagist package (\"roberts\u002Fleads\") to target PHP developers with a JavaScript malware loader that reaches out to blockchain and public RPC infrastructure to fetch, decrypt, and execute a next-stage JavaScript payload. 
The adversary has also leveraged its access to compromised developer systems to tamper with commits and inject multi-stage obfuscated JavaScript code into the source files in the victims' repositories. The final payload is a variant of the DEV#POPPER RAT. \"Void Dokkaebi's operations do not end with a single infected developer,\" Trend Micro said. \"The compromised machine becomes a launchpad, with the threat actor weaponizing the victim's own repositories and turning their code contributions into infection vectors for downstr","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnorth-korean-hackers-are-turning.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiaqLMLYAQa1ICXVdOhmxnFqqoh_YonevmQPjEtYbmqLsdFC7JJnGc_F7K1no96DjZhTicVxI7sJUO04JM3e64Ko2eh1X6NlEqpKO2Nc1MKCzDPdqlmPZzTphhJlL7ibJ1CLRsIaVBZZvWtm7mv_jXLT53iwjlRVjBnyKCypFigPA0mZzFew-02Xp_aKu9o\u002Fs1600\u002Fnorthkorea.jpg","2026-06-15T19:32:52+00:00","2026-06-15T20:00:03.163893+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"Contagious Interview","threat_actor",{"name":22,"type":20},"Famous Chollima",{"name":24,"type":20},"HexagonalRodent",{"name":26,"type":20},"Void Dokkaebi",{"name":28,"type":29},"Proofpoint","vendor",{"name":31,"type":32},"Microsoft Visual Studio Code","product","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":33,"icon":35,"name":36,"slug":37},null,"Nation-state","nation-state",[39,44,46,51],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":33,"icon":35,"name":36,"slug":37},{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":52},{"id":53,"icon":35,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,61,64,67,69],{"type":58,"value":59,"context":60},"ip","23.137.105.75","Command and control server IP address",{"type":50,"value":62,"context":63},"Overlord","Open-source Go framework used as malware",{"type":50,"value":65,"context":66},"BeaverTail","Previously used malware family by Contagious Interview",{"type":50,"value":68,"context":66},"InvisibleFerret",{"type":50,"value":70,"context":66},"OtterCookie"]
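Added example (not code from the article, Proofpoint or OpenSourceMalware): a Python triage script for the auto-execution hooks the article describes, meant to be run on a clone before the folder is opened in VS Code or Cursor. It parses .vscode/tasks.json (which may contain comments and trailing commas) for tasks with runOptions.runOn set to folderOpen, flags npm lifecycle scripts in package.json, lists committed Git hook scripts in directories such as .githooks, and reports a core.hooksPath entry in .git/config. The sample repository it builds is constructed for the demonstration; setup.sh, setup.vbs and setup.js are placeholder names, not artifacts from any campaign.

```python
"""Triage a freshly cloned repository for auto-execution hooks before opening it in an editor.

Added example, not code from the article or the vendors it cites. The repository built by
build_sample_repo() is constructed; setup.sh / setup.vbs / setup.js are placeholder names."""
import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# directories a repository can commit hook scripts into (active only once core.hooksPath points there)
HOOK_DIRS = (".githooks", ".husky", "hooks")
GIT_HOOK_NAMES = {"pre-commit", "post-checkout", "post-merge", "pre-push",
                  "post-commit", "prepare-commit-msg"}


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas so tasks.json (JSON with comments) parses.
    String literals are copied verbatim, so a '//' inside a command string is not a comment.
    The trailing-comma pass is a regex heuristic and does not skip over string contents."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1   # skip escaped characters inside the string
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return every task the editor starts when the folder is opened (runOptions.runOn == folderOpen),
    including per-OS command overrides, which is where an OS-specific loader would be placed."""
    data = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        hits.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": task.get("command"),
            "args": task.get("args", []),
            "os_overrides": {k: task[k].get("command") for k in ("windows", "linux", "osx")
                             if isinstance(task.get(k), dict)},
        })
    return hits


def scan_repo(root: Path) -> list[str]:
    """Return one finding per file that would run code on folder open, on install or on commit."""
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        for t in auto_run_tasks(tasks.read_text(encoding="utf-8")):
            findings.append(f"vscode-folderOpen-task: {t['label']!r} runs {t['command']!r} "
                            f"{t['args']} os_overrides={t['os_overrides']}")
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        for name in sorted(LIFECYCLE_SCRIPTS & set(scripts)):
            findings.append(f"npm-lifecycle-script: {name} -> {scripts[name]!r}")
    for d in HOOK_DIRS:
        hook_dir = root / d
        if hook_dir.is_dir():
            for f in sorted(hook_dir.iterdir()):
                if f.name in GIT_HOOK_NAMES:
                    findings.append(f"committed-git-hook: {d}/{f.name}")
    cfg = root / ".git" / "config"
    if cfg.is_file():   # a setup step that ran `git config core.hooksPath ...` leaves this behind
        m = re.search(r"^\s*hooksPath\s*=\s*(.+)$", cfg.read_text(encoding="utf-8"), re.M | re.I)
        if m:
            findings.append(f"git-core-hooksPath: {m.group(1).strip()!r}")
    return findings


def build_sample_repo(base: Path) -> Path:
    """Constructed 'coding assessment' clone carrying all four patterns (not a real artifact)."""
    repo = base / "assessment"
    (repo / ".vscode").mkdir(parents=True)
    (repo / ".vscode" / "tasks.json").write_text(
        '{\n  // looks like a harmless dev bootstrap task\n  "version": "2.0.0",\n'
        '  "tasks": [{\n    "label": "setup", "type": "shell",\n'
        '    "command": "sh", "args": ["./setup.sh"],\n'
        '    "windows": {"command": "cscript", "args": ["//nologo", "setup.vbs"]},\n'
        '    "runOptions": {"runOn": "folderOpen"},\n  }],\n}\n', encoding="utf-8")
    (repo / "package.json").write_text(json.dumps(
        {"name": "assessment", "scripts": {"postinstall": "node setup.js", "test": "jest"}}),
        encoding="utf-8")
    (repo / ".githooks").mkdir()
    (repo / ".githooks" / "pre-commit").write_text("#!/bin/sh\nnode setup.js\n", encoding="utf-8")
    (repo / ".git").mkdir()
    (repo / ".git" / "config").write_text("[core]\n\thooksPath = .githooks\n", encoding="utf-8")
    return repo


def demo() -> list[str]:
    """Build the constructed clone in a temp dir and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Any finding is a reason to read the referenced script before opening the folder. On the editor side, Workspace Trust (security.workspace.trust.enabled) keeps folderOpen tasks from running while a folder is in Restricted Mode, and task.allowAutomaticTasks can disable automatic tasks outright; neither setting covers package.json lifecycle scripts or Git hooks, which is why the scan checks those as well.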