North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers

Source: cybersecuritynews.com (Cybersecurity News)


North Korea-aligned hackers are once again targeting the developer community, this time by hiding malicious code inside seemingly legitimate GitHub repositories.

The campaign, tracked under the name UNK_DeadDrop, uses fake job offers and code review requests to lure developers into cloning infected repositories and unknowingly executing malware on their own machines.

The threat actor sent over 250 phishing emails to individuals across nearly 100 organizations between April and May 2026.

Finance, cryptocurrency, education, and technology companies were among the primary targets, with most of the affected organizations based in the United States.

The attackers used convincing fake company names and professional sender domains to make their outreach appear legitimate.

Analysts at Proofpoint said in a report shared with Cyber Security News (CSN) that the activity is likely carried out by a North Korea-aligned threat actor and is being tracked as a distinct cluster.

The researchers noted strong overlaps with a previously known group called Contagious Interview, though no direct infrastructure overlap was found in Proofpoint telemetry.

UNK_DeadDrop distribution of targeting across sector and geography (Source – Proofpoint)

The malware deployed through this campaign is cross-platform, capable of running on macOS, Linux, and Windows. It leverages an open-source Go framework called Overlord to maintain persistent connections to a command-and-control server.

The infection chain enables remote access, credential theft, cryptocurrency wallet draining, and browser data exfiltration.

What makes this campaign especially dangerous is how naturally it blends into a developer’s everyday workflow.

A developer who receives what looks like a legitimate technical assignment email would likely clone a repository and open it in their code editor without a second thought, which is precisely where the attack begins.

How GitHub Repositories Are Being Used as Weapons

The attack begins with a phishing email pointing to a GitHub or GitLab repository that mimics a real coding project.

The emails look like job recruitment messages or code review requests from companies such as Pulsynk, Trixauvex, or Ondo Finance, all of which are either spoofed identities or completely fabricated entities.

When a developer clones the repository and opens it in Visual Studio Code or Cursor, the editor reads a tasks.json file inside the repository's .vscode folder (a dotfile directory, so it is hidden by default in Finder and in a plain ls on macOS and Linux). VS Code tasks can declare "runOptions": {"runOn": "folderOpen"}, which tells the editor to start the task as soon as the folder is opened, and the attackers use that option to launch their scripts without any further click from the victim.

Sample attacker-controlled GitHub repository (Source – Proofpoint)

On macOS and Linux, the script installs a malicious VS Code extension (VSIX) disguised as a Google service (the file is named google-update-support in the IoC table below), then launches the Overlord backdoor. On Windows, the chain runs through script files (the .cmd launcher, the VBS helper, and the Node.js bootstrap listed among the IoCs), and the payload executes entirely within the editor's own process; no native executable is written to disk, which undercuts file-based detection.

Abusing VS Code's task automation is effective because the behavior is indistinguishable from a legitimate project bootstrapping itself. In VS Code, automatic tasks are allowed by default and the only gate is Workspace Trust: a developer who clicks through the "trust the authors" prompt on a freshly cloned folder lets the task run. Cursor, according to Proofpoint, executes the hidden task with zero user prompts, making the attack entirely silent on that platform.

Credential Theft Across All Platforms

Once the malware establishes a foothold, it shifts toward stealing everything of value. On macOS, a secondary embedded binary called darwin-password-prompt presents a fake system dialog asking the user for their device password.

After the password is collected and validated, the malware uses it to alter the keychain access controls protecting the browsers' Safe Storage keys, then decrypts and dumps saved credentials from Chrome, Brave, Edge, Opera, and several other browsers.

darwin-password-prompt app showing the fake prompt (Source – Proofpoint)

On Linux, the malware uses a native system dialog tool called Zenity to create a similar fake prompt and targets GNOME Keyring credentials using Python scripts.

On Windows, it takes a more technical path: it bypasses App-Bound Encryption (ABE) in Chromium-based browsers and decrypts stored secrets with DPAPI. The Windows variant targets 35 cryptocurrency wallet browser extensions, 18 standalone wallet applications, and browser cookies.

All collected data, including wallet contents, Safe Storage keys, login credentials, and browser cookies, is packaged into a ZIP file and uploaded to the attacker-controlled server at 23.137.105[.]75:5173.

Fake dialog to collect user credentials on Linux (Source – Proofpoint)

Developers handling high-value cryptocurrency accounts or working within the DeFi and blockchain space face the highest risk.

Security teams are advised to inspect any developer-facing repository for a .vscode folder and an unexpected tasks.json (in particular, tasks whose runOptions.runOn is set to folderOpen) before it is opened in any IDE; cloning with git and reading the files in a terminal or plain text editor does not trigger the task, opening the folder in VS Code or Cursor does.

Organizations should also turn off VS Code's automatic task execution (set task.allowAutomaticTasks to "off" in user settings and keep Workspace Trust enabled) and monitor outbound connections for WebSocket traffic to unknown endpoints; the command-and-control server observed in this campaign listened on port 5173.
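To make the tasks.json mechanism described above concrete, and to give the repository check recommended here something runnable, the following Python script is an added example written for this article; it is not Proofpoint's tooling and it does not reproduce the attackers' tasks.json. It parses the .vscode/tasks.json in a cloned checkout (VS Code's JSON-with-comments dialect, which json.loads alone rejects), reports every task whose runOptions.runOn is "folderOpen" together with its default and per-OS (windows/osx/linux) commands and whether the task hides its terminal output, and audits a user-level settings.json for the two settings that keep such tasks from running silently (task.allowAutomaticTasks and security.workspace.trust.enabled). The embedded SAMPLE_TASKS_JSON is constructed for the demo: only the script names run-update.sh and run-update.cmd are taken from the IoC table, the task label is invented, and the example.invalid URL is a placeholder.

```python
import json
import os
import re
import tempfile
# Constructed sample (not the attackers' file); only the script names come from the IoC table.
SAMPLE_TASKS_JSON = r"""{
  // looks like housekeeping, but VS Code/Cursor start it when the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare-workspace",
      "type": "shell",
      "detail": "see https://example.invalid/setup", /* hypothetical URL; the // must survive */
      "command": "sh .vscode/run-update.sh",
      "windows": { "command": "cmd /c .vscode\\run-update.cmd" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}"""


def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas; the comma regex is string-unaware."""
    out, in_str, i, n = [], False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1   # resume on the newline (kept) or at end of text
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            in_str = c == '"'
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _command_of(section):
    if not isinstance(section, dict) or "command" not in section:
        return None
    return " ".join([str(section["command"])] + [str(a) for a in section.get("args", [])])


def autorun_tasks(tasks_json_text):
    """Tasks that start on folder open, with their per-OS commands and concealment hints."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json_text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": _command_of(task)}
        for os_key in ("windows", "osx", "linux"):   # cross-platform lures override per OS
            commands[os_key] = _command_of(task.get(os_key))
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": {k: v for k, v in commands.items() if v},
            "hidden": reveal in ("never", "silent") or bool(task.get("hide")),
        })
    return findings


def scan_repo(root):
    """Walk a checkout (nested .vscode folders included) and collect folder-open tasks."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = os.path.join(dirpath, "tasks.json")
        with open(path, encoding="utf-8") as fh:
            try:
                hits.extend({"path": path, **t} for t in autorun_tasks(fh.read()))
            except ValueError as exc:   # an unparsable tasks.json still deserves a manual look
                hits.append({"path": path, "error": str(exc)})
    return hits


def check_user_settings(settings_json_text):
    """Audit a user-level settings.json: automatic tasks off, Workspace Trust still on."""
    s = json.loads(strip_jsonc(settings_json_text))
    return {
        "automatic_tasks_off": s.get("task.allowAutomaticTasks") == "off",
        "workspace_trust_enabled": s.get("security.workspace.trust.enabled", True) is True,
    }


def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)
```

Run scan_repo() against a fresh clone before the folder is opened in any editor; demo() shows the output shape on the constructed sample, where the "prepare-workspace" task is reported with both its shell and Windows commands and flagged as hidden because its terminal output is never revealed. Tasks can also be declared in the tasks section of a .code-workspace file, which this scanner does not read, and the settings.json and extensions.json that may sit beside tasks.json still deserve a manual look.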

Indicators of Compromise (IoCs)

Type Indicator Description
IP Address 23.137.105[.]75 C&C server IP (port 5173)
IP Address 170.205.29[.]83 Sender IP (April 2026)
IP Address 170.205.30[.]227 Sender IP (April 2026)
Domain ondofinance[.]tech Sender domain (April 2026)
Domain empowerpharmacy[.]space Sender domain (April 2026)
Domain nxlog[.]tech Sender domain (April 2026)
Domain pulsynk[.]org Sender domain (May 2026)
Domain trixauvex[.]org Sender domain (May 2026)
Domain trixauvexnet[.]ink Sender domain (May 2026)
Domain contacttrixauvex[.]ink Sender domain (May 2026)
Domain mailtrixauvex[.]ink Sender domain (May 2026)
Domain mailpulsynk[.]xyz Sender domain (May 2026)
Domain onoplanoai[.]ink Sender domain (May 2026)
Domain predicttocareer[.]space Sender domain (May 2026)
Domain recruitvex[.]us Sender domain (May 2026)
Domain mailpredicttogether[.]ink Sender domain (May 2026)
Domain nowurisch[.]fit Sender domain (May 2026)
Domain hyperdevpipline[.]org Sender domain (May 2026)
Domain valorecuiting[.]online Sender domain (April 2026)
Domain migadyn[.]info Sender domain (April 2026)
Domain nemesistrade[.]work Related infrastructure (May 2026)
Domain ceronet[.]work Related infrastructure (May 2026)
Domain deep-ai-guard[.]store Related infrastructure (May 2026)
Domain ceronetwork[.]org Related infrastructure (May 2026)
Domain culyrax[.]us Related infrastructure (May 2026)
Domain nemesis[.]work Related infrastructure (May 2026)
URL hxxps://github[.]com/Pulsynk/pulsynk Attacker-controlled GitHub repository
URL hxxps://github[.]com/Trixauvex-org/trixauvex Attacker-controlled GitHub repository
URL hxxps://github[.]com/PedrinPY/rekt-db Attacker-controlled GitHub repository
URL hxxps://github[.]com/wayout4u/rekt-db Attacker-controlled GitHub repository
URL hxxps://github[.]com/Stomp47/rekt-db Attacker-controlled GitHub repository
URL hxxps://github[.]com/sr-werney/forge-4626-invariants Attacker-controlled GitHub repository
URL hxxps://github[.]com/ziobiri/forge-4626-invariants Attacker-controlled GitHub repository
URL hxxps://github[.]com/mireles343/forge-4626-invariants Attacker-controlled GitHub repository
URL hxxps://github[.]com/skyjum/x402-kit Attacker-controlled GitHub repository
URL hxxps://github[.]com/rkama411/x402-kit Attacker-controlled GitHub repository
URL hxxps://gitlab[.]com/pulsynk-org/rekt-db.git Attacker-controlled GitLab repository
URL hxxps://gitlab[.]com/trixauvex-org/x402-kit.git Attacker-controlled GitLab repository
URL hxxps://gitlab[.]com/predict-together/forge-4626-invariants.git Attacker-controlled GitLab repository
SHA256 35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e settings.json
SHA256 c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b tasks.json
SHA256 4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78 run-update-hidden-launch.vbs
SHA256 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb run-update.cmd
SHA256 d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10 gus-node-bootstrap.js
SHA256 91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa windows-agent-node.js.enc
SHA256 6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0 windows-js-pipeline.js.enc
SHA256 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f detect_malware.py.enc
SHA256 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 google-update-support.vsix
SHA256 d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e extension.js
SHA256 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f run-update.sh
SHA256 e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667 google-update-support-agent.zip
SHA256 a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 google-update-support-linux-amd64
SHA256 bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81 google-update-support-darwin-amd64
SHA256 339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943 google-update-support-darwin-arm64
SHA256 808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619 darwin-password-prompt
Email gusb@ondofinance[.]tech Attacker-controlled email (April 2026)
Email dalbir@empowerpharmacy[.]space Attacker-controlled email (April 2026)
Email alex@contacttrixauvex[.]ink Attacker-controlled email (May 2026)
Email alex@pulsynk[.]org Attacker-controlled email (May 2026)
Email alex@trixauvexnet[.]ink Attacker-controlled email (May 2026)
Email [email protected][.]ink Attacker-controlled email (May 2026)
Email [email protected][.]org Attacker-controlled email (May 2026)
Email [email protected][.]xyz Attacker-controlled email (May 2026)
Email [email protected][.]us Attacker-controlled email (May 2026)
Email [email protected][.]ink Attacker-controlled email (May 2026)
Email [email protected][.]org Attacker-controlled email (May 2026)
Email [email protected][.]ink Attacker-controlled email (May 2026)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
