News Article · Jun 16, 2026 at 10:40 AM
North Korean Hackers Target Developers With Malicious VS Code Extensions

Proofpoint has identified a North Korean threat cluster targeting nearly 100 organizations by tricking developers into cloning malicious GitHub repos and opening them in VS Code or Cursor, triggering malware execution.

North Korean hackers are using fake developer recruitment emails and poisoned GitHub repositories to deliver malware through Microsoft Visual Studio Code. Researchers at Proofpoint have identified the campaign, tracked as UNK_DeadDrop, targeting nearly 100 organizations across finance, cryptocurrency, education, and technology sectors.

According to a report published June 15 by Proofpoint, the threat actor sent more than 250 emails over a six-week period. Over 75 percent of targeted entities are in the United States, with additional victims in the United Kingdom, Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands.

VS Code Projects With Silent Execution Triggers

The infection chain starts with emails containing links to actor-controlled GitHub repositories that masquerade as technical assignments or cryptocurrency projects. Recipients are instructed to clone the repository and open it in VS Code or Cursor. The repositories use the runOn: folderOpen technique to execute malicious code automatically without any user interaction, a method the Contagious Interview cluster has used since December 2025.

  • Linux and macOS targets receive a shell script loader that installs a malicious VS Code extension disguised as a legitimate Google service
  • Windows targets receive a VBScript loader that runs a CMD file before installing the extension
  • The macOS and Linux agents use a custom version of the open-source Overlord Go framework for data theft
  • The Windows pipeline does not maintain a persistent connection: it uploads ZIP files, performs cleanup, and terminates
  • Exfiltrated data includes credentials, browser wallet extensions, and desktop wallet applications
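A defensive check for the folder-open trigger described above, added here as an example (it is not Proofpoint's tooling or code from the campaign): it lists every task in a cloned repository that is set to run on folder open, so the commands can be reviewed before the folder is opened in the editor. It assumes the trigger sits under `runOptions.runOn` in `.vscode/tasks.json` or a `.code-workspace` file; `load_jsonc`, `auto_run_tasks`, `demo` and the sample task are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Match strings first so comment markers inside them (e.g. URLs) survive.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def load_jsonc(text):
    """Parse VS Code's JSON-with-comments (drops comments and trailing commas)."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    # Second pass catches trailing commas that were followed by a comment.
    return json.loads(_JSONC.sub(keep, _JSONC.sub(keep, text)))

def auto_run_tasks(repo):
    """List (file, label, command) for tasks configured with runOn: folderOpen."""
    repo, findings = Path(repo), []
    files = [p for p in repo.rglob("tasks.json") if p.parent.name == ".vscode"]
    files += repo.rglob("*.code-workspace")
    for path in sorted(files):
        rel = path.relative_to(repo).as_posix()
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:
            findings.append((rel, "<unparseable, review by hand>", ""))
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        if isinstance(tasks, dict):  # .code-workspace nests the list one level down
            tasks = tasks.get("tasks")
        for task in tasks if isinstance(tasks, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((rel, task.get("label", ""), str(task.get("command", ""))))
    return findings

# Constructed sample: a harmless echo stands in for the command under review.
SAMPLE = """{
  // build tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "command": "make"},
    {"label": "setup", "command": "echo constructed-sample", "runOptions": {"runOn": "folderOpen"},},
  ]
}"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".vscode").mkdir()
        (Path(tmp) / ".vscode" / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return auto_run_tasks(tmp)
```

Calling `auto_run_tasks()` on the path of a fresh clone returns an empty list when no task is set to run on folder open; a file that fails to parse is reported rather than skipped.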

Implications for Developer Supply Chain Security

Proofpoint distinguishes UNK_DeadDrop from previous Contagious Interview campaigns because it uses email rather than LinkedIn for initial access and relies on the Overlord framework rather than custom malware families such as BeaverTail, InvisibleFerret, and OtterCookie. The shift from active social engineering to large-scale phishing campaigns indicates an actor industrializing operations, Proofpoint researchers Saher Naumaan and Carlos Rubio noted.

Separately, Yeeth Security discovered three malicious VS Code extensions on the official marketplace that function as multi-stage backdoors using Microsoft Graph API and SharePoint for command-and-control communications. While no direct link to the North Korean campaign has been established, the parallel discovery underscores the growing risk facing developers relying on code editor extensions.

Fact check

  • Proofpoint documented more than 250 emails sent over six weeks targeting nearly 100 organizations. (verified)
  • Over 75% of targeted entities are located in the United States. (verified)
  • The campaign uses the 'runOn: folderOpen' technique in VS Code to execute code without user interaction. (verified)
  • Yeeth Security discovered three malicious VS Code extensions on the official marketplace. (reported)
