North Korean APT Weaponizes VS Code in Developer Recruitment Phishing Campaign
Proofpoint researchers Saher Naumaan and Carlos Rubio have documented a new wave of activity from the North Korean state-aligned threat cluster tracked as Contagious Interview (also known as Famous Chollima, HexagonalRodent, and Void Dokkaebi), codenamed UNK_DeadDrop. The campaign, observed in May and June 2026, has sent more than 250 phishing emails to individuals at nearly 100 organizations across finance, cryptocurrency, education, and technology sectors. Over 75% of the targeted entities are based in the United States, with additional victims located in the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands. Lures initially posed as developer job recruitment or cryptocurrency projects, and later pivoted to requests for code review of open-source repositories.
The infection chain begins with emails linking to actor-controlled GitHub repositories disguised as technical assignments. Victims are told to clone the repository and open it in Visual Studio Code or Cursor. The repository ships a workspace task in ".vscode/tasks.json" whose "runOptions" set "runOn": "folderOpen", so the editor launches the task on its own the moment the folder is opened; no user interaction beyond opening the project is required, although VS Code gates automatic tasks on Workspace Trust, so opening the clone in Restricted Mode blocks this stage. The group has used this technique since December 2025. The staged loader (a shell script on macOS and Linux, a VBScript on Windows) installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service. The extension beacons to the command-and-control server at 23.137.105[.]75:5173, giving the operators remote command execution, system reconnaissance, credential harvesting, and theft of data from browser wallet extensions and desktop wallet applications. On Linux and macOS the loader additionally deploys a custom build of the open-source Go-based Overlord framework and prompts the user for the system password through a fake security dialog.
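The following is an added example, not tooling from Proofpoint or from the campaign itself, showing the check a defender would run against a directory of cloned repositories: it parses the comment-tolerant JSON dialect VS Code accepts in ".vscode/tasks.json", reports every task that auto-runs on folder open together with the command it would launch per platform, and summarises installed extensions from their package.json so an unexpected "Google"-branded VSIX stands out. The sample tasks.json embedded below is constructed to mirror the technique with benign placeholder paths; the extension directory path (~/.vscode/extensions in the demo) is an assumption and differs for Cursor.

```python
"""Hunt for VS Code / Cursor workspaces that auto-run a task on folder open.

Added example, not from the Proofpoint report or the threat actor's code.
"""
import json
import sys
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas that sit OUTSIDE string
    literals (so "//nologo" or "http://" inside a command survives), producing
    input json.loads() accepts. This mirrors what VS Code tolerates in tasks.json."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):        # line comment: skip to end of line
            j = text.find("\n", i)
            i = (n if j == -1 else j) - 1
        elif text.startswith("/*", i):        # block comment: skip to closing */
            j = text.find("*/", i + 2)
            i = (n if j == -1 else j + 2) - 1
        elif c == ",":                        # drop a comma followed only by } or ]
            j = i + 1
            while j < n and text[j].isspace():
                j += 1
            if j >= n or text[j] not in "}]":
                out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


PLATFORMS = ("windows", "osx", "linux")


def find_autorun_tasks(tasks_json: str) -> list:
    """Return tasks whose runOptions.runOn is "folderOpen", with the command that
    would run on each platform after applying the per-OS overrides."""
    data = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {}
        for plat in PLATFORMS:
            override = task.get(plat) or {}
            cmd = override.get("command", task.get("command"))
            args = override.get("args", task.get("args", []))
            commands[plat] = " ".join([str(cmd), *map(str, args)]) if cmd else None
        hits.append({"label": task.get("label", "<unlabelled>"),
                     "type": task.get("type"), "commands": commands})
    return hits


def scan_workspaces(root: Path) -> list:
    """Walk a tree of clones and collect auto-run tasks (or parse errors, which
    are themselves worth a look: attackers sometimes rely on lenient parsing)."""
    findings = []
    for tasks_file in root.glob("**/.vscode/tasks.json"):
        try:
            hits = find_autorun_tasks(tasks_file.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"file": str(tasks_file), "error": str(exc)})
            continue
        findings.extend({"file": str(tasks_file), **hit} for hit in hits)
    return findings


def list_extensions(ext_root: Path) -> list:
    """Summarise installed extensions from <ext_root>/*/package.json: publisher,
    name, display name and activation events (a beaconing extension must
    activate on startup, so "*" or "onStartupFinished" deserves scrutiny)."""
    summary = []
    for pkg in ext_root.glob("*/package.json"):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        summary.append({"dir": pkg.parent.name,
                        "id": f'{meta.get("publisher", "?")}.{meta.get("name", "?")}',
                        "displayName": meta.get("displayName"),
                        "activationEvents": meta.get("activationEvents", [])})
    return summary


# Constructed sample modelled on the technique: benign placeholder paths, no real C2.
SAMPLE_TASKS_JSON = r'''{
  // "Bootstrap" task injected into a cloned assignment repository
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "sh",
      "args": [".setup/install.sh"],
      "windows": { "command": "cscript", "args": ["//nologo", ".setup/install.vbs"] },
      "presentation": { "reveal": "never" },   /* keep the terminal hidden */
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''


def demo() -> list:
    """Run the detector over the constructed sample."""
    return find_autorun_tasks(SAMPLE_TASKS_JSON)


if __name__ == "__main__":
    for hit in demo():
        print(hit["label"], hit["commands"])
    if len(sys.argv) > 1:                      # python hunt.py ~/src
        for finding in scan_workspaces(Path(sys.argv[1])):
            print(finding)
    for ext in list_extensions(Path.home() / ".vscode" / "extensions"):
        print(ext["id"], ext["displayName"], ext["activationEvents"])
```

The string-aware comment stripper matters: a naive regex that deletes everything after "//" would also truncate a command such as "cscript //nologo" or a URL argument and hide exactly the line a hunter needs to see. Pair the scan with prevention by setting "task.allowAutomaticTasks" to "off" in user settings and leaving Workspace Trust enabled, so an unreviewed clone cannot run anything simply by being opened.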
Attribution to Pyongyang rests on infrastructure patterns and tradecraft consistent with prior Contagious Interview operations. Developers and security teams who suspect they cloned or opened one of these repositories should treat the host as compromised: search it for a ".vscode/tasks.json" carrying "runOn": "folderOpen", remove any extension they did not knowingly install, rotate every credential the host could reach (GitHub and other source-control tokens, SSH keys, cloud and API keys, passwords saved in the browser), move funds out of any browser or desktop wallet on that machine into freshly generated wallets, and hunt proxy and firewall logs for connections to 23.137.105[.]75 on port 5173. WHOIS and passive-DNS lookups on the repository and C2 infrastructure help scope the activity but are no substitute for rebuilding the machine. As state-sponsored APTs continue to blur the line between developer tooling and malware delivery, organizations handling cryptocurrency assets and proprietary code should keep VS Code Workspace Trust enabled, disable automatic tasks ("task.allowAutomaticTasks": "off"), restrict extension installation to approved, signed Marketplace extensions rather than sideloaded VSIX files, and require multi-factor authentication on all source-control and wallet accounts.