Cybersecurity researchers have uncovered multiple malicious campaigns linked to a North Korean threat group known as Contagious Interview (also tracked under names such as Famous Chollima, HexagonalRodent, and Void Dokkaebi). The attacks show an increasing focus on targeting software developers through fake recruitment processes and compromised development tools.
According to research from Proofpoint, the campaign—tracked as UNK_DeadDrop—has been actively sending phishing emails disguised as job offers or technical coding assignments. These emails direct victims to attacker-controlled GitHub repositories that contain malicious code. Once cloned and opened, the repositories trigger malware execution across Windows, macOS, and Linux systems.
The malware delivery chain relies heavily on developer workflows. Victims are instructed to open projects in tools like Visual Studio Code or Cursor, where hidden automation features such as “runOn: folderOpen” execute malicious scripts without requiring further interaction. The payloads deploy loaders and an open-source Go-based framework known as Overlord, enabling remote access and data theft.
Global Targeting and Scale
Researchers found that more than 250 phishing emails were sent over a six-week period, targeting nearly 100 organizations across industries including finance, cryptocurrency, education, and technology. Over 75% of victims were based in the United States, with additional targets in the UK, India, Germany, Japan, Israel, and other countries.
The attackers used fake coding assignments and cryptocurrency-related projects to lure developers into cloning repositories and running malicious environments. Later variants shifted toward fake “code review” requests to increase credibility.
Malware Capabilities and Infection Chain
The attack begins with a loader script that varies by operating system. On macOS and Linux, shell scripts are used, while Windows systems receive VBScript-based loaders. These components install malicious Visual Studio Code extensions disguised as legitimate services.
Once installed, the malware enables remote command execution, system reconnaissance, and data theft. It specifically targets browser-stored credentials, cryptocurrency wallets, and desktop wallet applications.
The Linux and macOS variants deploy a modified version of the Overlord framework, while Windows systems execute commands via CMD scripts that install the malicious extension. The final goal is consistent across all platforms: steal sensitive credentials and exfiltrate them to attacker-controlled servers.
Evasion and Persistence Techniques
The malicious VS Code extensions use legitimate cloud and developer APIs, including Microsoft Graph and SharePoint, to communicate with command-and-control servers. This allows attackers to blend malicious traffic with normal enterprise activity.
Researchers also identified additional malicious VS Code extensions found on official marketplaces. These extensions posed as productivity tools for Jupyter notebooks but actually functioned as multi-stage backdoors with file execution and remote control capabilities.
These tools allowed attackers to:
- Read, write, and exfiltrate files
- Execute system commands
- Harvest credentials and wallet data
- Maintain persistent access through remote infrastructure
Related Campaigns and Broader Threat Activity
Security analysts have also observed related North Korean cyber activity involving:
- Malicious npm packages used in cryptocurrency-related supply chain attacks
- GitHub-based worm-like propagation using VS Code tasks and repository hooks
- Compromised developer environments injecting malicious code into legitimate projects
- Fake job recruitment campaigns on platforms like LinkedIn
- Use of AI-assisted tools to generate malware loaders and improve phishing operations
In several cases, attackers abused developer tools such as .githooks, tasks.json, and package dependencies to trigger automatic execution when repositories were opened or cloned.
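As an added, defender-side illustration (not part of the Proofpoint research or of any tool named above), the following Python scans a freshly cloned repository for the three auto-execution triggers this article mentions before anyone opens it in an editor: a VS Code task with "runOn": "folderOpen" in .vscode/tasks.json, npm lifecycle scripts in package.json, and scripts in a .githooks directory. The sample repository it builds is constructed for the demo; the command strings in it are placeholders.

```python
import json
import re
import tempfile
from pathlib import Path

# package.json scripts that npm runs on its own during `npm install`, with no `npm run`
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}


def _load_jsonc(text):
    """tasks.json is JSON-with-comments: drop whole-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_auto_exec_triggers(repo):
    """Return (relative path, reason) pairs for each auto-execution trigger found in a clone."""
    repo = Path(repo)
    findings = []
    tasks = repo / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            for task in _load_jsonc(tasks.read_text()).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((".vscode/tasks.json",
                                     f"folderOpen task {task.get('label')!r} runs: {task.get('command')}"))
        except ValueError:
            findings.append((".vscode/tasks.json", "unparseable; inspect manually"))
    pkg = repo / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for name in sorted(set(scripts) & NPM_LIFECYCLE):
            findings.append(("package.json", f"lifecycle script {name}: {scripts[name]}"))
    hooks = repo / ".githooks"
    if hooks.is_dir():  # only fires if core.hooksPath points here, so flag rather than assume
        for hook in sorted(hooks.iterdir()):
            findings.append((f".githooks/{hook.name}", "hook script; runs if core.hooksPath is set to .githooks"))
    return findings


def build_sample_repo():
    """Constructed sample repo (placeholder commands, not campaign material) with all three triggers."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n // auto-run when the folder is opened\n "version": "2.0.0",\n "tasks": [{"label": "setup",'
        ' "type": "shell", "command": "node ./setup.js", "runOptions": {"runOn": "folderOpen"},}]}')
    (root / "package.json").write_text(json.dumps({"name": "demo", "scripts": {"postinstall": "node ./setup.js"}}))
    (root / ".githooks").mkdir()
    (root / ".githooks" / "post-checkout").write_text("#!/bin/sh\nnode ./setup.js\n")
    (root / "docs").mkdir()  # clean subtree for the negative case
    return root
```

Run it against a clone's root before opening the folder in VS Code or Cursor; any finding means the repository can execute code without a further click.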
Financial and Strategic Impact
Reports suggest these campaigns have already resulted in significant cryptocurrency theft, with losses estimated in the millions of dollars in early 2026 alone. Thousands of developer systems and wallets may have been affected across multiple waves of attacks.
Security experts warn that the operations are becoming more industrialized, with multiple coordinated teams, reusable infrastructure, and evolving malware families such as BeaverTail, OtterCookie, and InvisibleFerret.
Conclusion
Researchers conclude that North Korean-aligned threat actors are rapidly evolving their tactics, shifting from traditional phishing methods to highly sophisticated developer-targeted supply chain attacks. By exploiting trusted tools and workflows, they are turning everyday development environments into powerful malware delivery systems.