Suspected North Korean phishing campaign sends fake developer job offers to steal credentials and cryptocurrency

A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows.
Why it matters: Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.

Sources

Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
2026.06.08
This article appears to be the first tracked report establishing Proofpoint's UNK_DeadDrop campaign as a distinct, likely DPRK-linked operation using fake job offers and code-review lures against developers.