North Korean Hackers Exploit Fake Coding Tasks to Target U.S. Cryptocurrency Firms
A recent analysis by Proofpoint has uncovered a campaign by a likely North Korean threat actor targeting U.S.-based software developers with fake job and code-review lures. The campaign, tracked as UNK_DeadDrop, involved sending over 250 emails in April and May 2026 to individuals in the technology, education, and finance sectors, particularly those associated with cryptocurrency firms. The emails contained links to GitHub or GitLab repositories disguised as coding assignments. When a recipient opened one of these repositories in an editor such as VS Code or Cursor, a hidden tasks.json file would execute, installing a malicious VS Code extension. This extension, posing as a Google service, relaunches the malware whenever the editor reopens on macOS or Linux. The malware's primary goal is to drain cryptocurrency and credentials by scanning for browser data and cryptocurrency wallets. The campaign is notable for its industrial scale of repository creation and a self-contained payload that survives infrastructure takedowns.
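A pre-open check for a cloned "coding assignment", as an added example that is not from Proofpoint's analysis or the original article: it lists every task in a repository's .vscode/tasks.json that is set to start when the folder opens. It assumes the lure relies on VS Code's documented `runOptions.runOn: "folderOpen"` task option, which the article does not specify; the function names and the sample file are hypothetical.

```python
import json
import re
import sys
from pathlib import Path

# Constructed sample, not from the campaign. tasks.json is JSONC (comments, trailing commas).
SAMPLE = r'''{
  "tasks": [
    { "label": "build", "type": "shell", "command": "make" },
    { // starts as soon as the folder is opened, terminal panel kept closed
      "label": "setup", "type": "shell", "command": "echo placeholder",
      "osx": { "command": "echo placeholder-macos" },
      "runOptions": { "runOn": "folderOpen" }, "presentation": { "reveal": "never" },
    },
  ]
}'''

_STR = r'"(?:\\.|[^"\\])*"'          # a JSON string literal
_OS = ("osx", "linux", "windows")    # per-OS blocks that can override the command

def _d(value):
    return value if isinstance(value, dict) else {}

def strip_jsonc(text):
    """Remove comments, then trailing commas, leaving string literals untouched."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[}\]])", keep, text, flags=re.S)

def autorun_tasks(text):
    """Findings for tasks set to start on folder open; unparseable input is flagged too."""
    try:
        tasks = list(json.loads(strip_jsonc(text)).get("tasks") or [])
    except (ValueError, AttributeError, TypeError):
        return [{"label": "<unparseable tasks.json>", "commands": [], "hidden": False}]
    auto = [t for t in tasks if _d(_d(t).get("runOptions")).get("runOn") == "folderOpen"]
    return [{"label": t.get("label"),
             "commands": [v["command"] for v in (t, *(_d(t.get(k)) for k in _OS)) if v.get("command")],
             "hidden": _d(t.get("presentation")).get("reveal") in ("never", "silent")}
            for t in auto]

def scan_repo(root):
    """Map each .vscode/tasks.json under root (dot-directories included) to its findings."""
    files = (p for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode")
    hits = {str(p): autorun_tasks(p.read_text(encoding="utf-8", errors="replace")) for p in files}
    return {path: found for path, found in hits.items() if found}

if __name__ == "__main__":
    print(scan_repo(sys.argv[1]) if len(sys.argv) > 1 else autorun_tasks(SAMPLE))
```

Run it against a fresh clone before opening the folder in an editor. In VS Code, setting `task.allowAutomaticTasks` to `off` stops folder-open tasks regardless of what a repository ships.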