North Korean Hackers Evolve Tactics, Targeting Developers with Sophisticated Phishing and VS Code Backdoors
Cybersecurity researchers are sounding the alarm over two new malicious campaigns, **UNK_DeadDrop** and a series of backdoored VS Code extensions, exhibiting strong ties to the persistent North Korean threat cluster known as **Contagious Interview**. These sophisticated attacks leverage developer workflows, open-source tools, and innovative social engineering to compromise systems and exfiltrate sensitive data, primarily targeting financial and cryptocurrency sectors.
North Korea-aligned threat actors are increasingly refining their cyber operations, with new reports highlighting advanced phishing campaigns and supply chain attacks specifically targeting developers. These evolving tactics underscore a growing sophistication in Pyongyang's pursuit of financial gain and intelligence.
## UNK_DeadDrop: A New Facet of Contagious Interview
**Proofpoint** has identified a new campaign, codenamed **UNK_DeadDrop**, which bears significant similarities to the notorious **Contagious Interview** group (also known as **Famous Chollima**, **HexagonalRodent**, and **Void Dokkaebi**). This campaign has been observed orchestrating phishing attacks against nearly 100 organizations across finance, cryptocurrency, education, and technology sectors.
The infection chain typically begins with emails containing links to actor-controlled **GitHub** repositories. These repositories host malicious scripts that lead to the execution of cross-platform malware for **macOS**, **Linux**, and **Windows**, including a custom version of the open-source **Go** framework named **Overlord**.

A critical link to Pyongyang is the use of **Microsoft Visual Studio Code** (**VS Code**) projects that exploit the "runOn: folderOpen" technique. This method triggers the execution of malicious code every time the project folder is opened in the editor, with no further user interaction, a tactic adopted by **Contagious Interview** since December 2025.
Over a six-week period, more than 250 emails were sent, primarily targeting entities in the U.S., followed by the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands.
The emails masquerade as technical assignments or cryptocurrency-related projects, instructing recipients to clone repositories and open them in **VS Code** or **Cursor**. Doing so executes operating system-specific malware loaders for **Linux**, **macOS**, and **Windows**. Later lures pivoted to asking targets to review open-source projects.
The loaders, typically shell scripts for **macOS**/**Linux** and VBScripts for **Windows**, install a malicious **VS Code** extension disguised as a legitimate **Google** service. This extension establishes communication with an external server for remote command execution, system reconnaissance, and exfiltration of data from browser wallet extensions, stored credentials, and desktop wallet applications.
While **Proofpoint** tracks **UNK_DeadDrop** as distinct from **Contagious Interview** due to initial access methods (email vs. **LinkedIn**) and the use of the **Overlord** framework, the campaign signals a maturation of North Korea-aligned operations targeting developers for financial gain.
## Backdoored VS Code Extensions and Supply Chain Attacks
Further compounding the threat, **Yeeth Security** uncovered three malicious **VS Code** extensions on the official marketplace: "ByteBinTools.jupyter-powerdev-2026.6.8.vsix," "ToolCraft.jupyter-powertools-3.21.0.vsix," and "OLDev.markdown-mode-devtools-2.1.0.vsix." These extensions, disguised as **Jupyter Notebook** productivity tools, are sophisticated, multi-stage backdoors designed to bypass endpoint defenses.
Key features of this malware include:
* A **SharePoint** site acting as a command queue, victim registry, and exfiltration channel.
* A **JavaScript** layer handling command-and-control (**C2**) communication via **Microsoft Graph API** and **SharePoint**.
* Components enabling arbitrary file read, write, and exfiltration, alongside code execution using **Windows** executables and **Python** scripts for **Linux** and **macOS**.
Though not directly linked, the developer tooling split between **JavaScript** and **Python** echoes **Contagious Interview** tactics, and the **Microsoft Graph API** authentication mechanism shares similarities with the **Lazarus Group's Dream Job** attacks.
These discoveries align with several recent campaigns attributed to North Korean threat actors:
* A follow-up to the **Axios** supply chain attack, utilizing three malicious **npm** packages (**[email protected]**, **[email protected]**, and **[email protected]**) to deliver an information stealer.
* **TaskJacker**, a worm-like campaign dropping malicious **VS Code** task files into **GitHub** repositories, exploiting **VS Code's tasks.json** auto-execution feature.
* **Contagious Interview's** use of **Git hooks** (".githooks/pre-commit") to execute malicious code when a target clones a "coding assessment" repository, shifting from hiding code in `.vscode/tasks.json` or `package.json`.
* A compromised **Packagist** package (**roberts/leads**) targeting **PHP** developers with a **JavaScript** malware loader that ultimately delivers a variant of the **DEV#POPPER RAT**.
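As an added example (not code from Proofpoint, Yeeth Security or any of the campaigns described), the following pre-open audit flags the three repository-resident auto-execution hooks this page names: a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, hook scripts shipped in a `.githooks/` directory, and npm lifecycle scripts in `package.json`. It runs against a constructed sample repository whose file names and commands are made up for the demo.

```python
import json, re, tempfile
from pathlib import Path

LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}  # run on npm install

def _load_jsonc(path):
    """tasks.json allows comments and trailing commas; strip them (naively) first."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(^|\s)//.*$", r"\1", text, flags=re.M)
    return json.loads(re.sub(r",\s*([}\]])", r"\1", text))

def audit_repo(root):
    """Return (kind, name, command) for hooks that fire on folder open, commit or install."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            for t in _load_jsonc(tasks).get("tasks", []):
                if t.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(("tasks.json folderOpen", t.get("label", "?"), t.get("command", "")))
        except ValueError:  # an unparseable tasks.json is itself worth a look
            findings.append(("tasks.json unparseable", str(tasks), ""))
    hooks = root / ".githooks"  # hooks shipped inside the repo, not in .git/hooks
    if hooks.is_dir():
        findings += [("repo-shipped git hook", h.name, "") for h in sorted(hooks.iterdir()) if h.is_file()]
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        findings += [("npm lifecycle script", n, scripts[n]) for n in sorted(LIFECYCLE & set(scripts))]
    return findings

def build_sample_repo():
    """Constructed lookalike of a 'coding assessment' repo; names and commands are made up."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{ // constructed sample\n "version": "2.0.0",\n "tasks": [{\n'
        '  "label": "setup", "type": "shell", "command": "node .vscode/setup.js",\n'
        '  "runOptions": {"runOn": "folderOpen"},\n }],\n}\n')
    (root / ".githooks").mkdir()
    (root / ".githooks" / "pre-commit").write_text("#!/bin/sh\necho constructed\n")
    (root / "package.json").write_text(json.dumps(
        {"name": "assessment", "scripts": {"postinstall": "node install.js", "test": "jest"}}))
    return root

if __name__ == "__main__":
    for kind, name, cmd in audit_repo(build_sample_repo()):
        print(f"[{kind}] {name}: {cmd}")
```

Run it against a freshly cloned directory before opening the folder in VS Code or Cursor; any finding is a reason to read the referenced file first rather than let the editor run it.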
These incidents highlight a clear and present danger to the developer community and the broader software supply chain. Organizations and individual developers must remain vigilant, scrutinizing email links, repository sources, and the legitimacy of **VS Code** extensions, even those from official marketplaces.