North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers

ID: 720e5585-6ff1-521e-b769-05fcb032ae7b

STIX ID: report--720e5585-6ff1-521e-b769-05fcb032ae7b

Feed Name: cybersecurityNews.com

Threat Score: 88/100

Date Published: 2026-06-09

Date Updated: 2026-06-09

Author: Tushar Subhra Dutta

...
...

Proofpoint researchers attribute an active campaign called UNK_DeadDrop to a North Korea–aligned actor that targets developers by sending phishing messages containing links to attacker-controlled GitHub/GitLab repositories; hidden .vscode/tasks.json entries and malicious VSIX extensions trigger a cross-platform Overlord backdoor and credential-stealing components that exfiltrate browser credentials and cryptocurrency wallets. The report details targeting (≈250 emails to ~100 organizations), platform-specific credential prompts and DPAPI/Keyring theft techniques, and provides a long list of IoCs (IPs, domains, emails, repository URLs, and SHA256 hashes) plus basic mitigation advice for developer environments.