惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
博客园 - 【当耐特】
Microsoft Azure Blog
Microsoft Azure Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
Cloudbric
Cloudbric
The Register - Security
The Register - Security
小众软件
小众软件
PCI Perspectives
PCI Perspectives
G
Google Developers Blog
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Recent Commits to openclaw:main
Recent Commits to openclaw:main
量子位
TaoSecurity Blog
TaoSecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
F
Full Disclosure
N
Netflix TechBlog - Medium
博客园_首页
Last Week in AI
Last Week in AI
A
Arctic Wolf
B
Blog RSS Feed
J
Java Code Geeks
C
Cybersecurity and Infrastructure Security Agency CISA
I
InfoQ
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
MyScale Blog
MyScale Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Jina AI
Jina AI
有赞技术团队
有赞技术团队
S
Schneier on Security
L
Lohrmann on Cybersecurity
P
Privacy & Cybersecurity Law Blog
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Security Latest
Security Latest
Vercel News
Vercel News
博客园 - 司徒正美
Webroot Blog
Webroot Blog
Hacker News: Ask HN
Hacker News: Ask HN
A
About on SuperTechFans

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
The Hacker News
The Hacker News · 2026-06-16 · via The Hacker News

Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi).

According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. The activity has been codenamed UNK_DeadDrop.

"The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord," Proofpoint researchers Saher Naumaan and Carlos Rubio said.

A crucial aspect connecting the campaign to Pyongyang is the use of Microsoft Visual Studio Code (VS Code) projects that employ the "runOn: folderOpen" technique to trigger the execution of malicious code every time the code editor is opened without requiring any user interaction. This approach has been adopted by the Contagious Interview actors since December 2025.

The activity documented by the enterprise security company involved more than 250 emails that were sent during a six-week period to individuals in almost 100 organizations. Over 75% of the targeted entities are located in the U.S., followed by the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands.

Cybersecurity

The emails contain links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects, instructing recipients to clone the repository and open it in VS Code or Cursor, resulting in the execution of operating system-specific malware loaders for Linux, macOS, and Windows. Subsequent lures observed in May 2026 have pivoted their approach by requesting targets to review their open-source projects.

The loader - a shell script for macOS and Linux and a VBScript for Windows systems - is designed to install a malicious VS Code extension (VSIX) that masquerades as a legitimate Google service, while communicating with an external server to facilitate remote command execution, system reconnaissance, and data exfiltration from browser wallet extensions, credentials, and desktop wallet apps.

The Linux and macOS infection chains lead to a custom version of the open-source Overlord framework with capabilities to enable data theft. It also prompts users to enter their system password using a fake security pop-up. The Windows attack chain, on the other hand, relies on the VBScript payload to run a CMD file, which then installs the extension.

The end goal remains the same: to steal credentials and data from wallet browser extensions and applications, and exfiltrate the results to the server ("23.137.105[.]75:5173") via an HTTP POST request.

"Unlike the Linux/macOS agent, the Windows pipeline does not maintain a persistent connection; it uploads the ZIP files, performs cleanup, and terminates," Proofpoint said.

Further analysis has uncovered that the threat actor previously distributed a Windows Go binary of Overlord, but has since shifted to the new method, likely in an attempt to avoid detection.

Proofpoint said it's tracking UNK_DeadDrop as distinct from Contagious Interview due to differences in initial access methods (LinkedIn vs. email) and the use of the Overlord framework, which is different from the custom malware families the North Korean hacking group has traditionally deployed, including BeaverTail, InvisibleFerret, and OtterCookie.

"UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving," the company said. "The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations."

The disclosure comes as Yeeth Security said it discovered three malicious VS Code extensions named "ByteBinTools.jupyter-powerdev-2026.6.8.vsix," ToolCraft.jupyter-powertools-3.21.0.vsix," and "OLDev.markdown-mode-devtools-2.1.0.vsix" on the official marketplace that are dressed up as seemingly harmless Jupyter Notebook productivity tools, but are, in fact, a "sophisticated, multi-stage backdoor" engineered to bypass endpoint defenses.

The malware supports the following functions -

  • A SharePoint site functioning as a command queue, victim registry, and exfiltration channel
  • A JavaScript layer that handles all command-and-control (C2) communication via Microsoft Graph API and SharePoint to
  • Components enabling arbitrary file read, write, and exfiltration, as well as code execution using a Windows executable and a Python script for Linux and macOS

The C2 channel, besides running commands or scripts, can issue a third command type called "host_action," which facilitates file system operations like pwd, ls, cd, and cat, along with file upload and downloads.

Although there exists no direct overlap with any publicly documented North Korean campaign, Yeeth Security said the developer tooling split between JavaScript and Python has its echoes in Contagious Interview, and that the malicious artifacts' Microsoft Graph API authentication mechanism shares some similarities with the Lazarus Group's Dream Job attacks detailed by S2 Grupo LAB52 in October 2025.

Cybersecurity

The findings dovetail with the discovery of multiple campaigns linked to the North Korean threat actors in recent months -

  • A follow-up to the Axios supply chain attack using three malicious npm packages (redeem-onchain-sdk@1.0.7, nicegui@0.1.4, and period-newline@0.1.0) that deliver an information stealer that exfiltrates harvested data to a different C2 infrastructure. The packages are listed as dependencies on GitHub projects disguised as cryptocurrency trading bots. "Less than 18 hours after the Axios malicious packages were removed from NPM, the first secondary payload was already live on the registry," OpenSourceMalware said. "This suggests the threat actor had prepared backup infrastructure and was ready to immediately deploy alternative delivery mechanisms."
  • An attack campaign codenamed TaskJacker has been delivered, dropping malicious VS Code task files into unsuspecting GitHub users' existing repositories, spreading in a worm-like fashion. "By weaponizing VS Code's tasks.json auto-execution feature, attackers have created a scenario where simply opening a cloned repository in your IDE can compromise your system," the OpenSourceMalware team said. "No user interaction required beyond a git clone and opening the folder."
  • Contagious Interview's use of Git hooks (".githooks/pre-commit") to fire the execution of malicious code when a target clones a "coding assessment" repository, marking a shift from hiding the malicious code within .vscode/tasks.json or package.json files.
  • Contagious Interview's use of a compromised Packagist package ("roberts/leads") to target PHP developers with a JavaScript malware loader that reaches out to blockchain and public RPC infrastructure in order to fetch, decrypt, and execute a next-stage JavaScript payload. The adversary has also leveraged its access to compromised developer systems to tamper with commits and inject multi-stage obfuscated JavaScript code to the source code files in their repositories. The final payload is a variant of the DEV#POPPER RAT.
  • "Void Dokkaebi's operations do not end with a single infected developer," Trend Micro said. "The compromised machine becomes a launchpad, with the threat actor weaponizing the victim's own repositories and turning their code contributions into infection vectors for downstream developers. The result is a self-sustaining propagation chain resembling a worm's behavior rather than a traditional targeted attack."
  • Contagious Interview's migration of InvisibleFerret from readable Python scripts to Cython-compiled binaries, distributing the malware as .pyd files on Windows and .so files on macOS. "The update gives the intrusion set an additional layer of evasion while preserving InvisibleFerret's core capabilities, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting," Trend Micro said. "BeaverTail has also expanded beyond its original downloader and stealer role into a broader malware with overlapping functions, including credential harvesting and wallet trojanization."
  • A malicious npm package named "terminal-logger-utils" has been found to target Telegram data, SSH keys, crypto wallets, cloud configurations, and environment variables. The package was published by "jpeek895," an account flagged for publishing a similar package called "terminal-logger-pack" in late April 2026. Another npm package named "js-logger-pack" has been found to deliver an ELF binary with infostealer and remote access trojan (RAT) capabilities.
  • BlueNoroff's (aka Sapphire Sleet and UNC1069) targeting of macOS environments within high-value financial sectors to deliver infostealer malware as part of a targeted social engineering against individuals in the cryptocurrency, investment, and Web3 space. Some of these efforts also make use of fake Zoom and Microsoft Teams meeting-themed lures and ClickFix-style prompts and instructions to install supposed "missing" meeting SDKs and deliver malicious payloads. The attacks led to the deployment of updated variants of Cabbage RAT (aka CageyChameleon), PowerShell implants capable of credential and data theft, or a newly identified data-stealing macOS toolkit known as Mach-O Man.
  • "By persuading users to manually execute AppleScript or Terminal-based commands, Sapphire Sleet shifts execution into a user-initiated context, allowing the activity to proceed outside of macOS protections such as Transparency, Consent, and Control (TCC), Gatekeeper, quarantine enforcement, and notarization checks," Microsoft said.
  • Contagious Trader's use of over 50 malicious packages embedded across more than 100 GitHub repositories targeting developers in the cryptocurrency space to deliver three malware families: PromptMink, OtterCookie, and a new Windows clipboard stealer called ClipViper. "The malicious repositories are promoted through verified accounts on X and Reddit, use spoofed developer identities and bot-inflated star counts to appear legitimate, and are distributed across 40+ GitHub users and organizations as redundant delivery fronts," Panther said.
  • A cluster of obfuscated malicious npm packages published by multiple throwaway accounts has been found to deliver variants of the OtterCookie infostealer by means of a postinstall hook. Another malicious npm package named "node-env-resolve" has been identified as making use of six runtime dependencies that match the OtterCookie toolkit.
  • Contagious Interview's use of generative artificial intelligence to assist with the development of loaders responsible for launching BeaverTail and OtterCookie, and to set up front companies used for listing job openings and social engineering outreach via fake LinkedIn accounts. According to data shared by Expel, these campaigns are likely carried out by multiple teams, each comprising several members. The attacks have resulted in the theft of $12 million in cryptocurrency in the first three months of 2026. "The threat actor's campaigns exfiltrated a total of 26,584 cryptocurrency wallets from 2,726 infected developers' systems," Expel's Marcus Hutchins said.
  • A supply chain attack campaign codenamed jsonspack has used 27 malicious npm packages to deliver a JavaScript RAT and infostealer, or drop a loader that fetches an unspecified payload. Another malicious npm package named "sleek-pretty" has been found to target developers running Polymarket trading bots to carry out system fingerprinting, SSH backdoor installation, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials.
  • A sustained npm malware campaign spanning 108 malicious packages and 261 package versions targeted developers between March 20 and April 20, 2026, with an aim to steal credentials, Telegram Desktop sessions, and wallet keys, and establish persistent access using malware families like BeaverTail and OtterCookie.

"Whilst financially motivated cybercrime is highly unappealing to almost every nation-state, since the monetary loss from the resulting sanctions would far outweigh any financial gain, this is not the case for North Korea," Expel said. "The heavy sanctions already levied against the country mean there is little more that can be done to deter them, but a lot to be gained for a nation whose economic activity is severely constrained."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.