惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
宝玉的分享
宝玉的分享
腾讯CDC
博客园_首页
T
Tailwind CSS Blog
月光博客
月光博客
博客园 - 司徒正美
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
M
MIT News - Artificial intelligence
A
About on SuperTechFans
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
V
Visual Studio Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
SecWiki News
SecWiki News
美团技术团队
P
Privacy International News Feed
H
Help Net Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Microsoft Security Blog
Microsoft Security Blog
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
D
DataBreaches.Net
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cisco Blogs
S
Schneier on Security
G
GRAHAM CLULEY
博客园 - 三生石上(FineUI控件)
Cisco Talos Blog
Cisco Talos Blog
小众软件
小众软件
Forbes - Security
Forbes - Security
D
Docker
T
Tenable Blog
S
Secure Thoughts
雷峰网
雷峰网
S
Security @ Cisco Blogs
T
The Exploit Database - CXSecurity.com
The Cloudflare Blog
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
阮一峰的网络日志
阮一峰的网络日志

The Register - Security

Are we human? MyPillow must decide whether to be firm or soft as ransomware crims demand pay Experts pour cold borscht on Farage's Russian hack claim AI eyes scanning for bugs create a worrisome Linux security trend A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Techie claims Trump Mobile website was leaking thousands of people's data Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Microsoft open-sources agentic AI safety tools Are we human? America's top cyber-defense agency left a GitHub repo open with with passwords, keys, tokens – and incredibly obvious filenames America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames Shai-Hulud copycat worm infects yet another npm package MPs want social media treated more like unsafe toys than harmless apps Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data To gain root access, intruder just had to ask AWS patched Quick auth bypass, says customers weren't using control Disgruntled researcher releases two more Microsoft zero-days Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files US bank reports itself after slinging customer data at 'unauthorized AI app' Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator Best Western Hotels confirms web app data breach Arctic Wolf cuts 250 jobs in AI push 1 in 8 workers say selling company logins is justifiable Iran cyberspies LARPing as ransomware crims in espionage ops UK age-gating plans risk breaking the internet, privacy groups warn India orders infosec red alert in case Mythos sparks crime 'CopyFail' attackers start cashing in on Linux flaw ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Singapore boffins get diverse SIEMs singing in harmony Shadow IT has given way to shadow AI. Enter AI-BOMs AI-BOMs replace SBOMs as way to track AI agents and bots Home Office adds £216M to travel doc contract before bids FBI: China's hacker-for-hire ecosystem 'out of control' UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Critical cPanel, WHM flaw probs exploited as 0-day, pros say ORNL builds more sensitive GPS interference detector Microsoft patch fell short. New Windows flaw exploited Fooling large language models just keeps getting simpler Wiz hands GitHub AI-aided bug report that isn Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Cybersecurity professional getting more work and less pay Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning Intel expects AI inference to drive demand for its CPUs Open source models can find bugs as well as Mythos Researchers find sabotage malware that may predate Stuxnet Attackers could disable all of a city's public EV chargers Age checks could turn internet into an ID checkpoint, complains Proton CEO If malware via monitor cables is a matter of national security, this might be the gadget for you France's 'Secure' ID agency probes breach as crooks claim 19M records Scotland Yard can keep using live facial recognition on Londoners, say judges Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Scot becomes second Scattered Spider-linked crook to plead guilty in US Just like phishing for gullible humans, prompt injecting AIs is here to stay Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Server-room lock was nothing but a crock Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Autovista blames ransomware for service disruption French cops free mother and son after crypto kidnapping UK told its Big Tech habit is now a national security risk Commvault has a Ctrl+Z for rogue AI agents No honor among thieves as 0APT threatens rival ransomware gang Krybit Fake Linux leader using Slack to con devs into giving up their secrets Booking.com warns of possible reservation data exposure NHS pays £46K to prep next Microsoft licensing round China wants AI to prepare school lessons and mark homework Anthropic's Mythos has The Kettle crew curious, skeptical Two different attackers poisoned popular open source tools Hungary officials used weak passwords exposed in breach dump CPUID hijacked to serve malware as HWMonitor downloads Unpacking AI security 2026 from experimentation agentic era Microsoft locks out top open source devs, blames process NHS Scotland-linked domains push pr0n and illegal streams Iran cyber actors disrupting US water, energy facilities, FBI warns Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns AI agents found vulns in this Linux and Unix print server Don't glamorize cybercrims, roast them instead Trump wants to take a battle axe to CISA again and slash $707M from budget
Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
Jessica Lyons Jessica Lyons · 2026-06-09 · via The Register - Security

There's another likely North Korean-linked scam hitting developers and their employers, while snarfing up credentials and cryptocurrency - and this one doesn't even involve embedding IT workers at high-profile tech giants.

A previously unseen phishing crew, suspected to have DPRK ties, sent more than 250 emails to people working in almost 100 organizations, mostly based in the US, over six weeks in April and May. According to security sleuths, it is yet another digital-heist attempt designed to steal cryptocurrency wallets and developers’ credentials.

Proofpoint threat researchers spotted this campaign and tracked the digital thievery as UNK_DeadDrop. 

Like earlier phishing expeditions from the Norks, including the Contagious Interview campaign, this one uses developer recruitment or code review lures to target victims, primarily in technology, education, business services, and financial services, and ultimately steal credentials and cryptocurrency. 

In another common tactic seen with DPRK-linked credential-stealing activities, the lures attempt to send victims to attacker-controlled GitHub repositories hosting malicious scripts that execute cross-platform malware across macOS, Linux, and Windows machines.

“However, there are several differences between the activity sets, such as the shift in social engineering from arranging fake interviews to unsolicited job offer or code review approaches as well as the move from delivery platforms such as LinkedIn to email,” researchers Saher Naumaan and Carlos Rubio said in a Monday blog, citing other differences between UNK_DeadDrop and Contagious Interview. 

“Based on the use of email for initial access, the high volume of emails, industrialization and scale of repository creation, a new self-contained payload, and distinct infrastructure from previous Proofpoint observations of Contagious Interview campaigns, Proofpoint Threat Research continues to track UNK_DeadDrop activity as an independent cluster,” the researchers wrote.

Full-stack engineer wanted

The attacks begin with an email that looks like it originated from a real company, with job offers for developer roles including “Full-Stack Engineer” or “Agent Lead Developer” positions. Proofpoint caught the crooks spoofing a handful of companies to send these emails from attacker-owned sender domains including:

  • Ondo Finance: a decentralized finance (DeFi) platform

  • Empower Pharmacy: a pharmaceutical company

  • NXLog: a log collection and centralization tool

  • OnePlan: a strategic portfolio and work management platform

  • Hypen Connect: a Web3 and AI Talent Agency

  • Valon: a mortgage service provider

  • Nourish: a telehealth company

The emails contain links to GitHub repos disguised as coding assignments or cryptocurrency-related projects - part of the phony job application process. All of the emails instructed the target to clone the repository and open it in a code editor like VS Code or Cursor. 

Proofpoint’s report lists all 10 repositories, all focused on four themes - cryptocurrency platforms, exploit archives, Foundry testing, and AI payments - and all hosted by different GitHub accounts, so be sure to check out the vendor’s list.

In May, the attackers switched tactics and began sending victims requests for peer reviews on open-source projects, with a potential job offer based on the fixes. These emails purported to come from cryptocurrency trading or prediction companies, including Pulsynk and Trixauvex.

Another UNK_DeadDrop campaign in late May targeted finance and technology companies, requesting recipients to test an ERC-4626 vault in Foundry, a toolkit for Ethereum and smart contract development.

In all of these instances, when the victim opens what they believe to be a legit repository folder in an integrated development environment, a pre-configured task silently executes and triggers a platform-specific loader that decodes embedded payloads on whatever system the developer uses, working across Linux, macOS, and Windows machines.

The loader installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service.  Every time the user opens the code editor on macOS or Linux, the VSIX extension activates, and relaunches the infection-chain if it’s not already running. The persistence mechanism doesn’t work on Windows machines, however.

After installing VSIX, the infection chain looks different, depending on what platform the target uses. The Linux and macOS attacks use a native Go binary that connects to the command-and-control (C2) infrastructure as a persistent remote access trojan (RAT). The Windows chain, however, runs a Node.js pipeline inside the editor's Electron process. 

Both use the same C2 infrastructure and exfiltration endpoints.

Linux, macOS backdoors

The Linux and macOS binaries are based on the open-source Overlord C2  framework - this is a legitimate red-team tool that automates covert infrastructure setup and management, and orchestrates post-exploitation activities. This, of course, also makes it a very handy tool for attackers.

For this campaign, the North Koreans added three custom modules: browserlogin (Chrome and Firefox credential theft), companywallet (crypto-wallet stealer and exfiltration), and cleanup (anti-forensic removal of workspace artifacts).

On macOS, Overlord first collects wallet extension data, browser profile artifacts, and standalone wallet directories, compressing them into a ZIP and uploading them to the C2 server.  Five minutes later, the malware moves on to credential theft, using a second embedded Mach-O binary that displays a fake system dialogue and prompts the user to enter their password. 

The Overlord process validates the credentials, and assuming they are legit, the malware modifies keychain access-control lists across Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and other Chromium-based web browsers, before extracting Safe Storage keys and sending all of the stolen goods - collected credentials, Safe Storage keys, and keychain data - to the attacker-controlled server.

The backdoor also re-launches itself as root, using the stolen password.

The Linux malware follows a similar pattern, first scooping up wallet-related data and sending that via ZIP to the C2 server before moving on to credential theft. It, however, uses Zenity, a standard GTK dialog tool, to create a prompt and collect victim credentials.

This backdoor attempts to steal passwords from GNOME Keyring by spawning Python 3 processes for each browser, and ultimately re-launches itself as root using a swiped password.

Windows attacks

Windows attacks run entirely as JavaScript inside the editor's Electron process, which appears as Code.exe in Task Manager. The malware first steals wallet info, targeting 35 wallet extension IDs (MetaMask, Phantom, Rabby, Keplr, and others), 18 standalone wallet applications (Exodus, Electrum, Ledger Live, Monero, Solana CLI, Bitcoin, and others), and Firefox profiles. 

Next, it installs Python and executes a stealer (detect_malware.py) for each browser profile that collects a ton of credentials across Chromium and Firefox browsers, steals cookies from Chrome/Edge/Brave and uses COM Elevation Moniker to access credentials across these browsers protected by App-Bound Encryption. It also attempts to read locked databases using five cascade methods, and ultimately uploads all the secrets to the same endpoint before terminating.

“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Naumaan and Rubio wrote. “The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.” ®