UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
Summary
Hide ▲
Show ▼
A UNK_DeadDrop phishing campaign sent more than 250 emails to software developers at almost 100 organizations, using fake job and code-review lures to steal cryptocurrency and credentials. The operation targeted mostly US-based workers in technology, education, and finance, with a focus on cryptocurrency firms. It relied on GitHub/GitLab repositories, a hidden tasks.json file, and editor execution in VS Code or Cursor to deploy payloads across macOS, Linux, and Windows.
Related Happenings
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
CampaignAbout this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Prt-scan GitHub pull_request_target supply-chain campaign
Campaign
First: 07.04.2026 00:38
Last: 07.04.2026 00:38
Sources 1
About this happening:
The **prt-scan** campaign used **AI-assisted automation** to scale a broad **GitHub supply-chain** operation, increasing risk for repositories configured with `pull_request_target...
Prt-scan GitHub pull_request_target supply-chain campaign
CampaignAbout this happening: The **prt-scan** campaign used **AI-assisted automation** to scale a broad **GitHub supply-chain** operation, increasing risk for repositories configured with `pull_request_target...
Timeline
-
08.06.2026 18:00 2 articles · 2h ago
Proofpoint tracks UNK_DeadDrop developer phishing campaign
Initial DisclosureProofpoint reported UNK_DeadDrop as a likely North Korean campaign that sent more than 250 phishing emails in April and May 2026 to software developers at almost 100 organizations, using fake job and code-review lures, GitHub/GitLab repositories, and malicious tasks.json execution in VS Code or Cursor to steal cryptocurrency and credentials.
Show sources
- North Korean Hackers Use Fake Coding Tasks to Steal Crypto — www.infosecurity-magazine.com — 08.06.2026 18:00
- North Korean Hackers Use Fake Coding Tasks to Steal Crypto — www.infosecurity-magazine.com — 08.06.2026 18:00