Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
Summary
The Contagious Interview cluster is running the UNK_DeadDrop phishing campaign to lure developers with recruitment and code review themes, reaching nearly 100 organizations. The operation routes targets to actor-controlled GitHub repositories and VS Code projects that can trigger malicious code with little interaction. The campaign spans finance, cryptocurrency, education, technology, and other sectors, raising the risk of malware execution and credential theft.
Related Happenings
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score: 31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources: 1
How related:
"UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving," the company said. "The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations."
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Miasma supply-chain malware activity
Malware Activity
H score: 34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources: 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma GitHub and npm supply-chain campaign
Campaign
H score: 26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources: 1
About this happening:
The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions. The malicious installs abuse a 157-byte binding.gyp file to execute code during npm install, then stage additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score: 39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources: 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score: 34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources: 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Timeline
15.06.2026 22:32 · 2 articles
Researchers identify UNK_DeadDrop phishing campaign targeting developers
Initial Disclosure: Researchers tracked UNK_DeadDrop, a campaign linked to Contagious Interview, that targeted nearly 100 organizations in finance, cryptocurrency, education, technology, and other sectors with developer recruitment and code review lures. Recipients were directed to actor-controlled GitHub repositories and VS Code projects that used the runOn: folderOpen technique to execute malicious code, deploy cross-platform loaders for macOS, Linux, and Windows, and support credential and wallet theft through Overlord-related tooling.
Sources:
- North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels — thehackernews.com — 15.06.2026 22:32
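
A defender-side check for the runOn: folderOpen technique named in the timeline entry, as an added example that is not from the source article or the researchers. It parses every `.vscode/tasks.json` in a cloned repository (VS Code's comment-tolerant JSON) and lists the tasks configured to run when the folder is opened, with their per-OS commands; the sample task file and its placeholder commands are constructed.

```python
import json
import os
import re

SAMPLE_TASKS = '''{  // constructed sample, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "prepare", "type": "shell", "command": "echo placeholder-posix",
     "windows": {"command": "echo placeholder-windows"},
     "runOptions": {"runOn": "folderOpen"}, /* auto-run */ },
  ]
}'''
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STR + r'|,(?=\s*[}\]])')

def parse_jsonc(text):
    """Drop comments, then trailing commas; string literals stay untouched."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def folder_open_tasks(text):
    """Return [(label, {platform: command})] for tasks with runOn == folderOpen."""
    doc = parse_jsonc(text)
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            cmds = {k: task[k]["command"] for k in ("windows", "osx", "linux")
                    if isinstance(task.get(k), dict) and "command" in task[k]}
            cmds["default"] = task.get("command")
            hits.append((task.get("label", "<unlabelled>"), cmds))
    return hits

def scan_repo(root):
    """Walk a checkout; list (path, label, commands) for each auto-run task."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in files:
            continue
        path = os.path.join(dirpath, "tasks.json")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = folder_open_tasks(fh.read())
        except ValueError:  # not valid even as JSONC: flag for manual review
            hits = [("<unparseable>", {})]
        findings += [(path, label, cmds) for label, cmds in hits]
    return findings
```

Run `scan_repo` on a fresh clone before opening it in VS Code; each hit is a command the project asks the editor to start on folder open and should be read before the folder is trusted.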