Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency
UNK_DeadDrop is a likely North Korean threat actor conducting broad phishing campaigns targeting software developers with fake job offers and code review requests. The campaign delivers malicious GitHub/GitLab repositories that abuse VS Code and Cursor IDE task automation to silently execute cross-platform malware. Linux and macOS systems receive the Overlord Go RAT with custom credential and wallet theft modules, while Windows runs a fileless Node.js/Python pipeline inside the editor's Electron process. The malware exfiltrates cryptocurrency wallets, browser credentials, and OS keychain data to a hardcoded C&C server at 23.137.105.75:5173.
- domainalphanonega[.]orgRelated infrastructure domain from April 2026
- domainasteara[.]orgRelated infrastructure domain from April 2026
- domaincareerpredictto[.]spaceRelated infrastructure domain
- domaincareerpulsynk[.]xyzRelated infrastructure domain
- domaincareertrixauvex[.]inkRelated infrastructure domain
- domainceronet[.]workRelated infrastructure domain
- domainceronetwork[.]orgRelated infrastructure domain
- domainconnectptogether[.]inkRelated infrastructure domain
- domaincontactpredicttogether[.]inkRelated infrastructure domain
- domaincontactpulsynk[.]inkRelated infrastructure domain
- domaincontacttrixauvex[.]inkSender domain used in May 2026 phishing campaigns
- domaincoslyintra[.]onlineRelated infrastructure domain from April 2026
- domaincotrixauvex[.]inkRelated infrastructure domain
- domainculyrax[.]usRelated infrastructure domain
- domaindeep-ai-guard[.]storeRelated infrastructure domain
- domaindomatisc[.]inkRelated infrastructure domain from April 2026
- domaindoxxela[.]inkRelated infrastructure domain from April 2026
- domainelsavora[.]usRelated infrastructure domain
- domainempowerpharmacy[.]spaceAttacker-controlled sender domain spoofing Empower Pharmacy; used in April 2026 phishing emails
- domainhyperdevpipline[.]orgSender domain used in phishing campaigns
- domainmailpredicttogether[.]inkSender domain used in May 2026 phishing campaigns
- domainmailpulsynk[.]xyzSender domain used in May 2026 phishing campaigns
- domainmailtrixauvex[.]inkSender domain used in May 2026 phishing campaigns
- domainmigadyn[.]infoSender domain used in April 2026 phishing campaigns
- domainnemesistrade[.]workRelated infrastructure domain
- domainnemesis[.]workRelated infrastructure hosting fake NEMESIS DeFi protocol website on attacker-controlled Advin Services LLC IPs
- domainnotifypulsynk[.]inkRelated infrastructure domain
- domainnowurisch[.]fitSender domain used in phishing campaigns
- domainnxlog[.]techAttacker-controlled sender domain spoofing NXLog; used in April 2026 phishing emails
- domainondofinance[.]techAttacker-controlled sender domain spoofing Ondo Finance (DeFi platform); used in April 2026 phishing emails
- domainonoplainai[.]inkRelated infrastructure domain from April 2026
- domainonoplanoai[.]inkAttacker-controlled sender domain spoofing OnePlan; used in May 2026 phishing emails
- domainoptixauvex[.]usRelated infrastructure domain
- domainpredictcareertogether[.]spaceRelated infrastructure domain
- domainpredicttocareer[.]spaceAttacker-controlled sender domain used in May 2026 phishing campaigns
- domainpredicttogerecruit[.]storeRelated infrastructure domain
- domainpredicttogether[.]inkRelated infrastructure domain
- domainpredicttogetherrecruit[.]storeRelated infrastructure domain
- domainpulsynk[.]orgAttacker-controlled sender domain spoofing an AI-powered cryptocurrency prediction platform; used in phishing emails
- domainraxvatange[.]inkRelated infrastructure domain from April 2026
- domainrecruitptogether[.]xyzRelated infrastructure domain
- domainrecruitvex[.]usSender domain used in May 2026 phishing campaigns
- domaintalentnexhr[.]inkRelated infrastructure domain
- domainteampulsynk[.]teamRelated infrastructure domain
- domaintogetherhire[.]funRelated infrastructure domain
- domaintrixauvexnet[.]inkSender domain used in May 2026 phishing campaigns; hosted fake company website
- domaintrixauvex[.]orgAttacker-controlled sender domain spoofing a cryptocurrency trading company; also hosted a fake company website
- domainvalorecuiting[.]onlineSender domain used in April 2026 phishing campaigns
- ip170[.]205[.]29[.]83Attacker-controlled sender IP on Advin Services LLC infrastructure used for early UNK_DeadDrop phishing campaigns
- ip170[.]205[.]30[.]227Attacker-controlled sender IP on Advin Services LLC infrastructure used for early UNK_DeadDrop phishing campaigns
- ip23[.]137[.]105[.]75Hardcoded C&C server for Overlord RAT (Linux/macOS) and Windows Node.js pipeline; WebSocket Secure on port 5173 and HTTP POST for data exfiltration
- sha2562812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628fdetect_malware.py.enc — encrypted Python credential stealer with DPAPI and App-Bound Encryption bypass
- sha256339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943google-update-support-darwin-arm64 — macOS Apple Silicon Overlord Go binary
- sha25635813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252eMalicious settings.json file in repository .vscode folder
- sha2564c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78run-update-hidden-launch.vbs — Windows VBS launcher script
- sha25652886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7google-update-support.vsix — malicious VS Code extension masquerading as Google service
- sha25662761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fbrun-update.cmd — Windows CMD launcher script
- sha2566cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0windows-js-pipeline.js.enc — encrypted Windows Node.js agent pipeline
- sha256734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352frun-update.sh — Linux/macOS bash launcher with embedded Base64 payload
- sha256808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619darwin-password-prompt — fake macOS credential harvesting dialog binary
- sha25691b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aawindows-agent-node.js.enc — encrypted Windows wallet stealer and Python setup payload
- sha256a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86google-update-support-linux-amd64 — Linux Overlord Go binary
- sha256bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81google-update-support-darwin-amd64 — macOS Intel Overlord Go binary
- sha256c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4bMalicious tasks.json file with runOn: folderOpen trigger
- sha256d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10gus-node-bootstrap.js — Node.js bootstrap for Windows Electron-based execution
- sha256d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7eextension.js — VSIX extension activation code
- sha256e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667google-update-support-agent.zip — packaged Overlord agent
- urlhxxps://github[.]com/locnlod/oneplan-fullstack-assignmentAttacker-controlled GitHub repository seen in phishing email targeting OnePlan spoof
- urlhxxps://github[.]com/mireles343/forge-4626-invariantsAttacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaults
- urlhxxps://github[.]com/PedrinPY/rekt-dbAttacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archive
- urlhxxps://github[.]com/Pulsynk/pulsynkAttacker-controlled GitHub repository masquerading as AI-powered cryptocurrency prediction platform
- urlhxxps://github[.]com/rkama411/x402-kitAttacker-controlled GitHub repository masquerading as HTTP 402 micropayments for AI agents
- urlhxxps://github[.]com/skyjum/x402-kitAttacker-controlled GitHub repository masquerading as HTTP 402 micropayments for AI agents
- urlhxxps://github[.]com/sr-werney/forge-4626-invariantsAttacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaults
- urlhxxps://github[.]com/Stomp47/rekt-dbAttacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archive
- urlhxxps://github[.]com/Trixauvex-org/trixauvexAttacker-controlled GitHub repository masquerading as cryptocurrency trading engine
- urlhxxps://github[.]com/wayout4u/rekt-dbAttacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archive
- urlhxxps://github[.]com/ziobiri/forge-4626-invariantsAttacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaults
- urlhxxps://gitlab[.]com/predict-together/forge-4626-invariants[.]gitAttacker-controlled GitLab repository
- urlhxxps://gitlab[.]com/pulsynk-org/rekt-db[.]gitAttacker-controlled GitLab repository
- urlhxxps://gitlab[.]com/trixauvex-org/x402-kit[.]gitAttacker-controlled GitLab repository
Detection / Hunteropenrouter
What Happened
A hacking group believed to be from North Korea has been sending fake job offer emails to software developers at nearly 100 companies, mostly in the cryptocurrency and technology industries. The emails trick developers into downloading what look like legitimate coding projects from GitHub or GitLab. When the developer opens the project in their code editor (VS Code or Cursor), hidden scripts automatically run and install malware that steals cryptocurrency wallets, saved passwords, and other sensitive data from their computer. The attack works on Mac, Linux, and Windows. What makes this especially dangerous is that the Cursor editor runs these hidden scripts without asking for any permission, meaning the victim may have no idea anything happened. Organizations with developers who work with cryptocurrency or blockchain projects should warn their staff about unexpected job offers or code review requests, and should be cautious when opening unfamiliar repositories in code editors.
Key Takeaways
- UNK_DeadDrop is a likely North Korea-aligned threat actor conducting large-scale phishing campaigns targeting developers across ~100 organizations in cryptocurrency, finance, technology, and education sectors.
- The campaign abuses VS Code and Cursor IDE task automation (tasks.json with runOn: folderOpen) to silently execute malicious scripts when a cloned repository is opened, with Cursor requiring zero user interaction.
- Linux/macOS infections deploy the open-source Overlord Go C&C framework as a persistent RAT with custom modules for wallet theft, credential theft, and anti-forensics; Windows uses a fileless Node.js/Python pipeline inside the editor's Electron process.
- The malware steals cryptocurrency wallet extensions, standalone wallet applications, browser credentials, macOS Keychain data, and GNOME Keyring secrets across 35 wallet extension IDs and 18 standalone wallet apps.
- A malicious VSIX extension provides persistence on macOS/Linux by reactivating payloads on each editor launch; Windows lacks persistence and executes a single stealer operation.
Affected Systems
- macOS (Intel and Apple Silicon)
- Linux (AMD64 desktop distributions with GTK/Zenity)
- Windows (all versions with VS Code or Cursor IDE)
- VS Code, Cursor, and VSCodium editors
- Chromium-based browsers (Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, Chromium)
- Firefox browser
- Cryptocurrency wallet extensions (MetaMask, Phantom, Rabby, Keplr, and others)
- Standalone wallet applications (Exodus, Electrum, Ledger Live, Monero, Solana CLI, Bitcoin, and others)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing emails with attacker-controlled sender domains deliver links to malicious GitHub/GitLab repositories masquerading as coding assignments, crypto projects, or code review requests
- Execution: Victim clones repository and opens it in VS Code or Cursor; hidden .vscode/tasks.json with runOn: folderOpen silently executes platform-specific launcher scripts (Cursor requires zero user interaction)
- Installation: Launcher scripts install a malicious VSIX extension masquerading as a Google service into all available editors; on Linux/macOS this provides persistence by reactivating payloads on each editor launch
- C2: Linux/macOS deploy Overlord Go binary establishing persistent WebSocket Secure connection to 23.137.105.75:5173; Windows runs fileless Node.js/Python pipeline inside editor's Electron process and exfiltrates via HTTP POST to same C&C
- Collection: Malware collects cryptocurrency wallet extension data, standalone wallet directories, browser credentials, macOS Keychain data, and GNOME Keyring secrets; uses fake system dialogs to harvest user passwords for privilege escalation
- Exfiltration and Cleanup: Stolen data packaged as ZIP files and uploaded to C&C; malware deletes payload files and malicious directories from the cloned repository to remove forensic artifacts while maintaining VSIX persistence
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not include any detection rules, queries, or signatures. It provides IOCs (IPs, domains, email addresses, file hashes, URLs) and detailed TTP descriptions that could be used to develop custom detections.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | On Windows, the fileless Node.js execution inside the Electron process (Code.exe) may blend in with legitimate editor activity, reducing EDR visibility. On macOS/Linux, the Go binary execution and xattr quarantine removal are potentially visible. The use of certutil for decoding and Python downloads to browser directories are detectable behaviors if EDR monitors process lineage and file writes. |
| Network Visibility | High | The C&C communication uses WebSocket Secure to 23.137.105.75:5173 and HTTP POST for exfiltration. Network monitoring can detect connections to this IP and large outbound data transfers. The attacker-controlled sender IPs and domains are also observable in email gateway logs. |
| Detection Difficulty | Hard | The Windows pipeline runs entirely inside the editor's legitimate Electron process with no binary dropped to disk, making it appear as normal Code.exe activity. The use of standard developer tools (git, VS Code, Cursor) and legitimate-looking repositories reduces suspicion. The macOS/Linux Go binaries masquerade as Google update support files. The anti-forensic cleanup removes artifacts from disk. Detecting this requires behavioral analysis of process ancestry, network connections, and file system activity rather than simple signature matching. |
Required Log Sources
- Email gateway logs (sender domains, IPs, message content)
- Endpoint process execution logs with command line and parent process
- File creation and modification events in .vscode/ and vendor/ directories
- Network connection logs (especially outbound WebSocket and HTTP POST to 23.137.105.75)
- VS Code / Cursor extension installation events
- macOS Gatekeeper/quarantine removal events (xattr)
- Windows certificate utility (certutil.exe) execution logs
- Registry modification events for Windows user profile enumeration
- DNS resolution logs for attacker-controlled domains
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for VS Code or Cursor processes spawning child processes that initiate outbound network connections to non-standard ports, which could indicate the Windows fileless Node.js pipeline executing inside the Electron process. | EDR process telemetry with network connection correlation; Sysmon Event ID 3 (network connection) filtered by parent process of Code.exe or Cursor.exe | Command and Control | Medium — legitimate VS Code extensions and development workflows may initiate outbound connections; focus on non-standard ports and known-bad IPs |
| Consider hunting for tasks.json files containing runOn: folderOpen configuration in recently cloned repositories, which could indicate abuse of VS Code task automation for execution. | File system monitoring for .vscode/tasks.json creation; EDR file write events in developer workspace directories | Execution | Medium — legitimate projects may use folderOpen tasks; correlate with subsequent suspicious child process execution |
| Consider hunting for certutil.exe being used with -decode or -f flags outside of certificate management contexts, which could indicate payload decoding as seen in the Windows infection chain. | EDR process execution logs with command line arguments; Sysmon Event ID 1 (process creation) filtered for certutil.exe | Defense Evasion | Low — certutil with decode flags in development environments is unusual |
| Consider hunting for xattr commands removing com.apple.quarantine attributes from binaries in developer workspace directories on macOS, which could indicate bypassing Gatekeeper for malicious Go binaries. | macOS endpoint security framework events for xattr execution; process monitoring for xattr with -d flag | Defense Evasion | Low to Medium — some legitimate development workflows remove quarantine attributes, but combined with recently downloaded binaries it is suspicious |
| Consider hunting for VS Code extension installation events involving VSIX files named with Google update support patterns or installed from local file paths rather than the official marketplace. | VS Code extension installation logs; file system monitoring for .vsix file creation; EDR process logs for code --install-extension commands | Persistence | Low — local VSIX installation is uncommon in enterprise environments and the naming pattern is suspicious |
Control Gaps
- Standard AV signatures would not detect the fileless Windows Node.js pipeline running inside the Electron process
- Email gateway reputation may not flag newly registered domains using legitimate email services (Mailgun, MailHostBox)
- Application allowlisting may not block VS Code or Cursor since they are legitimate developer tools
- Network-based detection may miss WebSocket Secure traffic if it blends with legitimate HTTPS
- macOS Gatekeeper is bypassed via xattr quarantine removal, and the binary is not notarized but runs after attribute removal
- Browser credential protection mechanisms (App-Bound Encryption, DPAPI) are bypassed using COM Elevation Service and Python injection into browser directories
Key Behavioral Indicators
- Code.exe or Cursor.exe process spawning child processes that initiate outbound network connections (Windows fileless execution)
- tasks.json file with runOn: folderOpen in .vscode directory of recently cloned repositories
- certutil.exe invoked with -decode or -f flags in non-certificate-management contexts
- xattr -d com.apple.quarantine executed on files matching google-update-support-darwin-* pattern
- VSIX extension installation from local file paths with names containing google-update-support
- Python executable installed inside browser application directories (e.g., Program Files\Google\Chrome\Application\python.exe)
- WebSocket connections to non-standard ports (e.g., port 5173) from developer workstations
- darwin-password-prompt binary creating fake system dialogs on macOS
- Zenity dialog prompts on Linux requesting passwords with security-themed messages
- Large ZIP file uploads from developer workstations to external IPs over HTTP POST
False Positive Assessment
Medium — The campaign abuses legitimate developer tools (VS Code, Cursor, git, GitHub) and standard workflows, which are common in technology and cryptocurrency organizations. The malicious repositories appear professional with realistic structures. However, the specific IOCs (C&C IP, sender domains, file hashes) have low false positive rates. Behavioral detections around tasks.json auto-execution and local VSIX installation may generate some false positives in environments with legitimate local extension development.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking network traffic to 23.137.105.75 and sender IPs 170.205.29.83 and 170.205.30.227 at perimeter firewalls and email gateways.
- Consider adding the identified attacker-controlled sender domains to email gateway blocklists or quarantine rules, especially trixauvex.org, pulsynk.org, ondofinance.tech, nxlog.tech, empowerpharmacy.space, predicttocareer.space, and onoplanoai.ink.
- If your EDR supports it, consider hunting for the listed SHA256 hashes across your endpoint fleet and isolating any hosts with matches.
- Consider alerting developers in your organization about this campaign, especially those in cryptocurrency, DeFi, or blockchain roles, and advise them not to clone or open repositories from unsolicited job offers or code review requests.
- If applicable, consider blocking or monitoring VSIX extension installations from local file paths in your developer endpoints.
Infrastructure Hardening
- Consider implementing DNS filtering or sinkholing for the identified attacker-controlled domains.
- Evaluate whether your email gateway can detect and block newly registered domains using Mailgun or MailHostBox sender services that impersonate known companies.
- If your network architecture supports it, consider restricting outbound WebSocket connections from developer workstations to approved destinations only.
- Consider implementing network segmentation to isolate developer workstations from critical infrastructure and cryptocurrency wallet management systems.
- Evaluate whether your proxy or next-generation firewall can inspect and flag large outbound ZIP file uploads from developer endpoints.
User Protection
- Consider deploying EDR policies that alert on certutil.exe usage with decode flags and xattr quarantine removal on macOS endpoints.
- If your EDR supports application control, consider restricting VSIX extension installations to those from the official VS Code Marketplace only.
- Consider disabling or requiring approval for VS Code's folderOpen task automation feature in enterprise-managed editor configurations.
- Evaluate whether Cursor IDE's lack of a trust dialog poses an unacceptable risk; consider restricting its use or deploying configuration policies if available.
- Consider deploying browser extensions or EDR controls that detect unauthorized access to browser credential stores and wallet extension data.
Security Awareness
- Consider incorporating warnings about fake recruiter and code review phishing into existing developer security awareness training programs.
- Advise developers to verify the legitimacy of job offers through official company channels before engaging with any coding assignments or repository links.
- Consider educating developers on the risks of opening untrusted repositories in VS Code or Cursor, specifically the tasks.json auto-execution feature.
- If your organization has a developer onboarding or hiring process, consider briefing hiring managers and recruiters so they can flag suspicious approaches to their teams.
- Consider advising developers to use separate, isolated environments (e.g., containers or VMs) when reviewing code from untrusted sources.
MITRE ATT&CK Mapping
Initial Access
Execution
Defense Evasion
Collection
Command and Control
Additional IOCs
- Domains:
recruitvex[.]us- Sender domain used in May 2026 phishing campaignstrixauvexnet[.]ink- Sender domain used in May 2026 phishing campaigns; hosted fake company websitemailtrixauvex[.]ink- Sender domain used in May 2026 phishing campaignsmailpulsynk[.]xyz- Sender domain used in May 2026 phishing campaignsmailpredicttogether[.]ink- Sender domain used in May 2026 phishing campaignscontacttrixauvex[.]ink- Sender domain used in May 2026 phishing campaignsvalorecuiting[.]online- Sender domain used in April 2026 phishing campaignsmigadyn[.]info- Sender domain used in April 2026 phishing campaignsnowurisch[.]fit- Sender domain used in phishing campaignshyperdevpipline[.]org- Sender domain used in phishing campaignsnemesis[.]work- Related infrastructure hosting fake NEMESIS DeFi protocol website on attacker-controlled Advin Services LLC IPsnemesistrade[.]work- Related infrastructure domainceronet[.]work- Related infrastructure domainceronetwork[.]org- Related infrastructure domaindeep-ai-guard[.]store- Related infrastructure domainculyrax[.]us- Related infrastructure domainelsavora[.]us- Related infrastructure domainoptixauvex[.]us- Related infrastructure domaintalentnexhr[.]ink- Related infrastructure domainrecruitptogether[.]xyz- Related infrastructure domaincontactpredicttogether[.]ink- Related infrastructure domainconnectptogether[.]ink- Related infrastructure domainnotifypulsynk[.]ink- Related infrastructure domaincontactpulsynk[.]ink- Related infrastructure domaincareertrixauvex[.]ink- Related infrastructure domaincotrixauvex[.]ink- Related infrastructure domainteampulsynk[.]team- Related infrastructure domaincareerpulsynk[.]xyz- Related infrastructure domainpredicttogetherrecruit[.]store- Related infrastructure domainpredicttogerecruit[.]store- Related infrastructure domainpredicttogether[.]ink- Related infrastructure domaincareerpredictto[.]space- Related infrastructure domaintogetherhire[.]fun- Related infrastructure domainpredictcareertogether[.]space- Related infrastructure domainasteara[.]org- Related infrastructure domain from April 2026doxxela[.]ink- Related infrastructure domain from April 2026coslyintra[.]online- Related infrastructure domain from April 2026onoplainai[.]ink- Related infrastructure domain from April 2026raxvatange[.]ink- Related infrastructure domain from April 2026alphanonega[.]org- Related infrastructure domain from April 2026domatisc[.]ink- Related infrastructure domain from April 2026
- Urls:
hxxps://github[.]com/Pulsynk/pulsynk- Attacker-controlled GitHub repository masquerading as AI-powered cryptocurrency prediction platformhxxps://github[.]com/Trixauvex-org/trixauvex- Attacker-controlled GitHub repository masquerading as cryptocurrency trading enginehxxps://github[.]com/PedrinPY/rekt-db- Attacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archivehxxps://github[.]com/wayout4u/rekt-db- Attacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archivehxxps://github[.]com/Stomp47/rekt-db- Attacker-controlled GitHub repository masquerading as cross-chain blockchain exploit archivehxxps://github[.]com/sr-werney/forge-4626-invariants- Attacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaultshxxps://github[.]com/ziobiri/forge-4626-invariants- Attacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaultshxxps://github[.]com/mireles343/forge-4626-invariants- Attacker-controlled GitHub repository masquerading as Foundry invariant tests for ERC-4626 vaultshxxps://github[.]com/skyjum/x402-kit- Attacker-controlled GitHub repository masquerading as HTTP 402 micropayments for AI agentshxxps://github[.]com/rkama411/x402-kit- Attacker-controlled GitHub repository masquerading as HTTP 402 micropayments for AI agentshxxps://gitlab[.]com/pulsynk-org/rekt-db.git- Attacker-controlled GitLab repositoryhxxps://gitlab[.]com/trixauvex-org/x402-kit.git- Attacker-controlled GitLab repositoryhxxps://gitlab[.]com/predict-together/forge-4626-invariants.git- Attacker-controlled GitLab repositoryhxxps://github[.]com/locnlod/oneplan-fullstack-assignment- Attacker-controlled GitHub repository seen in phishing email targeting OnePlan spoof
- File Hashes:
35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e(SHA256) - Malicious settings.json file in repository .vscode folderc935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b(SHA256) - Malicious tasks.json file with runOn: folderOpen trigger4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78(SHA256) - run-update-hidden-launch.vbs — Windows VBS launcher script62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb(SHA256) - run-update.cmd — Windows CMD launcher scriptd3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10(SHA256) - gus-node-bootstrap.js — Node.js bootstrap for Windows Electron-based execution91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa(SHA256) - windows-agent-node.js.enc — encrypted Windows wallet stealer and Python setup payload6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0(SHA256) - windows-js-pipeline.js.enc — encrypted Windows Node.js agent pipeline2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f(SHA256) - detect_malware.py.enc — encrypted Python credential stealer with DPAPI and App-Bound Encryption bypass52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7(SHA256) - google-update-support.vsix — malicious VS Code extension masquerading as Google serviced5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e(SHA256) - extension.js — VSIX extension activation code734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f(SHA256) - run-update.sh — Linux/macOS bash launcher with embedded Base64 payloade1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667(SHA256) - google-update-support-agent.zip — packaged Overlord agenta2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86(SHA256) - google-update-support-linux-amd64 — Linux Overlord Go binarybb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81(SHA256) - google-update-support-darwin-amd64 — macOS Intel Overlord Go binary339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943(SHA256) - google-update-support-darwin-arm64 — macOS Apple Silicon Overlord Go binary808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619(SHA256) - darwin-password-prompt — fake macOS credential harvesting dialog binary
- File Paths:
.vscode/tasks.json- Hidden malicious task configuration file that auto-executes on folder open in VS Code/Cursorvendor/run-update.sh- Linux/macOS bash launcher script with embedded Base64 payloadvendor/run-update-hidden-launch.vbs- Windows VBS launcher script executed via wscript.exe //Bvendor/run-update.cmd- Windows CMD launcher that decodes embedded script and stages encrypted payloadsgus-node-bootstrap.js- Node.js bootstrap file executed inside editor's Electron process on Windowswindows-js-pipeline.js.enc- Encrypted Windows Node.js agent pipeline payloadwindows-agent-node.js.enc- Encrypted Windows wallet stealer and Python setup payloaddetect_malware.py.enc- Encrypted Python credential stealer with DPAPI and App-Bound Encryption bypassgoogle-update-support.vsix- Malicious VS Code extension masquerading as legitimate Google service; provides persistence on macOS/Linuxdarwin-password-prompt- Fake macOS system dialog binary used to harvest user passwordsgoogle-update-support-linux-amd64- Linux Overlord Go RAT binarygoogle-update-support-darwin-amd64- macOS Intel Overlord Go RAT binarygoogle-update-support-darwin-arm64- macOS Apple Silicon Overlord Go RAT binary
- Command Lines:
- Purpose: Clone malicious repository and open in VS Code, triggering auto-execution via tasks.json | Tools:
git,code| Stage: Initial Access / Execution |git clone <repo> && cd <repo> && code . - Purpose: Clone malicious repository and open in Cursor IDE, triggering silent auto-execution with no trust prompt | Tools:
git,cursor| Stage: Initial Access / Execution |git clone <repo> && cd <repo> && cursor . - Purpose: Silently execute VBS launcher script on Windows when repository folder is opened | Tools:
wscript.exe| Stage: Execution |wscript.exe //B //Nologo vendor/run-update-hidden-launch.vbs - Purpose: Decode embedded Base64 payload using certutil on Windows | Tools:
certutil| Stage: Execution / Defense Evasion |certutil -f -decode %GB% %GT% - Purpose: Remove macOS quarantine attribute from downloaded Go binary to bypass Gatekeeper | Tools:
xattr| Stage: Defense Evasion |xattr -d com.apple.quarantine - Purpose: Install malicious VSIX extension into available editors with force flag | Tools:
code,cursor,codium| Stage: Persistence / Installation |$ed --install-extension $vsix --force - Purpose: Launch Overlord Go binary detached in background on Linux/macOS | Tools:
nohup,bash| Stage: Execution |OVERLORD_GUS_WORKSPACE=$WS nohup $AGENT >/dev/null 2>&1 &
- Purpose: Clone malicious repository and open in VS Code, triggering auto-execution via tasks.json | Tools:
- Other:
4f7a8c3d2e1b5f9071a6b2c8d4e3f50a92b1c7d6e8f4a30b5c2d9e1f7a6b8c4d- Hardcoded AES-256-GCM key used to decrypt Windows encrypted payloads at runtime[email protected]- Attacker-controlled email address used in phishing campaigns[email protected]- Attacker-controlled email address used in phishing campaigns[email protected]- Attacker-controlled email address used in phishing campaigns[email protected]- Attacker-controlled email address used in April 2026 phishing campaigns[email protected]- Attacker-controlled email address used in April 2026 phishing campaigns[email protected]- Attacker-controlled email address used in April 2026 phishing campaigns[email protected]- Attacker-controlled email address used in April 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns[email protected]- Attacker-controlled email address used in May 2026 phishing campaigns