
Proofpoint tracks UNK_DeadDrop phishing via GitHub repos and VS Code runOn:folderOpen triggers
North Korean-linked actors weaponized VS Code workspace triggers and GitHub distribution to deliver Overlord-based loaders in 250+ emails. The technical evidence shows clear TTP evolution but lacks independent state attribution. The pattern indicates a maturing supply-chain focus on developer tooling across repeated campaigns.
The campaign cloned repositories containing scripts that activated on VS Code folder open, installing loaders for macOS, Linux, and Windows. These deployed a Google-masquerading VSIX extension for reconnaissance, credential theft from wallets, and HTTP POST exfiltration. Linux/macOS chains invoked a custom Overlord Go framework; Windows used VBScript-to-CMD without persistence. Proofpoint documented 75 percent U.S. targets across the finance, crypto, and tech sectors.

The evidence consists of the specific GitHub artifacts, VS Code workspace settings.json entries, extension manifests, and C2 infrastructure. Initial access shifted from LinkedIn lures to mass email, with Overlord replacing prior families such as BeaverTail.

No independent technical attribution to Pyongyang appears in the telemetry; the link remains researcher inference from TTP overlap with Contagious Interview. Mainstream accounts treat these as discrete North Korean operations; procurement and job-posting patterns instead show sustained developer targeting since late 2025, using supply-chain vectors that bypass endpoint controls. The tactic scales credential harvesting without requiring a custom implant on every host.

Future activity will likely expand to Cursor and additional IDE triggers while rotating C2 domains. Detection requires monitoring workspace configuration changes and unexpected VSIX installations rather than relying on binary signatures.
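As an added illustration of the detection point above (not code from Proofpoint or the report), the following Python scans a workspace task file for the folder-open auto-run trigger. It assumes the trigger lives in `.vscode/tasks.json` as `runOptions.runOn: "folderOpen"`, which is where VS Code defines it, and the sample task file is constructed.

```python
import json

# Constructed sample of a .vscode/tasks.json as a cloned repo might ship it:
# a task with runOptions.runOn == "folderOpen" executes when the folder opens.
SAMPLE_TASKS_JSON = r'''{
  // VS Code task files may contain comments, so plain json.loads would fail
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "node .vscode/setup.js",  /* constructed, not a real sample */
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

def strip_jsonc_comments(text):
    """Remove // and /* */ comments while leaving string contents intact."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:                                  # inside a JSON string
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):    # keep escaped char verbatim
                i += 1; out.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True; out.append(ch)
        elif text.startswith("//", i):              # line comment: skip to EOL
            end = text.find("\n", i)
            i = len(text) if end < 0 else end; continue
        elif text.startswith("/*", i):              # block comment: skip past */
            end = text.find("*/", i + 2)
            if end < 0: break
            i = end + 2; continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def find_folder_open_tasks(tasks_json_text):
    """Return (label, command line) for each task that auto-runs on folder open."""
    doc = json.loads(strip_jsonc_comments(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [task.get("command", "")] + [str(a) for a in task.get("args", [])]
            hits.append((task.get("label", "<unlabelled>"), " ".join(parts).strip()))
    return hits
```

Run it over every `.vscode/tasks.json` in a freshly cloned repository before opening the folder in the IDE; any hit is a command that would execute without a prompt in a trusted workspace.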
Proofpoint: UNK_DeadDrop will send at least 300 additional emails using IDE triggers by September 2026.
Sources (2)
- [1] Proofpoint UNK_DeadDrop Report (https://www.proofpoint.com/us/threat-insight/post/unk_deaddrop-developer-phishing)
- [2] Contagious Interview TTP Analysis (https://www.mandiant.com/resources/blog/contagious-interview-north-korea)