OnePlan A.I CyberSecurity Scoring
OnePlan
Company Information
Website:http://www.oneplan.ai
Employees number:171
Number of followers:12,068
NAICS:5112
Industry Type:Software Development
Homepage:oneplan.ai
OnePlan Risk Score (AI oriented)
Between 700 and 749
OnePlanSoftware Development
Updated:
08/06/2026
08/06/2026
736/1000
Moderate
Ba
OnePlan Global Score (TPRM)
xxxx
OnePlanSoftware Development
Score locked

OnePlanModerate
Current Score
736Ba (MODERATE)
01000
1 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
736
JUNE 2026
736
MAY 2026
736
APRIL 2026
753
Cyber Attack
01 Apr 2026 • OnePlan
NXLog, OnePlan, Hypen Connect, Empower Pharmacy, Valon and Ondo Finance: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
North Korean-Linked Phishing Campaign Targets Developers in Credential and Crypto Theft Scheme (UNK_DeadDrop)
734
CRITICAL-19
ONENXLHYPINOONDEMP1780957588
North Korean-Linked Phishing Campaign Targets Developers in Credential and Crypto Theft Scheme
A newly identified phishing campaign, tracked as UNK_DeadDrop and suspected to be linked to North Korea, has targeted over 250 individuals across nearly 100 organizations primarily in the U.S. between April and May 2024. The operation, uncovered by Proofpoint threat researchers, aims to steal developer credentials and cryptocurrency wallets through deceptive job offers and code review requests.
### Attack Methodology
The campaign begins with unsolicited emails spoofing legitimate companies, including Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish. These messages offer fake roles such as "Full-Stack Engineer" or "Agent Lead Developer" and direct victims to malicious GitHub repositories disguised as coding assignments or cryptocurrency projects.
In May, the attackers shifted tactics, sending peer-review requests for open-source projects under the guise of companies like Pulsynk and Trixauvex, or soliciting Ethereum smart contract testing via Foundry. When victims open the repositories in VS Code or Cursor, a pre-configured task executes, deploying cross-platform malware on Windows, macOS, and Linux.
### Malware Execution & Payloads
- Linux & macOS: The malware uses a Go-based backdoor derived from the Overlord C2 framework, a legitimate red-team tool repurposed for malicious use. It includes modules for:
- Browser credential theft (Chrome, Firefox, and Chromium-based browsers).
- Cryptocurrency wallet exfiltration (MetaMask, Phantom, Exodus, Ledger Live, etc.).
- Anti-forensic cleanup to remove traces.
On macOS, the malware displays a fake system password prompt to escalate privileges, while on Linux, it uses Zenity for credential harvesting.
- Windows: The attack runs as JavaScript within VS Code’s Electron process, targeting 35 wallet extensions, 18 standalone wallets, and browser profiles. It installs Python-based stealers to extract credentials, cookies, and encrypted browser data, then exfiltrates them to attacker-controlled servers.
### Infrastructure & Evolution
Unlike previous North Korean-linked campaigns (e.g., Contagious Interview), UNK_DeadDrop relies on email-based phishing rather than social media, suggesting a scaled, industrialized approach. The attackers maintain distinct infrastructure, using GitHub repositories themed around cryptocurrency, exploits, AI payments, and Foundry testing to lure victims.
### Impact & Implications
The campaign highlights North Korea’s evolving cybercrime tactics, shifting from high-touch social engineering to large-scale phishing for financial gain. The use of legitimate tools (Overlord, Foundry, GitHub) and cross-platform malware underscores the growing sophistication of state-aligned threat actors targeting developers, financial services, and tech firms.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
753
FEBRUARY 2026
753
JANUARY 2026
753
DECEMBER 2025
753
NOVEMBER 2025
753
OCTOBER 2025
753
SEPTEMBER 2025
753
AUGUST 2025
753
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for OnePlan ??
What was OnePlan's A.I Rankiteo Cyber Score in June 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in May 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in April 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in March 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in February 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in January 2026 ??
What was OnePlan's A.I Rankiteo Cyber Score in December 2025 ??
What was OnePlan's A.I Rankiteo Cyber Score in November 2025 ??
What was OnePlan's A.I Rankiteo Cyber Score in October 2025 ??
What was OnePlan's A.I Rankiteo Cyber Score in September 2025 ??
What was OnePlan's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on OnePlan's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with OnePlan ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view OnePlan's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?