Proofpoint A.I CyberSecurity Scoring
Proofpoint
Company Information
Website: https://www.proofpoint.com
Employees number: 4,976
Number of followers: 182,427
NAICS: 541514
Industry Type: Computer and Network Security
Homepage:proofpoint.com
Proofpoint Risk Score (AI oriented)
Between 650 and 699
Updated: 08/06/2026
690/1000
Weak
B

Current Score: 690/1000, B (Weak)
3 incidents
-31 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
690
MAY 2026
707
APRIL 2026
704
Cyber Attack
01 Apr 2026 • Proofpoint
GitLab, Proofpoint, Google, GitHub, Phantom and Firefox: North Korean Hackers Use Fake Coding Tasks to Steal Crypto
North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign
685
LOW-19
MOZPHAGITPROGOOGIT1780935989
A likely North Korean threat actor has conducted a sophisticated phishing campaign, targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked by Proofpoint as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms.
### How the Attack Worked
The campaign used shifting pretexts including fake full-stack developer roles, AI payment agent projects, and ERC-4626 smart-contract testing to lure victims into cloning malicious GitHub or GitLab repositories. Once opened in VS Code or Cursor, a hidden tasks.json file executed automatically, exploiting a legitimate editor feature.
- VS Code displayed a trust prompt, but Cursor ran the payload silently without user interaction.
- The malware installed a fake Google-themed VS Code extension, ensuring persistence by relaunching on macOS and Linux whenever the editor reopened.
- Linux/macOS systems received a Go-based remote access trojan (RAT) from the open-source Overlord framework, while Windows ran JavaScript directly in the editor, leaving no disk footprint.
### Data Theft & Wallet Drainage
The malware targeted cryptocurrency wallets and browser credentials, including:
- Browser extensions: MetaMask, Phantom, Keplr
- Desktop wallets: Exodus, Electrum, Ledger Live
- Saved passwords & cookies from Chrome, Brave, Edge, and Firefox
To bypass security:
- macOS/Linux displayed a fake password prompt, using the input to escalate privileges and dump keychains.
- Windows bypassed Chrome’s app-bound encryption to extract data.
After exfiltration, the malware deleted itself to evade detection.
### Attribution & Distinct Tactics
While the campaign resembles Contagious Interview, a long-running North Korean operation, Proofpoint tracks UNK_DeadDrop separately due to its email-led delivery, large-scale repository creation, and self-contained payloads that persist even after infrastructure takedowns. Though attribution remains unconfirmed, the campaign aligns with North Korea’s history of targeting developers since 2022.
MARCH 2026
704
FEBRUARY 2026
703
JANUARY 2026
701
DECEMBER 2025
700
NOVEMBER 2025
698
OCTOBER 2025
755
Breach
21 Oct 2025 • Proofpoint
Salesloft
Salesloft-Drift OAuth Token Breach
696
CRITICAL-59
DRI1593115102125
The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.
SEPTEMBER 2025
755
AUGUST 2025
769
Cyber Attack
01 Aug 2025 • Proofpoint
Unidentified Trucking Carriers, Proofpoint and Unidentified Freight Brokers: Cybercriminals Hit Freight and Trucking Companies In Cargo Theft Scheme
Cybercriminals Hijack Freight Shipments in Sophisticated Supply Chain Attacks
754
CRITICAL-15
PRONOVVTS1776407277
A financially motivated cybercrime group is targeting the surface transportation industry, using advanced tactics to steal physical cargo by compromising freight brokers and trucking carriers. Since August 2025, cybersecurity firm Proofpoint has tracked nearly two dozen campaigns involving thousands of malicious messages, resulting in the theft of high-value shipments, including electronics and energy drinks, which are later resold online or shipped overseas.
The attackers exploit digital load boards, marketplaces where brokers and carriers arrange freight shipments, through three primary methods:
- Compromised Load Boards: Using stolen credentials, they post fraudulent freight listings and send malicious links to responding carriers.
- Email Thread Hijacking: They infiltrate legitimate email chains between supply chain partners, inserting malicious URLs into trusted conversations.
- Direct Email Targeting: Broad phishing campaigns target logistics firms to identify and later steal high-value cargo.
Once a victim clicks a malicious link, it downloads an executable or MSI file that installs legitimate but abused Remote Monitoring and Management (RMM) tools, such as ScreenConnect, PDQ Connect, or LogMeIn Resolve, enabling attackers to maintain control over compromised systems.
While the threat actors remain unidentified, they demonstrate deep knowledge of trucking industry software and dispatch operations. To mitigate risks, Proofpoint recommends restricting unauthorized RMM tool installations, deploying network monitoring for suspicious activity, blocking executable email attachments, and training staff to recognize phishing attempts.
As digital infrastructure becomes increasingly integral to supply chains, these attacks highlight the growing intersection of cyber threats and physical cargo theft, posing significant financial and operational risks to transportation companies.
JULY 2025
769