🇰🇵 North Korean Hackers Using GitHub and VS Code to Steal Cryptocurrency
16 June 2026 — A North Korean threat group known as Contagious Interview (Famous Chollima) has launched a sophisticated campaign targeting software developers through fake recruitment emails containing malicious GitHub repositories.
How the Attack Works
The hackers send emails posing as recruiters or code reviewers, asking recipients to clone a GitHub repository and open it in Visual Studio Code or Cursor. The repository contains malicious VS Code projects that use the runOn: folderOpen technique — meaning the code executes automatically the moment you open the project.
No user interaction required.
The attack chain:
- Email arrives — looks like a coding interview test or open-source code review request
- Victim clones the repo from GitHub
- Opens it in VS Code — the malicious extension runs immediately
- Malware installs — a fake "Google" extension that steals:
- Browser cryptocurrency wallet extensions
- Saved credentials
- Desktop wallet applications
- System passwords (via fake security pop-ups)
The Scale
- 250+ emails sent over six weeks
- 100 organisations targeted across finance, cryptocurrency, education, and tech
- 75% in the US, with UK, Australia, France, and others also targeted
- Cross-platform — Windows, macOS, and Linux all affected
Cross-Platform Infection
| OS | Infection Method | Payload |
|---|---|---|
| macOS | Shell script | Overlord framework + data theft |
| Linux | Shell script | Overlord framework + data theft |
| Windows | VBScript → CMD → VSIX | Wallet theft + credential stealing |
Why This Is Dangerous
This marks a shift in North Korean hacking operations. Instead of the traditional LinkedIn-based social engineering, they're now running industrial-scale email campaigns with malicious code repositories. The use of legitimate developer tools (VS Code, GitHub) makes it much harder to detect.
How Developers Can Protect Themselves
- Never clone repositories from unsolicited emails, even if they look like legitimate job offers
- Inspect VS Code projects before opening them — check the
.vscodeand.githubdirectories - Disable automatic extension installation in VS Code settings
- Be suspicious of coding tests that involve cloning a repo rather than a standalone coding challenge
- Use a dedicated virtual machine for any code from unknown sources
- Verify the recruiter — check they work at the company they claim to represent
If You've Been Targeted
- Disconnect the affected device from the internet
- Check for suspicious VS Code extensions or scheduled tasks
- Move cryptocurrency to a new wallet created on a clean device
- Change all passwords from a trusted device
- Report to Action Fraud on 0300 123 2040
Source: The Hacker News / Proofpoint / DomainTools