Proofpoint observed UNK_DeadDrop, a very likely North Korea-aligned developer phishing cluster, sending more than 250 emails to targets at nearly 100 organizations in April and May 2026, especially across cryptocurrency, finance, technology, education, and business services. The actor used recruitment, code-review, Foundry testing, and AI payments lures to drive developers to malicious GitHub and GitLab repositories that abused VS Code and Cursor task automation and installed a malicious VSIX extension. Linux and macOS payloads used Overlord-derived Go RATs with persistent WebSocket C&C, while the Windows chain ran JavaScript and Python inside the editor's Electron process to steal cryptocurrency wallets, browser credentials, keychain or keyring data, and standalone wallet artifacts. Proofpoint notes overlap with Contagious Interview tradecraft but tracks UNK_DeadDrop as a distinct cluster due to separate telemetry, email-based initial access, self-contained payloads, and distinct infrastructure.