I was likely targeted by DPRK in a sophisticated developer malware campaign

2026-05-25 Denv

https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-a-sophisticated-developer-malware-campaign/


A fake Pulsynk recruiting email targeted a smart-contract security developer with instructions to clone a GitLab repository and open it in VS Code or Cursor. The repository abused a `.vscode/tasks.json` folder-open task to install a malicious VS Code extension masquerading as Google Update Support, which then dropped native Go implants for macOS and Linux. The malware sought cryptocurrency wallets, browser credentials and sessions, SSH keys, `.env` files, package-manager tokens, and credential-store data, and on macOS used a fake System Security Update prompt to harvest login credentials. Its encrypted WebSocket C2 used `23.137.105.75:5173` and upload paths disguised as company-wallet endpoints, while strings and environment variables overlapped with the public Overlord RAT project. The author notes overlap with DPRK-linked Contagious Interview developer targeting but treats attribution as tradecraft similarity rather than proof of operator identity.

Indicators of Compromise

