lazarusholic

Everyday is lazarus.dayβ

I was likely targeted by DPRK in a sophisticated developer malware campaign

2026-05-25, Denv
https://blog.denv.it/posts/i-was-likely-targeted-by-dprk-in-a-sophisticated-developer-malware-campaign/
#ContagiousInterview #VSCode

Contents

On May 25th, 2026, I received a remote smart-contract-security recruiting email from “Olivia Ben” at “Pulsynk.” It asked me to clone a GitLab repository called rekt-db and open it in VS Code or Cursor. The repository turned out to contain a hidden folder-open task, a malicious extension installer, and native wallet/credential-stealing binaries for macOS and Linux.

I did not run it. The mechanics are consistent with DPRK developer-targeting campaigns such as Microsoft’s Contagious Interview (MITRE G1052), but I am treating the attribution as tradecraft similarity, not proof of operator identity.

Update (May 26, 2026)

Two pleasant surprises since publishing this post.

First, the Swiss GovCERT team actually replied to my report — promptly, professionally, and with follow-up questions. I had expected reporting to NCSC to be a formality with little practical effect, so this was a very pleasant surprise. Well done — this only guarantees I’ll report more in the future.

Second, GitLab has removed the …

IoC
