A sophisticated cyber campaign, attributed to the North Korea-linked hacking group Void Dokkaebi (also known as Famous Chollima), is targeting software developers by leveraging fake job interviews to distribute malware. The attackers entice developers into cloning malicious code repositories disguised as technical assessments, thereby transforming their machines and development projects into vectors for further malware dissemination. This deceptive strategy highlights an evolving threat landscape where even routine professional interactions can become attack surfaces.
The scheme commences with threat actors impersonating recruiters from prominent cryptocurrency and artificial intelligence companies. These actors engage developers on professional networking platforms and, during a fabricated interview process, instruct them to clone a repository from platforms like GitHub, GitLab, or Bitbucket as a coding challenge. These repositories, which appear to be legitimate projects, contain covert malicious code designed to activate as soon as the developer opens the project folder.
A particularly alarming aspect of this campaign, as identified by Trend Micro researchers, is its self-propagating nature. Void Dokkaebi does not cease operations after compromising an individual developer. Instead, the group exploits the victim’s own machine and repositories to infect subsequent developers, creating a worm-like infection chain that spreads across organizations without requiring additional social engineering efforts for each new target. By March 2026, the scale of the operation had become substantial, with over 750 infected repositories, more than 500 malicious VS Code task configurations, and 101 instances of a commit tampering tool identified across public code hosting platforms. The presence of infection markers in repositories associated with established organizations like DataStax and Neutralinojs indicates the campaign’s reach into popular open-source projects.
Inside Void Dokkaebi’s Infection Chain
The campaign employs a multi-pronged approach, combining two primary attack vectors. The first method abuses Visual Studio Code’s workspace configuration files, specifically the hidden .vscode/tasks.json file. This file is engineered to execute automatically when a developer opens the project folder. Upon accepting the workspace trust prompt, the malicious task is triggered, fetching a backdoor from a remote URL or launching a disguised payload embedded within the repository.
The second method involves a more direct infiltration. Once remote access to a developer’s machine is secured, obfuscated JavaScript code is injected into the source files of the victim’s own repositories. This malicious code is strategically concealed using whitespace to the far right of the screen, evading quick code reviews. A batch script, identified as temp_auto_push.bat, is then utilized to rewrite the Git commit history. This script copies the original author’s name, timestamp, and message before force-pushing the tampered version, thereby presenting it as a legitimate, original commit.
The ultimate payload delivered through these methods is a variant of the DEVSPOPPER remote access trojan (RAT). This RAT is a cross-platform tool built with Node.js. It establishes communication with a command-and-control (C2) server via WebSocket and employs HTTP for data exfiltration. A notable feature of DEVSPOPPER is its multi-operator session system, which allows multiple threat actors to simultaneously control a single compromised machine. Furthermore, the RAT is designed to detect and actively avoid executing within Continuous Integration/Continuous Deployment (CI/CD) environments and cloud sandboxes, ensuring it only runs on actual developer workstations and remains undetected by automated pipeline scanning.
To mitigate the risks associated with this evolving threat, developers and organizations can adopt several preventative measures. It is strongly advised to always execute code provided during interviews within isolated or disposable virtual environments that are subsequently destroyed. Executing such code on personal or production machines should be strictly forbidden. Incorporating .vscode/ into the .gitignore file and enforcing this across all organizational repositories can effectively prevent passive worm propagation. Mandating GPG- or SSH-signed commits, coupled with branch protection and mandatory pull requests, can serve as a safeguard against the commit-tampering tool.
Organizations should also conduct thorough audits of their source code for infection markers, specifically looking for global['.!'] and global['_V'], and check for the presence of the temp_auto_push.bat script. Vigilant monitoring of outbound connections from developer workstations to blockchain API endpoints, such as api.trongrid.io and Binance Smart Chain RPC endpoints, is also recommended. Given that the DEVSPOPPER RAT evades CI/CD environments by design, endpoint-level detection on individual developer workstations becomes a critical defense layer.
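The audit recommended here, together with the whitespace-concealment and commit-tampering techniques described earlier, can be turned into a repository check. The following is an added example, not code from the report or from any affected project: it walks a checkout (or a constructed in-memory snapshot) and reports the global['.!'] and global['_V'] marker strings, source lines where code appears only after a long run of blank columns, the presence of a temp_auto_push.bat file, and a .gitignore that does not exclude .vscode/. The sample repository contents, the 40-column gap threshold and the file-suffix list are constructed assumptions.

```python
"""Audit a repository snapshot for the infection markers described in the report."""
import os
import re

# Marker strings named in the report, in both quote styles JavaScript allows.
INFECTION_MARKERS = ("global['.!']", "global['_V']", 'global[".!"]', 'global["_V"]')
TAMPER_TOOL = "temp_auto_push.bat"
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".jsx", ".tsx", ".json")

# A whitespace run at least this long before further code is treated as an attempt
# to push the payload off the visible screen (threshold is an assumption; tune it).
HIDDEN_GAP = 40
HIDDEN_CODE = re.compile(
    r"^(?P<visible>.*?\S)(?P<gap>[ \t]{%d,})(?P<hidden>\S.*)$" % HIDDEN_GAP
)

# Constructed repository snapshot (path -> contents); these are not real project files.
SAMPLE_REPO = {
    "src/index.js": (
        "const express = require('express');\n"
        "const app = express();" + " " * 120 + "global['_V']=1;\n"
        "app.listen(3000);\n"
    ),
    "src/util.js": "export const add = (a, b) => a + b;  // short aligned comment\n",
    "scripts/temp_auto_push.bat": "@echo off\nrem constructed placeholder, not the real tool\n",
    ".gitignore": "node_modules/\ndist/\n",
}


def scan_line(path, lineno, line):
    """Return (path, line, reason) tuples for one source line."""
    findings = []
    for marker in INFECTION_MARKERS:
        if marker in line:
            findings.append((path, lineno, "infection marker %s" % marker))
    match = HIDDEN_CODE.match(line.rstrip("\n"))
    if match:
        findings.append((
            path, lineno,
            "code hidden after %d blank columns: %r"
            % (len(match.group("gap")), match.group("hidden")[:40]),
        ))
    return findings


def audit_files(files):
    """files maps repo-relative path -> text. Returns a list of (path, line, reason)."""
    findings = []
    for path, text in files.items():
        if os.path.basename(path).lower() == TAMPER_TOOL:
            findings.append((path, 0, "commit-history rewriting script present"))
        if path.endswith(SOURCE_SUFFIXES):
            for lineno, line in enumerate(text.splitlines(), 1):
                findings.extend(scan_line(path, lineno, line))
    # Plain ".vscode" or ".vscode/" entries are recognised; glob forms are not.
    gitignore = files.get(".gitignore", "")
    if not any(e.strip().rstrip("/") == ".vscode" for e in gitignore.splitlines()):
        findings.append((".gitignore", 0, ".vscode/ is not ignored; tasks.json could be committed"))
    return findings


def audit_repo(root):
    """Read a checkout from disk (skipping .git) and hand it to audit_files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
            except OSError:
                continue
    return audit_files(files)


if __name__ == "__main__":
    for path, lineno, reason in audit_files(SAMPLE_REPO):
        print("%s:%d: %s" % (path, lineno, reason))
```

The marker strings are an exact-match check and the whitespace heuristic is deliberately coarse, so treat a hit as a prompt for review of the commit that introduced the line rather than as proof of compromise; because the tampering tool rewrites author and timestamp, the commit metadata alone is not a reliable indicator and signed commits with branch protection remain the durable control.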
The continued activity of Void Dokkaebi underscores the persistent threat to the software development supply chain. Future efforts by the group are likely to focus on refining their social engineering techniques and expanding the reach of their malware, potentially targeting a broader range of open-source projects and development tools. Organizations will need to maintain heightened vigilance and adapt their security protocols to counter these sophisticated and adaptive threats emanating from state-sponsored actors.