
Void Dokkaebi Hackers Use Fake Job Interviews to Spread Malware via Code Repositories

Cybersecurity News, archived Apr 24, 2026




A North Korea-linked hacking group known as Void Dokkaebi, also tracked as Famous Chollima, is running a campaign that tricks software developers into installing malware through fake job interviews. The group lures developers into cloning infected code repositories as part of a fabricated coding test, then turns their machines and projects into malware-spreading tools.

The attack starts with a convincing setup. Threat actors pose as recruiters from cryptocurrency and artificial intelligence firms, reaching out to developers on professional platforms. During a fake interview, the target is asked to clone a repository on GitHub, GitLab, or Bitbucket and run it as a "technical assessment." These repositories look like legitimate projects but carry hidden malicious code that runs the moment the developer opens the folder.

What makes this campaign dangerous is what happens after that first infection. Trend Micro analysts identified that Void Dokkaebi does not stop at a single compromised developer. The attacker uses the victim's own machine and repositories to infect the next wave of developers, creating a worm-like chain that spreads across organizations without further social engineering.

By March 2026, the scale had grown significantly. Analysis by Trend Micro Research identified more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 instances of a commit-tampering tool across public code hosting platforms. Repositories belonging to organizations such as DataStax and Neutralinojs were also found carrying infection markers, showing the campaign had reached into popular open-source projects. Once a compromised developer pushes code to GitHub or reuses components elsewhere, the malicious files travel with it, waiting for the next developer to open the project and trigger the attack, creating a cycle that grows with every commit.
Inside the Infection Chain

The campaign uses two methods working together. The first abuses Visual Studio Code workspace files, specifically a hidden file called .vscode/tasks.json, configured to run automatically when the developer opens the project folder. When the developer accepts the workspace trust prompt, the malicious task executes without further interaction, fetching a backdoor from a remote URL or launching a disguised file inside the repository that carries the payload.

[Figure: Infection paths used by Void Dokkaebi (Source: Trend Micro)]

The second method is more direct. After gaining remote access to a developer's machine, the attacker injects obfuscated JavaScript into source files in the victim's own repositories. The code is pushed to the far right of the screen using whitespace, hiding it during quick reviews. A batch script called temp_auto_push.bat rewrites git commit history by copying the original author name, timestamp, and message before force-pushing the tampered version, so it appears to be a legitimate commit.

[Figure: Code snippets of a GitHub repository containing the injected code (Source: Trend Micro)]

The delivered payload is a variant of the DEVSPOPPER remote access trojan, a cross-platform Node.js-based tool. It connects to a command-and-control server via WebSocket and uses HTTP for file exfiltration. A multi-operator session system lets several threat actors work on one compromised machine at the same time. The RAT detects and avoids CI/CD environments and cloud sandboxes, running only on real developer workstations, so automated pipeline scanning will miss it.

Developers and organizations can take steps to reduce exposure. Always run interview code in isolated or disposable virtual environments that are destroyed after the session, and never execute it on personal or production machines. Add .vscode/ to .gitignore and enforce this across all organizational repositories to block passive worm propagation.
Require GPG- or SSH-signed commits with branch protection and mandatory pull requests to stop the commit-tampering tool. Audit source code for the infection markers global'!' and global'_V', and check for temp_auto_push.bat. Monitor outbound connections to blockchain API endpoints such as api.trongrid.io and Binance Smart Chain RPC endpoints from developer workstations. Endpoint-level detection on developer workstations is essential, since the RAT avoids CI/CD environments by design.
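The following is an added defender-side example, not Trend Micro's tooling or anything from the original article. It scans a checkout for the three repository-level traits described above: a VS Code task configured to run on folder open, source lines pushed off-screen behind a long whitespace run, and the temp_auto_push.bat history-rewriting script. The sample repository it builds in a temporary directory is constructed with harmless placeholders; the 120-character whitespace threshold and the file extension list are assumptions to tune per code base.

```python
import json
import re
import tempfile
from pathlib import Path

# Hypothetical scanner (added example). Flags the three repository traits the
# article describes; thresholds and extension list are assumptions.
PAD_RE = re.compile(r"[ \t]{120,}\S")      # code hidden behind a long whitespace run
SOURCE_EXT = {".js", ".ts", ".mjs", ".cjs", ".json"}

def folder_open_tasks(tasks_json_text):
    """Return labels of tasks whose runOptions.runOn is 'folderOpen'."""
    try:
        data = json.loads(tasks_json_text)
    except ValueError:  # tasks.json may be JSONC; fall back to a raw text check
        return ["<unparsed>"] if '"folderOpen"' in tasks_json_text else []
    return [t.get("label", "<unlabelled>") for t in data.get("tasks", [])
            if isinstance(t, dict)
            and t.get("runOptions", {}).get("runOn") == "folderOpen"]

def scan_repo(root):
    """Walk a checkout and return sorted (finding, location) pairs."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "temp_auto_push.bat":
            findings.append(("commit-tamper-script", rel))
        if rel.endswith(".vscode/tasks.json"):
            for label in folder_open_tasks(path.read_text(errors="ignore")):
                findings.append(("folder-open-task:" + label, rel))
        elif path.suffix in SOURCE_EXT:
            for n, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
                if PAD_RE.search(line):
                    findings.append(("whitespace-hidden-code", f"{rel}:{n}"))
    return sorted(findings)

def demo():
    """Scan a constructed sample checkout (harmless placeholders, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "echo hi",
             "runOptions": {"runOn": "folderOpen"}}]}))
        (root / "temp_auto_push.bat").write_text("rem constructed placeholder\n")
        (root / "index.js").write_text("module.exports = 1;" + " " * 300 + "/* hidden tail */\n")
        (root / "clean.js").write_text("console.log('ok');\n")
        return scan_repo(root)
```

Run it against a freshly cloned interview repository before opening it in an editor; a non-empty result from scan_repo is a reason to stop and review the files by hand.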
Source: Cybersecurity News. Category: Industry News & Leadership. Published: Apr 24, 2026.