{
	"id": "904a9e5c-e447-4cc5-a254-3ff5deb54bd0",
	"created_at": "2026-05-06T02:02:48.638804Z",
	"updated_at": "2026-05-06T02:03:52.678346Z",
	"deleted_at": null,
	"sha1_hash": "575762f4b3a32f4518b378b7cc5490bb4f44a91a",
	"title": "Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1111581,
	"plain_text": "Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware\r\nvia Code Repositories\r\nBy: Lucas Silva Apr 21, 2026 Read time: 11 min (3007 words)\r\nPublished: 2026-04-21 · Archived: 2026-05-06 02:01:41 UTC\r\nKey takeaways\r\nVoid Dokkaebi (aka Famous Chollima) has evolved beyond single-target social engineering into a self-propagating supply chain threat. A compromised developer’s repository becomes an infection vector for the\r\nnext wave of victims, creating a worm-like propagation chain through the developer ecosystem.\r\nThe campaign spreads through trusted development workflows, using malicious VS Code tasks and\r\ninjected code that can execute during normal development activity. When compromised code reaches\r\norganizational or popular open-source repositories, contributors, forks, and downstream projects can also\r\nbe exposed.\r\nAnalysis in March 2026 identified more than 750 infected repositories, over 500 malicious VS Code task\r\nconfigurations, and 101 instances of the commit tampering tool. Repositories belonging to organizations\r\nsuch as DataStax and Neutralinojs were also identified carrying infection markers.\r\nThe campaign uses blockchain infrastructure for payload staging, including Tron, Aptos, and Binance\r\nSmart Chain, which puts parts of its delivery infrastructure beyond traditional takedowns.\r\nIntroduction\r\nVoid Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically\r\ntargets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous\r\nintegration/continuous delivery (CI/CD) pipelines and production infrastructure. As previously documented by\r\nTrendAI™ Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into\r\ncloning and executing code repositories as part of fabricated job interviews. 
This is a pattern independently\r\ntracked across the industry since 2024, but less attention has been paid to what happens after the\r\ninitial compromise.\r\nOur analysis reveals that Void Dokkaebi’s operations do not end with a single infected developer. The\r\ncompromised machine becomes a launchpad, with the threat actor weaponizing the victim’s own repositories and\r\nturning their code contributions into infection vectors for downstream developers. The result is a self-sustaining\r\npropagation chain resembling a worm’s behavior rather than a traditional targeted attack. This report details the\r\npropagation model, the malware it delivers, the scale of contamination we observed, and what organizations can\r\ndo about it.\r\nThe infection paths and how the worm spreads\r\nhttps://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html\r\nPage 1 of 10\n\nThe propagation relies on two distinct mechanisms that work in tandem. The first spreads passively through Visual\r\nStudio Code (VS Code) workspace configurations that travel with committed code. The second is an active\r\ntechnique where the threat actor, having gained remote access to a developer’s machine, injects obfuscated\r\nJavaScript into the victim’s repositories and rewrites git history to conceal the tampering.\r\nFigure 1. Infection paths used by Void Dokkaebi, with the first flow done via VSCode and the\r\nsecond via active injection\r\nThe initial infection begins with a fabricated job interview where the victim is asked to clone a code repository\r\nand review or run it as part of a technical assessment. The repositories are hosted on GitHub, GitLab, or\r\nBitbucket, and appear to be legitimate coding projects. 
The delivery mechanism abuses VS Code’s workspace task\r\nsystem, a technique that has been independently documented by Microsoft,\r\nOpenSourceMalware, and Abstract Security.\r\nThe attack works as follows:\r\n1. The repository contains a .vscode/tasks.json file with a task configured to run automatically when the\r\nworkspace is opened (runOn: folderOpen).\r\n2. When the victim opens the project in VS Code and accepts the workspace’s trust prompt, the task executes\r\nwithout further interaction.\r\n3. In some cases, the task fetches the backdoor directly from a remote URL. In others, it launches a font or\r\nimage file bundled in the repository that contains the malicious payload, a different execution variant that\r\nachieves the same result.\r\nThe developer’s ecosystem is compromised at this point, but the worm-like behavior begins when the victim\r\ncommits that code to GitHub. Whether pushing the project itself or reusing components in other work, the\r\nmalicious .vscode/tasks.json is committed along with it. The .vscode folder is hidden by default in file explorers\r\nand is commonly absent from .gitignore files, making it an effective trojan horse. Any developer who\r\nsubsequently clones that repository and opens it in VS Code receives the same trust prompt. If accepted, the cycle\r\nrepeats.\r\nThis creates a self-propagating chain. Each compromised developer seeds new repositories with the infection\r\nvector, and each new victim becomes a potential distributor. Unlike traditional social engineering where the attack\r\nends with the initial target, here the range of infection expands with every commit.\r\nFlow 2: Active injection and commit tampering\r\nIn parallel, we observed a second propagation mechanism. 
Users who were already compromised by Void\r\nDokkaebi had multistage obfuscated JavaScript code added to the source code files in their repositories.\r\nThe threat actor targets various configuration files and common entry points, choosing files that developers are\r\nless likely to scrutinize closely. The obfuscated JavaScript, which functions as the multistage loader described in\r\nthe next section, is added to the end of the file.\r\nWhitespace is often added to push this additional code to the right edge of the screen and make it invisible during\r\ncasual code review, or when inspecting code differences. Because these configuration files are evaluated as\r\nJavaScript by Node.js tooling (e.g., build tools, linters, bundlers), any code appended to them executes\r\nautomatically whenever the corresponding tool runs.\r\nFigure 2. Code snippets of a GitHub repository containing the injected code\r\nBoth the code injection and its concealment are performed remotely through malware installed during the initial\r\ncompromise (flow 1). To conceal the tampering, the threat actor employs a Windows batch script\r\n(temp_auto_push.bat) that extracts metadata from the most recent Git commit: its date, time, author name, email,\r\nand commit message.\r\nThey then temporarily alter the system clock to match the original commit’s timestamp. The modified commit is\r\namended with the injected code while preserving all original authorship metadata. The --no-verify flag is used to\r\nbypass pre-commit hooks and CI/CD security checks. After the amendment, the system clock is restored, and the\r\nrewritten commit is force-pushed to the remote branch. 
In the git history, the injection appears indistinguishable\r\nfrom the original commit.\r\nFigure 3. Code snippets of the temp_auto_push.bat script\r\nIn some compromised repositories, we observed both techniques being present simultaneously (i.e., the malicious\r\n.vscode/tasks.json alongside the appended obfuscated JavaScript). We believe that there were cases where\r\ndevelopers fell victim to both propagation methods separately, but also cases where the attackers used both\r\ntechniques on one victim.\r\nThis “double infection” mechanism provides redundancy. The tasks.json catches developers using VS Code\r\n(triggering on folder open), while the injected JavaScript executes for anyone who builds or runs the project\r\nregardless of their IDE. Together, they guarantee malware execution.\r\nThe organizational amplifier\r\nThe worm-like propagation poses higher risk when it reaches developers with commit access to organizational or\r\npopular open-source repositories. We identified compromised repositories belonging to the following\r\norganizations:\r\nDataStax: At least five repositories found compromised between January 31 and\r\nFebruary 3, 2026, which have since been cleaned.\r\nNeutralinojs: Its repositories had 8,400 stars and 495 forks, and all four repositories were force-pushed with malicious commits in a single automated burst on March 2, 2026. The commits were\r\nbackdated between 5 and 35 days to blend with legitimate history, and the attack went undetected for 3\r\ndays until identified and remediated by the OpenSourceMalware team.\r\nThese organizations were found carrying malicious code snippets consistent with these techniques. 
While we\r\ncannot confirm the exact chain of events within these organizations, the indicators are consistent with a scenario\r\nwhere a contributor with commit access was first compromised through the social engineering lure (flow 1),\r\nwhich subsequently enabled the infection of the organizational repositories (flow 2). Once a repository of this\r\nscale is compromised, every contributor, every fork, and every downstream project that depends on it becomes a\r\npotential victim. This amplifies the scope of the campaign from a single developer to an entire ecosystem.\r\nThis propagation model is fundamentally different from traditional supply chain attacks, such as the SolarWinds\r\nincident that required the compromise of the build infrastructure. Here, no build system is breached. The attack\r\nexploits something far simpler:\r\nDeveloper workflow habits\r\nThe tendency to not include .vscode folders in gitignore\r\nNot reviewing configuration files line by line\r\nTrusting the contents of their own repositories.\r\nIt is also distinct from traditional network worms, which exploit software vulnerabilities to propagate. This\r\ncampaign propagates through trust in development tools, in colleagues’ commits, and in open-source projects.\r\nWith the propagation model established, we now turn to the malware that these infection vectors deliver.\r\nThe malware in brief: DEV#POPPER RAT variant\r\nThe tasks.json vector (flow 1) acts as a straightforward downloader, fetching and executing a payload from a\r\nremote URL or bundled file. However, the obfuscated JavaScript injected into source code files (flow 2) is part of\r\na more complex approach. It functions as a multistage loader, which is designed to retrieve and execute payloads\r\nfrom blockchain infrastructure. 
It progresses through four stages, each employing layers of string shuffling,\r\nhexadecimal obfuscation, and character swap algorithms to hinder analysis.\r\nThe loader queries the Tron blockchain API to fetch a transaction from a hardcoded wallet address. The data\r\nextracted from this transaction is used as a reference key to retrieve an encrypted payload from a Binance Smart\r\nChain (BSC) transaction’s input data field. If the Tron query fails, the loader falls back to the Aptos blockchain as\r\nan alternative data source.\r\nThe retrieved payload is XOR-decrypted using a hardcoded key and executed via eval() or by spawning a\r\npersistent hidden background process. Across stages, the loader rotates wallet addresses and transaction hashes,\r\nallowing each stage to independently update its pointers by simply posting a new transaction to the corresponding\r\nblockchain without modifying the malware’s code.\r\nThis blockchain-based staging mechanism is particularly significant because it functions as a general-purpose\r\ndelivery platform. Since the payload is retrieved dynamically from immutable blockchain transactions, the threat\r\nactor can deliver any malware from their toolset by simply updating the blockchain reference, including other\r\nmalware that has been linked to North Korea, such as InvisibleFerret, OtterCookie, OmniStealer,\r\nDEV#POPPER, and BeaverTail, all of which have been observed in Void Dokkaebi’s operations. 
A single infected\r\nrepository can serve as a delivery vector for different payloads at different times, depending on the threat actor’s\r\noperational objectives.\r\nDEV#POPPER RAT\r\nOne of the payloads delivered through this infrastructure is a variant of the DEV#POPPER RAT (version marker\r\n260311), a cross-platform Node.js remote access trojan (RAT) previously documented by eSentire.\r\nThe variant we analyzed introduces a multi-operator session management system, where several operators can\r\nwork on a compromised machine simultaneously through independent command queues. This indicates team-based operations rather than a single attacker.\r\nThe backdoor communicates with its command-and-control (C\u0026C) server via WebSocket (using socket.io-client).\r\nIt uses HTTP for file uploads, directory exfiltration, and logging, specifically through the ‘/verify-human/[VERSION]’ endpoint for heartbeat and notification, and ‘/u/f’ for data exfiltration.\r\nThese distinctive network patterns provide researchers and analysts with reliable signatures for identifying\r\ninfected devices. WebSocket connections to unexpected endpoints combined with HTTP traffic matching these\r\nURL patterns on developer workstations are strong indicators of compromise.\r\nTwo aspects of this variant are directly relevant to the propagation model:\r\nThe RAT specifically detects and avoids CI/CD environments (e.g., GitLab CI, BuildBot) and cloud\r\nsandboxes, executing only on real developer workstations. 
This means automated pipeline scanning will\r\nmiss it entirely.\r\nFor persistence, it injects versioned code (markers: C250617A through C250620A) into developer\r\napplications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop) and creates a hidden\r\n.node_modules folder for Node.js module search order hijacking. This persistence into developer tooling\r\ncreates additional opportunities for the worm-like propagation described earlier.\r\nThe scale of contamination\r\nTo quantify the campaign’s reach, we scanned public code hosting platforms in late March 2026. The following\r\nstatistics provide a snapshot of the contamination across public repositories.\r\nFigure 4. The scale of infection as per TrendAI™ Research analysis in late March\r\nOur scan identified over 750 unique repositories containing the obfuscated JavaScript loader, identified by the\r\nglobal['!'] initialization marker. However, in several instances, multiple repositories were infected, resulting in a\r\nhigher number of source code files being compromised.\r\nAn additional 60 source code files carried a variant loader using a different marker (global['_V']). This suggests\r\neither an evolution of the tooling or a separate Void Dokkaebi cluster operating with modified tooling, a pattern of\r\noperational autonomy we also observed in the RAT variants discussed in earlier sections.\r\nOn the VS Code infection vector, we found 392 .vscode/tasks.json files configured as downloaders and 131\r\nadditional tasks.json files launching fake font or image files. They are a different execution variant but have the\r\nsame underlying infection mechanism. Any developer who clones the containing repository and opens it in VS\r\nCode will be prompted to trust the workspace. 
If accepted, the malicious task executes automatically.\r\nWe found the commit tampering tool (temp_auto_push.bat) in at least 101 repositories. This is direct evidence that\r\nthe threat actor had active remote access to the developer’s machine and deliberately chose to weaponize their\r\nrepositories, regardless of whether the injected JavaScript was still present at the time of our scan.\r\nThe infected repositories (numbering more than 750) include threat actor-operated repositories and legitimately\r\ncompromised users’ repositories, and possibly a mix of both. We cannot determine in every case whether the\r\ninjection was performed via the commit tampering tool or through direct file manipulation.\r\nThese numbers represent what was visible on public code repositories at the time of our analysis. The actual scale\r\nof contamination is likely larger. Figure 4 does not include repositories that were identified and cleaned before our\r\nscan, private repositories not indexed by public search, and forks or clones that propagated the infection to\r\nenvironments we cannot observe.\r\nThe numbers also represent the downstream impact of cascading propagation and not the number of individually\r\ncompromised developers. A single compromised developer can infect multiple files across several repositories.\r\nEach compromised developer’s repositories became the infection source for the next wave of victims. When\r\nviewed alongside the organizational cases discussed earlier, this points to a self-sustaining campaign where a\r\nrelatively small, initial investment in social engineering can produce a large infection surface.\r\nActionable guidance\r\nThe following recommendations directly address the mechanisms Void Dokkaebi relies on for propagation and\r\npersistence. These are prioritized by impact:\r\nUse isolated environments for interview coding assignments. Never execute code from job interviews on\r\nproduction or personal machines. 
Use disposable virtual environments destroyed after the assessment. This\r\nis the single most effective way to prevent the initial compromise.\r\nAdd .vscode/ to .gitignore and enforce this across organizational repositories. This breaks the passive worm\r\npropagation vector entirely.\r\nEnforce branch protection and signed commits. Block force pushes, require pull requests, and require\r\nGPG- or SSH-signed commits. The commit-tampering tool relies on git push --force and cannot forge\r\ncryptographic signatures. These controls directly neutralize it.\r\nAudit repositories for known infection markers. Search for global['!'] and global['_V'] in source code files,\r\nand check for temp_auto_push.bat. If found, assume that the developer workstation was compromised.\r\nIsolate the machine, revoke credentials, and notify collaborators and downstream consumers.\r\nScrutinize configuration file changes. Files such as postcss.config.mjs, tailwind.config.js, eslint.config.mjs,\r\nand next.config.mjs are targeted because they are rarely reviewed closely. Inspect for content appended\r\nbeyond the visible area of the screen. Apply the same review rigor as application source code.\r\nMonitor for blockchain API and C\u0026C traffic. Outbound connections to api.trongrid.io,\r\nfullnode.mainnet.aptoslabs.com, and Binance Smart Chain RPC endpoints from developer workstations are\r\nhigh-confidence indicators. Additionally, monitor for connections to MongoDB port 27017 and HTTP\r\npatterns /u/f and /verify-human/[VERSION].\r\nDo not rely solely on CI/CD pipeline scanning. The RAT detects and avoids CI/CD environments.\r\nEndpoint-level detection on developer workstations is essential.\r\nTreat VS Code workspace trust prompts as a security decision. 
Inspect .vscode/tasks.json for runOn:\r\nfolderOpen tasks before granting trust.\r\nApply network-level blocks for known infrastructure. The section on indicators of compromise (IoCs) lists\r\nVercel-hosted downloaders, URL shortener redirectors, and C\u0026C addresses associated with this campaign.\r\nThese IoCs can support detection and threat hunting for related activity across the environment.\r\nInclude interview-based social engineering in security awareness training. The attack pattern, “clone and\r\nrun this repo as part of your interview,” should be part of developer-focused security programs.\r\nConclusion\r\nVoid Dokkaebi’s recent activities represent a shift in how supply chain attacks can operate. Rather than\r\ncompromising build systems or package registries, the threat actor exploits the trust developers place in their own\r\ntools, their colleagues’ commits, and the open-source projects they depend on. A single compromised developer\r\nbecomes the seed for an infection that propagates across personal repositories, organizational codebases, and\r\npopular open-source projects without requiring any further social engineering.\r\nThe scale of infection also confirms that this is an active and expanding campaign. Organizations that treat\r\ndeveloper workstations and repository workflows as part of their attack surface will be better positioned to detect\r\nand disrupt this threat before it propagates.\r\nTrendAI™ Research will keep tracking Void Dokkaebi and related campaigns, delivering actionable intelligence\r\nso that your organization stays ahead of emerging threats. 
Our threat intelligence, paired with advanced detection\r\ncapabilities, helps keep your organization protected against sophisticated attacks going after cryptocurrency assets\r\nand sensitive enterprise data.\r\nTrendAI Vision One™ customers are protected from the IoCs listed in the table below.\r\nTrendAI Vision One™ Threat Intelligence Hub\r\nTrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat\r\nactors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed\r\nin the TrendAI Vision One™ platform.\r\nEmerging Threats: Fake Interview Lures Used by Void Dokkaebi to Spread Malware Through Git Repositories\r\nThreat Actor: Void Dokkaebi\r\nTrendAI Vision One™ Intelligence Reports (IOC Sweeping)\r\nFake Interview Lures Used by Void Dokkaebi to Spread Malware Through Git Repositories\r\nHunting Queries\r\nTrendAI Vision One™ Search App\r\nTrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in\r\nthis blog post with data in their environment.\r\nPotential Code Commit File Created\r\neventSubId: 101 AND objectFilePath: temp_auto_push.bat\r\nOutbound Connection to Potential Void Dokkaebi C2\r\neventSubId: (204 OR 301) AND dst: (136.0.9.8 OR 198.105.127.210 OR 23.27.202.27 OR 154.91.0.196 OR\r\n23.27.20.143 OR 85.239.62.36 OR 83.168.68.219 OR 166.88.4.2 OR 23.27.120.142)\r\nMore hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled. 
\r\nIndicators of Compromise (IoCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html"
	],
	"report_names": [
		"void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html"
	],
	"threat_actors": [],
	"ts_created_at": 1778032968,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/575762f4b3a32f4518b378b7cc5490bb4f44a91a.pdf",
		"text": "https://archive.orkl.eu/575762f4b3a32f4518b378b7cc5490bb4f44a91a.txt",
		"img": "https://archive.orkl.eu/575762f4b3a32f4518b378b7cc5490bb4f44a91a.jpg"
	}
}