DPRK 'Contagious Interview' Scam Evolves Into Self-Propagating Supply Chain Attack Via Malicious VS Code Tasks
North Korean threat actor Void Dokkaebi has weaponized fake job interviews to turn compromised developer repositories into worm-like infection vectors, infecting over 750 repos in March 2026 alone.
The infamous North Korean fake job scam known as 'Contagious Interview' has evolved into a self-propagating supply chain attack that uses compromised developer repositories as worm-like infection vectors, according to a new report from Trend Micro. The campaign, attributed to the North Korean threat actor tracked as Void Dokkaebi (aka Famous Chollima), now goes far beyond single-target social engineering: it systematically weaponizes the trust developers place in routine coding tasks to spread malware across GitHub, GitLab, and Bitbucket.
Attackers pose as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of a technical assessment during a fake job interview. The delivery mechanism abuses Visual Studio Code's workspace task system: when the victim opens the project in VS Code and accepts the workspace's trust prompt, a malicious task executes without further interaction. In some cases, the task fetches a backdoor directly from a remote URL; in others, it launches a font or image file bundled in the repository that contains the malicious payload.
Once the developer's environment is compromised, the attack exhibits what Trend Micro calls 'worm-like behavior.' When the victim commits code to GitHub, the .vscode folder becomes hidden by default, turning the malicious code into an effective Trojan horse. Any developer who subsequently clones the repository and opens it in VS Code receives a trust prompt that, if accepted, repeats the cycle — creating a self-propagating chain of infections. 'Each compromised developer seeds new repositories with the infection vector, and each new victim becomes a potential distributor,' wrote Trend Micro senior threat researcher Lucas Silva.
The campaign targets cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. In March 2026 alone, Trend Micro identified more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool used by Void Dokkaebi. Repositories belonging to organizations such as data management company DataStax and Java application provider Neutralinojs were found to be carrying infection markers.
A particularly concerning aspect of the campaign is its use of blockchain infrastructure for payload staging — including Tron, Aptos, and Binance Smart Chain — which puts parts of its delivery infrastructure beyond traditional security takedowns. This makes it significantly harder for defenders to disrupt the attack chain compared to campaigns relying on conventional hosting providers.
The evolution of Contagious Interview follows the discovery in December 2025 of a similar attack that created a malicious npm package factory operating like a well-oiled machine. Joshua Allman, staff tactical response analyst at Huntress, noted that because attackers are targeting people actively looking for work, they are likely to have a more engaged target and can be incredibly precise with who they target. This can lead to a downstream impact of thousands if they successfully compromise a popular package or project.
For enterprise defense, Trend Micro recommends that organizations ensure all development projects use a lock file for dependency management, verify the integrity of updates, and maintain active endpoint protection. Job seekers are advised to think twice before installing anything presented by a prospective employer and to run any coding tasks in a separate virtual machine or container that does not have access to credentials, tokens, or secrets.