Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
North Korea-linked threat actor Void Dokkaebi is using fake job interviews to trick developers into downloading malware from compromised code repositories, creating a self-propagating supply chain attack.

Trend Micro researchers have detailed a sophisticated campaign by the North Korea-aligned threat actor Void Dokkaebi (aka Famous Chollima) that uses fake job interview lures to trick software developers into downloading malware from compromised code repositories. The attack leverages trusted development workflows and open-source projects to propagate, turning a single developer compromise into a broader supply-chain risk. The campaign targets organizational codebases, potentially affecting downstream consumers of the infected repositories.
The initial infection begins with a fabricated job interview where the victim is asked to clone a code repository and review or run it as part of a technical assessment. The repositories are hosted on GitHub, GitLab, or Bitbucket, and appear to be legitimate coding projects. The delivery mechanism abuses VS Code's workspace task system, a technique that has been independently documented by Microsoft and other security researchers.
The attack works by including a `.vscode/tasks.json` file in the repository with a task configured to run automatically when the workspace is opened. When the victim opens the project in VS Code and accepts the workspace's trust prompt, the task executes without further interaction. In some cases, the task fetches the backdoor directly from a remote URL; in others, it launches a font or image file bundled in the repository that contains the malicious payload.
Once a developer is compromised, the worm-like behavior begins when the victim commits code to GitHub. The malicious `.vscode/tasks.json` is committed along with the project, and any developer who subsequently clones that repository and opens it in VS Code receives the same trust prompt. This creates a self-propagating chain where each compromised developer seeds new repositories with the infection vector.
In parallel, researchers observed a second propagation mechanism where already-compromised users had multistage obfuscated JavaScript code added to source code files in their repositories. The threat actor targets various configuration files and common entry points, adding obfuscated JavaScript that functions as a multistage loader. Whitespace is often added to push this additional code to the right edge of the screen, making it invisible during casual code review.
Analysis in March 2026 identified more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 instances of a commit tampering tool. Repositories belonging to organizations such as DataStax and Neutralinojs were also identified carrying infection markers. The campaign uses blockchain infrastructure for payload staging, including Tron, Aptos, and Binance Smart Chain, which puts parts of its delivery infrastructure beyond traditional takedowns.
Void Dokkaebi has evolved beyond single-target social engineering into a self-propagating supply chain threat. The compromised developer's repository becomes an infection vector for the next wave of victims, creating a worm-like propagation chain through the developer ecosystem. Organizations are advised to review their VS Code trust settings, audit repositories for suspicious `.vscode` configurations, and educate developers about the risks of accepting workspace trust prompts from untrusted sources.
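One way to run the repository audit recommended above, as an added example that is not code from Trend Micro or from the original article. It assumes the auto-run behaviour corresponds to VS Code's `runOptions.runOn: "folderOpen"` task setting, and the function names, 80-character padding threshold, file extensions and sample task are constructed for illustration.

```python
import json, re, sys
from pathlib import Path

# Constructed sample: a benign task that VS Code would start on folder open.
SAMPLE_TASKS = """{"version": "2.0.0", "tasks": [
  {"label": "setup", "type": "shell", "command": "echo constructed-sample",
   "runOptions": {"runOn": "folderOpen"}}]}"""

# Assumed heuristic: code, then 80+ spaces/tabs, then more code on one line.
PADDED = re.compile(r"\S[ \t]{80,}\S")
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts", ".json"}  # assumed scan scope

def autorun_tasks(text):
    """Return (label, command) for each task set to run on folder open."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # tasks.json may carry comments (JSONC); fall back to a text match.
        return [("<unparsed JSONC>", "")] if '"folderOpen"' in text else []
    hits = []
    for task in doc.get("tasks", []) if isinstance(doc, dict) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<no label>"), str(task.get("command", ""))))
    return hits

def padded_lines(text):
    """Return 1-based numbers of lines hiding code behind a whitespace run."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PADDED.search(line)]

def audit_repo(root):
    """Walk a checkout and return (path, kind, detail) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            text = path.read_text(errors="replace")
            findings += [(rel.as_posix(), "autorun-task", f"{l}: {c}") for l, c in autorun_tasks(text)]
        elif path.suffix in SOURCE_EXT:
            text = path.read_text(errors="replace")
            findings += [(rel.as_posix(), "padded-line", f"line {n}") for n in padded_lines(text)]
    return findings

if __name__ == "__main__":
    for finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it against a checkout before opening the folder in VS Code; an auto-run task is not malicious by itself, so each finding is a prompt to read the task's command and the flagged line in full.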