A North Korea-linked threat actor known as Void Dokkaebi, also tracked as Famous Chollima, is running an active malware campaign that turns fake job interviews into a self-spreading attack on software developers. The group poses as recruiters from cryptocurrency and AI companies, luring developers into cloning and executing code repositories as part of fabricated technical assessments.
Fake Interviews Used To Target Developers
The campaign primarily targets developers with access to cryptocurrency wallet credentials, signing keys and CI/CD pipeline infrastructure, making them high-value entry points into wider organisational networks. Once a developer takes the bait, the attack does not stop with the initial compromise. Their own repositories can become a source of infection for the next wave of targets.
Trend Micro researchers who analysed the campaign said the propagation model resembles a worm rather than a conventional targeted attack. Each compromised developer can unknowingly seed new repositories with malware, exposing other developers who later clone those repositories to the same risk.
The initial infection begins when a job applicant clones a repository hosted on GitHub, GitLab or Bitbucket and opens it in Visual Studio Code. The repository contains a hidden .vscode/tasks.json file that runs automatically when the workspace opens.
Hidden Files And Tampered Code Spread The Infection
If the developer accepts the Visual Studio Code workspace trust prompt, a routine action many developers may perform without close scrutiny, the malicious code runs immediately without further interaction. The risk is heightened because the .vscode folder is hidden by default in most file explorers and is frequently excluded from .gitignore files.
When the compromised developer later commits their work to GitHub, the malicious configuration file is included. Any developer who subsequently clones that repository faces the same trust prompt and the same risk, allowing the infection to spread passively without further action by the attackers.
Void Dokkaebi also uses a second, more aggressive method. On compromised machines, the threat actor remotely injects heavily obfuscated JavaScript into configuration files such as postcss.config.mjs, tailwind.config.js and next.config.mjs. The injected code is pushed to the right edge of the screen using whitespace, making it difficult to spot during casual code review.
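Both indicators described above, the auto-running .vscode/tasks.json and the whitespace-padded JavaScript injected into front-end config files, can be checked for in a freshly cloned repository before the workspace is trusted. The scanner below is an added example written for this article, not Trend Micro's tooling; it relies on VS Code's documented `runOptions.runOn: "folderOpen"` task setting, and the threshold of 200 leading whitespace characters and the sample inputs are constructed assumptions.

```python
import json
import re
from pathlib import Path

WATCHED_CONFIGS = {"postcss.config.mjs", "tailwind.config.js", "next.config.mjs"}  # files named in the article
PAD_THRESHOLD = 200  # assumed: leading whitespace beyond this column is treated as hiding code


def find_autorun_tasks(tasks_json_text):
    """Return commands of tasks VS Code would launch when the folder is opened."""
    # tasks.json is JSONC; drop whole-line // comments so json.loads accepts it.
    text = re.sub(r"^\s*//.*$", "", tasks_json_text, flags=re.MULTILINE)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    return [t.get("command", "") for t in data.get("tasks", [])
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]


def find_padded_lines(source_text, threshold=PAD_THRESHOLD):
    """Return (line_no, code) pairs for lines pushed far right by leading whitespace."""
    hits = []
    for n, line in enumerate(source_text.splitlines(), 1):
        code = line.lstrip(" \t")
        if code and len(line) - len(code) >= threshold:
            hits.append((n, code[:60]))
    return hits


def scan_repo(root):
    """Walk a cloned repository and report both indicators as (kind, where, detail)."""
    root = Path(root)
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        for cmd in find_autorun_tasks(tasks.read_text(errors="replace")):
            findings.append(("autorun-task", str(tasks), cmd))
    for path in root.rglob("*"):
        if path.is_file() and path.name in WATCHED_CONFIGS:
            for n, snippet in find_padded_lines(path.read_text(errors="replace")):
                findings.append(("padded-line", f"{path}:{n}", snippet))
    return findings


# Constructed samples (not taken from the campaign) for a quick self-check.
SAMPLE_TASKS = """{
  // constructed example of a task that runs on folder open
  "version": "2.0.0",
  "tasks": [{"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
             "runOptions": {"runOn": "folderOpen"}}]
}"""
SAMPLE_CONFIG = "export default { plugins: {} };\n" + " " * 300 + "console.log('constructed');\n"
```

Run `scan_repo("/path/to/clone")` on a checkout before opening it in the editor; any `autorun-task` finding deserves a manual look regardless of the command it names.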
Trend Micro Finds Hundreds Of Malicious Repositories
Trend Micro researchers scanning public repositories in late March 2026 identified more than 750 unique repositories carrying the obfuscated JavaScript loader, 392 malicious tasks.json downloader files, and the commit-tampering tool in at least 101 repositories.
Real-world organisational victims included DataStax and Neutralinojs, where the attack went undetected for three days before being discovered and remediated.
The payload delivered through this infrastructure includes a variant of the DEV#POPPER remote access trojan, a cross-platform Node.js RAT that supports simultaneous multi-operator sessions, communicates over WebSocket and specifically detects and avoids CI/CD environments. Because it stays dormant there, automated pipeline scans can miss the malware entirely, making the campaign a significant risk for software supply chains and developer workflows.