
Confirmed Void Dokkaebi infection on macOS — how do I figure out if VS Code Copilot agent was involved in the delivery?

0
Medium
Published: Sat Jun 06 2026 (06/06/2026, 19:13:13 UTC)
Source: Reddit BlueTeam

Description

Void Dokkaebi malware infection has been confirmed on macOS systems, with a user reporting suspicious commit tampering in code repositories potentially linked to VS Code Copilot agent activity. The malware campaign is known to use fake job interview lures and commit tampering techniques, primarily documented on Windows, but macOS-specific behaviors remain unclear. The user is investigating whether the VS Code Copilot agent was manipulated to insert malicious code or if tampering occurred independently at the OS level. No official macOS-specific indicators or commit tampering scripts have been identified yet. There is no confirmed exploit or patch information available. The investigation is ongoing with questions about forensic artifacts and logging related to VS Code Copilot and git operations on macOS.

Reddit Discussion

r/AskNetsec · posted by u/Dramatic-Bug6898

Found TronGrid C2 code in three of my repos recently. Matches Void Dokkaebi style pretty cleanly. Running on macOS, not Windows, which is where my questions start.

The Trend Micro report describes temp_auto_push.bat for commit tampering — Windows only. I haven't found it on my machine. Is there a known macOS equivalent for this campaign? Or does the commit spoofing work differently on Mac?

Second question and the one I'm more stuck on: every single infected commit happened during a VS Code Copilot agent session. The agent was doing legitimate multi-file edits across my workspace each time. So I'm wondering if:

a) the agent got prompt-injected via something in the workspace and wrote the malicious code itself, or
b) the commit tampering happened at the OS level independently and the agent sessions are just coincidence

If it's (a), I'd expect to find traces somewhere in VS Code's logs or Copilot telemetry. Does VS Code log what the agent actually wrote during a session anywhere? On macOS I've been looking in ~/Library/Application Support/Code/logs/ but not finding anything obviously useful.

If it's (b), what forensic artifacts would tell me a git amend + force push happened without me doing it?

Any pointers appreciated — still piecing this together before I write it up.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/06/2026, 20:18:36 UTC

Technical Analysis

Void Dokkaebi is a malware campaign that spreads via code repositories using social engineering lures such as fake job interviews. It has been confirmed to infect macOS, although prior technical details focused on Windows, including a batch script for commit tampering. A user report describes suspicious commits coinciding with VS Code Copilot agent sessions, raising questions about whether the agent was compromised or if tampering occurred at the OS level. The user seeks forensic guidance on detecting unauthorized git amend and force push operations and on locating VS Code Copilot logs on macOS. No official vendor advisories or patches are referenced.

Potential Impact

The malware can lead to unauthorized code injection into repositories, potentially compromising software supply chains and developer environments. The macOS infection vector and mechanisms remain partially unclear, complicating detection and response. There is no evidence of widespread exploitation, and no confirmed involvement of the VS Code Copilot agent beyond the user's suspicion. The impact is rated medium severity because of the potential for codebase compromise and the difficulty of attribution.

Mitigation Recommendations

Patch status is not yet confirmed, and no vendor advisory is referenced; check for current remediation guidance as it becomes available. Since no official fixes or mitigations are documented, defenders should monitor for unusual git commit amendments and force pushes, especially those not initiated by authorized users. Investigate VS Code logs for anomalous agent activity, although current logs may not capture detailed Copilot agent writes. Maintain vigilance on repository integrity and consider restricting automated agent permissions until more is known.
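The following triage helper addresses both the poster's question about which artifacts reveal an unattended git amend and force push and the monitoring recommendation above. It is an added example, not code from the Reddit thread, the Trend Micro report or OffSeq: it assumes the developer's configured git identity is passed in as `expected_identity`, and it runs on constructed sample output of the two git commands named in the comments (the `%h`, `%gs`, `%an`, `%cn`, `%at`, `%ct` format placeholders are real git ones).

```python
"""Triage helper for suspected git history rewrites (amend, rebase, reset).
Paste in the output of the two git commands named below, run in the suspect repo."""

# Constructed sample of:  git reflog show --format='%h|%gs|%ct' HEAD
REFLOG_SAMPLE = """\
a1b2c3d|commit: add retry helper|1780000000
b2c3d4e|commit (amend): add retry helper|1780003700
c3d4e5f|commit: refactor config loader|1780010000
d4e5f6a|rebase (finish): returning to refs/heads/main|1780013000
"""

# Constructed sample of:  git log --format='%h|%an|%cn|%at|%ct' -n 50
LOG_SAMPLE = """\
b2c3d4e|Dev Name|Dev Name|1780000000|1780003700
c3d4e5f|Dev Name|Dev Name|1780010000|1780010000
d4e5f6a|Dev Name|Dev Name|1780010500|1780013000
"""

# Reflog subjects written by operations that rewrite commits that already existed.
REWRITE_ACTIONS = ("commit (amend)", "rebase", "reset", "cherry-pick")


def suspicious_reflog_entries(reflog_text):
    """Return [(short_hash, subject, unix_time)] for reflog entries left by rewrites.
    The reflog is local and prunable by anyone with shell access: absence proves
    nothing, but a hit dates the rewrite so it can be matched to the user's activity."""
    hits = []
    for line in reflog_text.splitlines():
        short, subject, ts = line.split("|", 2)
        if subject.startswith(REWRITE_ACTIONS):
            hits.append((short, subject, int(ts)))
    return hits


def rewritten_commits(log_text, expected_identity, max_skew=300):
    """Return [(short_hash, [reasons])] for commits whose metadata shows rewriting:
    committer is not the developer, author and committer differ, or the committer
    date trails the author date (git stamps a fresh committer date on amend/rebase)."""
    hits = []
    for line in log_text.splitlines():
        short, author, committer, at, ct = line.split("|")
        reasons = []
        if committer != expected_identity:
            reasons.append(f"committer {committer!r} is not {expected_identity!r}")
        if author != committer:
            reasons.append("author and committer differ")
        skew = int(ct) - int(at)
        if skew > max_skew:
            reasons.append(f"committer date {skew}s after author date")
        if reasons:
            hits.append((short, reasons))
    return hits
```

Committer-date skew is a lead, not proof: the developer's own amends and `git pull --rebase` produce it too, so correlate each hit's timestamp with when the user was actually at the keyboard and with the reflog entries.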


Technical Details

Source Type: reddit
Subreddit: blueteamsec+AskNetsec+Information_Security
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":25,"reasons":["external_link","non_newsworthy_keywords:how do i,vs","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":["how do i","vs"]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a248097e29bf47b50cea577

Added to database: 6/6/2026, 8:18:31 PM

Last enriched: 6/6/2026, 8:18:36 PM

Last updated: 6/7/2026, 4:10:49 AM

Views: 13

Community Reviews

0 reviews

