Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when workspaces are opened, and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal modifications. This creates a worm-like propagation chain where each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of DEV#POPPER RAT and other tools to steal cryptocurre...
AI Analysis
Technical Summary
Void Dokkaebi (Famous Chollima) has evolved into a self-propagating supply chain threat targeting software developers by leveraging fake job interview schemes to lure victims into cloning malicious repositories. The infection vector includes malicious Visual Studio Code task configurations that execute automatically upon workspace opening and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal the modifications. This enables worm-like propagation where each compromised developer seeds new infected repositories. The campaign has infected over 750 repositories as of March 2026 and has impacted organizations such as DataStax and Neutralinojs. Payloads are delivered through blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying malware such as DEV#POPPER RAT and other tools aimed at cryptocurrency theft and data exfiltration. The threat is attributed to the WageMole adversary group aligned with North Korea. No patch or official remediation is documented.
Potential Impact
The campaign compromises developer machines and software supply chains by injecting malicious code into repositories, enabling widespread propagation and infection of downstream users. It results in unauthorized execution of malware that can steal cryptocurrency and sensitive data. The tampering with Git history complicates detection and remediation. The infection has reached notable organizations, indicating a significant risk to software development environments and supply chain integrity. No known exploits in the wild beyond this campaign are reported, and no official fixes are documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should exercise caution with unsolicited job interview requests and verify the authenticity of code repositories before cloning. Developers should audit VS Code task configurations and monitor for unauthorized modifications in source code and Git history. Employing repository integrity checks and restricting automatic task executions in development environments may help reduce risk. Since no official patch or fix is available, heightened vigilance and manual detection are critical.
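Auditing VS Code task configurations, as the recommendations above suggest, can be scripted. The following is an added example (not code from the original report or from Trend Micro) that walks a cloned repository and flags every task whose `runOptions.runOn` is `"folderOpen"`, the VS Code mechanism that launches a task when a workspace folder is opened; the sample tasks.json is constructed for the demonstration.

```python
"""Audit a cloned repository for VS Code tasks that run on workspace open.
Added example, not code from the original report. A task in .vscode/tasks.json
whose runOptions.runOn is "folderOpen" is launched by the editor on open."""
import json
import os
import re
from typing import Dict, List

# tasks.json is JSON with comments. Strip whole-line // comments and /* */
# blocks only, so a "//" inside a string such as a URL is left untouched.
_LINE_COMMENT = re.compile(r"^\s*//[^\n]*$", re.MULTILINE)
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def find_auto_run_tasks(tasks_json_text: str) -> List[Dict[str, str]]:
    """Return label and command line of every task that auto-runs on folder open."""
    cleaned = _BLOCK_COMMENT.sub("", _LINE_COMMENT.sub("", tasks_json_text))
    try:
        data = json.loads(cleaned)
    except json.JSONDecodeError:
        # A tasks file we cannot parse still deserves a manual look, so report it.
        return [{"label": "<unparseable tasks.json>", "command": ""}]
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            findings.append({"label": str(task.get("label", "")),
                             "command": " ".join(p for p in parts if p)})
    return findings

def scan_repo(root: str) -> List[Dict[str, str]]:
    """Walk a checkout (skipping .git) and collect auto-run tasks from each .vscode/tasks.json."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend({"path": path, **f} for f in find_auto_run_tasks(fh.read()))
    return findings

# Constructed sample (not from the campaign): a build task plus one wired to folderOpen.
SAMPLE_TASKS_JSON = """{
  // VS Code tolerates comments here
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "prepare", "type": "shell", "command": "node",
     "args": [".vscode/setup.js"], "runOptions": {"runOn": "folderOpen"}}
  ]
}"""
```

Run `scan_repo("<path to clone>")` before opening an unfamiliar repository in the editor; VS Code's `task.allowAutomaticTasks` setting, set to `off`, is the per-machine restriction on automatic task execution the recommendations refer to.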
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
- Adversary: WageMole
- Pulse Id: 69e7690744c08ddc410e543f
- Threat Score: null
Threat ID: 69e7983919fe3cd2cddfb206
Added to database: 4/21/2026, 3:31:05 PM
Last enriched: 4/21/2026, 3:46:25 PM
Last updated: 6/5/2026, 5:49:09 PM
Views: 151