Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Void Dokkaebi, a North Korea-aligned threat actor, uses fake job interview lures to trick software developers into cloning malicious code repositories. The malware propagates through infected VS Code task configurations that run automatically and by injecting obfuscated JavaScript into source code with Git history tampering to hide changes. This creates a worm-like supply chain attack, with over 750 infected repositories identified as of March 2026, impacting organizations such as DataStax and Neutralinojs. Payloads are delivered via blockchain infrastructures like Tron, Aptos, and Binance Smart Chain, deploying malware variants including DEV#POPPER RAT to steal cryptocurrency and other data. No official patch or remediation guidance is provided in the available data.
AI Analysis
Technical Summary
Void Dokkaebi (Famous Chollima) has evolved into a self-propagating supply chain threat targeting software developers by leveraging fake job interview schemes to lure victims into cloning malicious repositories. The infection vector includes malicious Visual Studio Code task configurations that execute automatically upon workspace opening and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal the modifications. This enables worm-like propagation where each compromised developer seeds new infected repositories. The campaign has infected over 750 repositories as of March 2026 and has impacted organizations such as DataStax and Neutralinojs. Payloads are delivered through blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying malware such as DEV#POPPER RAT and other tools aimed at cryptocurrency theft and data exfiltration. The threat is attributed to the WageMole adversary group aligned with North Korea. No patch or official remediation is documented.
Potential Impact
The campaign compromises developer machines and software supply chains by injecting malicious code into repositories, enabling widespread propagation and infection of downstream users. It results in unauthorized execution of malware that can steal cryptocurrency and sensitive data. The tampering with Git history complicates detection and remediation. The infection has reached notable organizations, indicating a significant risk to software development environments and supply chain integrity. No known exploits in the wild beyond this campaign are reported, and no official fixes are documented.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Organizations should exercise caution with unsolicited job interview requests and verify the authenticity of code repositories before cloning. Developers should audit VS Code task configurations and monitor for unauthorized modifications in source code and Git history. Employing repository integrity checks and restricting automatic task execution in development environments may help reduce risk. Since no official patch or fix is available, heightened vigilance and manual detection are critical.
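The audit step above can be scripted. The following is an added example, not code from this page or from the Trend Micro report: it walks a directory tree, parses every `.vscode/tasks.json` it finds (tasks.json is JSON-with-comments, so comments and trailing commas are stripped first), and reports tasks whose `runOptions.runOn` is `folderOpen`, which is the VS Code setting that makes a task start as soon as the workspace is opened. The embedded `SAMPLE_TASKS_JSON` is a constructed sample, not an artifact from the campaign.

```python
"""Flag VS Code tasks that run automatically when a workspace is opened.

Added example for auditing .vscode/tasks.json files; sample input is constructed.
"""
import json
import os
import re
import sys
from typing import Dict, List

# tasks.json is JSONC: match string literals first so that "//" inside a
# string (e.g. a URL) survives, and drop only real // and /* */ comments.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r",\s*([}\]])")


def parse_jsonc(text: str) -> dict:
    """Parse JSON-with-comments as written by VS Code (comments, trailing commas)."""
    no_comments = _TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text
    )
    return json.loads(_TRAILING_COMMA_RE.sub(r"\1", no_comments))


def find_auto_run_tasks(tasks_json_text: str) -> List[Dict[str, str]]:
    """Return tasks configured with runOptions.runOn == "folderOpen".

    Each finding records the task label, type and the command line it would run,
    so a reviewer can judge whether the task belongs in the repository.
    """
    doc = parse_jsonc(tasks_json_text)
    findings = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "type": task.get("type", ""),
            "command": " ".join(parts).strip(),
        })
    return findings


def scan_tree(root: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each .vscode/tasks.json under root to its auto-run tasks (empty map if none)."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = os.path.join(dirpath, "tasks.json")
        try:
            with open(path, encoding="utf-8") as fh:
                hits = find_auto_run_tasks(fh.read())
        except (OSError, ValueError) as exc:
            # An unparseable tasks.json is itself worth a look; surface it.
            hits = [{"label": "<unparseable>", "type": "", "command": str(exc)}]
        if hits:
            results[path] = hits
    return results


# Constructed sample: one ordinary build task and one task that auto-runs on open.
SAMPLE_TASKS_JSON = r'''{
    // constructed sample, not taken from any real repository
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
        },
        {
            "label": "Prepare Workspace",
            "type": "shell",
            "command": "node",
            "args": ["./scripts/setup.js"],
            "runOptions": { "runOn": "folderOpen" }
        }
    ]
}'''


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_tree(sys.argv[1])
    else:
        report = {"<sample>": find_auto_run_tasks(SAMPLE_TASKS_JSON)}
    for path, hits in report.items():
        for hit in hits:
            print(f"{path}: auto-run task {hit['label']!r} ({hit['type']}) -> {hit['command']}")
```

Run it as `python scan_tasks.py /path/to/checkouts` to list every folder-open task across a set of cloned repositories; with no argument it runs against the built-in sample. On the prevention side, the VS Code user setting `"task.allowAutomaticTasks": "off"` stops folder-open tasks from running at all until a user explicitly allows them, which matches the recommendation above to restrict automatic task execution.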
Indicators of Compromise
- ip: 166.88.4.2
- ip: 85.239.62.36
- ip: 23.27.20.143
- ip: 23.27.202.27
- ip: 23.27.120.142
- ip: 154.91.0.196
- ip: 198.105.127.210
- ip: 83.168.68.219
- hash: a12957e7627cb19fba2a4b155f7258b7
- hash: 78be1ea752622c75fd5c636abc2e6e7a51484323
- hash: 23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8
- hash: 834a92277f1bd82d4d473ac0aa2ddb23208a3a8763a576b882e7326c42bc5412
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
- Adversary: WageMole
- Pulse Id: 69e7690744c08ddc410e543f
- Threat Score: null
Threat ID: 69e7983919fe3cd2cddfb206
Added to database: 4/21/2026, 3:31:05 PM
Last enriched: 4/21/2026, 3:46:25 PM
Last updated: 4/21/2026, 7:48:16 PM