Dokkaebi Hackers Target Developers with Fake Job Interviews and Malware
Key Takeaways
- A North Korea-linked hacking group, Void Dokkaebi (also known as Famous Chollima), is actively targeting software developers through elaborate fake job interviews.
- The attackers trick developers into cloning malicious code repositories that install malware, subsequently turning the victims’ own machines and projects into tools for further infection.
- The campaign leverages compromised repositories to spread malware in a worm-like fashion, bypassing traditional social engineering for subsequent victims.
- By March 2026, over 750 infected repositories and 500 malicious VS Code task configurations were identified, impacting popular open-source projects like DataStax and Neutralinojs.
- The primary payload is a sophisticated, cross-platform Remote Access Trojan (RAT) called DEVSPOPPER, designed to evade detection in CI/CD environments and cloud sandboxes.
North Korean Hackers Exploit Fake Job Interviews to Infect Developers, Propagate Malware Through Code Repositories
A sophisticated campaign orchestrated by the North Korea-backed hacking collective known as Void Dokkaebi (or Famous Chollima) is actively compromising software developers. The group employs an elaborate social engineering tactic, using fabricated job interviews to lure developers into installing malware, which then propagates through their existing code repositories. This insidious method transforms individual developer machines and projects into vectors for widespread infection, as detailed in a recent security analysis.
The attack chain commences with a highly convincing ruse. Threat actors impersonate recruiters from prominent cryptocurrency and artificial intelligence companies, initiating contact with developers on professional networking platforms. During the course of a seemingly legitimate interview, the target is instructed to clone a specific code repository from platforms such as GitHub, GitLab, or Bitbucket, ostensibly for a “technical assessment.”
These repositories, while appearing genuine, contain hidden malicious code designed to execute automatically upon the developer opening the project folder. This initial compromise is particularly dangerous because it leverages the developer’s trust in a professional context, turning a routine technical exercise into a critical security incident.
The Worm-like Propagation Mechanism
What sets this campaign apart, as identified by Trend Micro analysts, is its self-propagating nature. Void Dokkaebi does not merely aim for a single developer compromise. Instead, the attackers exploit the initial victim’s machine and their existing repositories to infect subsequent developers, establishing a worm-like chain that can spread across organizations without requiring additional social engineering efforts for each new target.
By March 2026, the scale of this operation had grown substantially. Trend Micro Research’s analysis uncovered over 750 infected repositories, more than 500 malicious Visual Studio Code task configurations, and 101 instances of a specialized commit tampering tool across various public code hosting platforms. Notably, repositories associated with well-known organizations like DataStax and Neutralinojs were found to contain infection markers, indicating the campaign’s reach into popular open-source projects.
Once a compromised developer pushes code to GitHub or integrates components elsewhere, the malicious files travel with these updates. They lie dormant, awaiting the next developer to open the project and inadvertently trigger the attack, thereby perpetuating a cycle of infection that expands with every new commit.
Inside the Infection Chain
The Void Dokkaebi campaign employs two primary, complementary infection methods:
Visual Studio Code Workspace Abuse
The first method exploits Visual Studio Code’s workspace files, specifically the hidden .vscode/tasks.json file. This file is configured to execute automatically when a developer opens the project folder. Upon accepting the workspace trust prompt, the malicious task runs without further user interaction. It either fetches a backdoor from a remote URL or launches a disguised payload file already present within the repository.

Direct Code Injection and Git Tampering
The second method is more direct. After establishing remote access to a developer’s machine, the attackers inject obfuscated JavaScript into the victim’s source files within their own repositories. This injected code is pushed to the far right of the screen using extensive whitespace, making it difficult to detect during quick code reviews. A batch script named temp_auto_push.bat is then used to rewrite Git commit history. It copies the original author name, timestamp, and message before force-pushing the tampered version, making the malicious commit appear legitimate and blend seamlessly into the project history.

The payload delivered by this campaign is a variant of the DEVSPOPPER remote access trojan (RAT). This cross-platform, Node.js-based tool establishes communication with a command-and-control (C2) server via WebSocket and employs HTTP for data exfiltration. A notable feature of DEVSPOPPER is its multi-operator session system, which permits multiple threat actors to simultaneously operate on a single compromised machine. Crucially, the RAT is designed to detect and avoid execution in CI/CD environments and cloud sandboxes, ensuring it runs exclusively on genuine developer workstations, thereby evading automated pipeline scanning tools.
What You Should Do
- Isolate Interview Code: Always execute any code provided during job interviews in isolated or disposable virtual environments (e.g., VMs, sandboxes). Never run such code directly on personal or production machines.
- Configure Gitignore: Add .vscode/ to your .gitignore files and enforce this policy across all organizational repositories. This prevents the passive spread of malicious Visual Studio Code configurations.
- Enforce Signed Commits: Implement mandatory GPG- or SSH-signed commits with branch protection and required pull requests for all repositories. This measure can effectively thwart the commit-tampering tool used by Void Dokkaebi.
- Audit Source Code: Regularly audit source code for specific infection markers such as global['!'] and global['_V'], and check for the presence of the temp_auto_push.bat script.
- Monitor Outbound Connections: Monitor developer workstations for unusual outbound connections, particularly to blockchain API endpoints like api.trongrid.io and Binance Smart Chain RPC endpoints, which may indicate C2 communication.
- Prioritize Endpoint Detection: Given that the DEVSPOPPER RAT is designed to bypass CI/CD environments, robust endpoint-level detection and response (EDR) solutions on developer workstations are critical for identifying and mitigating infections.
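The infection markers described above (auto-run tasks in .vscode/tasks.json, the global['!'] and global['_V'] globals, whitespace-padded injected lines, and the temp_auto_push.bat script) can be checked mechanically before a cloned repository is opened in an editor. The scanner below is an added example written for this article, not code from the article, Trend Micro, or any project it names; the 120-character padding threshold and the file-extension list are assumptions.

```python
import json
import os
import re

# Indicators named in the article; the padding threshold below is a guess.
MARKER_RE = re.compile(r"global\[\s*['\"](?:!|_V)['\"]\s*\]")
TAMPER_SCRIPT = "temp_auto_push.bat"
# Injected JavaScript is pushed off-screen: flag 120+ spaces/tabs followed by code.
PADDED_RE = re.compile(r"[ \t]{120,}\S")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".jsx", ".tsx"}

def suspicious_tasks(tasks_json: str) -> list:
    """Return VS Code tasks configured to run automatically on folder open."""
    try:
        doc = json.loads(tasks_json)
    except ValueError:  # tasks.json may be JSONC; fall back to a raw check
        return [{"label": "?", "command": "?"}] if "folderOpen" in tasks_json else []
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label"), "command": task.get("command")})
    return hits

def scan_text(path: str, text: str) -> list:
    """Flag marker globals and whitespace-padded lines in one source file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if MARKER_RE.search(line):
            findings.append((path, n, "global-marker"))
        if PADDED_RE.search(line):
            findings.append((path, n, "whitespace-padded-code"))
    return findings

def scan_repo(root: str) -> list:
    """Walk a checked-out repository and collect all findings as (path, line, kind)."""
    findings = []
    for d, dirs, files in os.walk(root):
        dirs[:] = [x for x in dirs if x != ".git"]  # skip Git internals
        for f in files:
            p = os.path.join(d, f)
            if f == TAMPER_SCRIPT:
                findings.append((p, 0, "tamper-script"))
            elif f == "tasks.json" and os.path.basename(d) == ".vscode":
                with open(p, encoding="utf-8", errors="replace") as fh:
                    for t in suspicious_tasks(fh.read()):
                        findings.append((p, 0, "folderOpen-task:%s" % t["label"]))
            elif os.path.splitext(f)[1] in SOURCE_EXT:
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(p, fh.read()))
    return findings
```

Run scan_repo on the clone directory and treat any finding as a reason to keep the project inside a disposable VM rather than opening it on a workstation.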