DPRK Fake Job Scams Self-Propagate in 'Contagious Interview'

North Korean threat actors behind the 'Contagious Interview' campaign have evolved their fake job offer attacks into a self-propagating supply chain threat. The group, tracked as Void Dokkaebi, lures developers into cloning malicious repositories during fake technical interviews. Malicious VS Code workspace tasks execute automatically when the project is opened, compromising the developer's environment. When the victim commits the infected code to GitHub, GitLab, or Bitbucket, the hidden .vscode folder spreads the infection to anyone who subsequently clones the repo — creating a worm-like propagation chain. In March alone, over 750 infected repositories and 500 malicious VS Code task configurations were identified. The campaign also uses blockchain infrastructure (Tron, Aptos, Binance Smart Chain) for payload staging, making takedowns harder. Developers are advised to treat external repositories as untrusted, run coding tasks in isolated VMs, and enforce code-signing validation.