Void Dokkaebi (aka Famous Chollima), a North Korea-aligned threat actor, has evolved its fake job interview attack into a self-propagating supply chain threat. Developers are lured into cloning malicious repositories that contain weaponized VS Code workspace tasks (.vscode/tasks.json) which execute automatically on folder open. Once a developer is compromised, the attacker uses a commit-tampering tool (temp_auto_push.bat) to inject obfuscated JavaScript into the victim's own repositories, backdating commits to hide the tampering. The malware uses a blockchain-based payload staging system (Tron, Aptos, Binance Smart Chain) to deliver various RATs including DEV#POPPER. As of March 2026, over 750 infected repositories were identified, including those belonging to DataStax and Neutralinojs. Mitigations include using isolated VMs for interview code, adding .vscode/ to .gitignore, enforcing signed commits and branch protection, and monitoring for blockchain API traffic from developer workstations.
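As an added example (not code from the original report), the following scanner checks a cloned repository for workspace tasks that run on folder open, the trigger described above. It assumes the VS Code task setting `runOptions.runOn` with the value `folderOpen` is what marks such a task; the function names, sample file and placeholder command are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# tasks.json is JSONC: drop comments and trailing commas, keep string literals.
_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')

def parse_jsonc(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def task_commands(task):  # command lines, including per-OS overrides
    cmds = []
    for scope in (task, *(task.get(k) for k in ("windows", "linux", "osx"))):
        if isinstance(scope, dict) and scope.get("command"):
            cmds.append(" ".join(map(str, [scope["command"], *scope.get("args", [])])))
    return cmds

def find_autorun_tasks(root):
    """Return (file, label, commands) for each task that runs on folder open."""
    findings = []
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            doc = parse_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:  # an unparseable config is itself worth a manual look
            findings.append((str(path), "<unparseable>", []))
            continue
        tasks = (doc.get("tasks") or []) if isinstance(doc, dict) else []
        for task in (t for t in tasks if isinstance(t, dict)):
            opts = task.get("runOptions")
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((str(path), task.get("label", ""), task_commands(task)))
    return findings

# Constructed sample (not from a real repository); the command is a placeholder.
SAMPLE = '''{
  // workspace tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "env-check", "type": "shell", "command": "node", "args": ["placeholder.js"],
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".vscode").mkdir()
        Path(tmp, ".vscode", "tasks.json").write_text(SAMPLE, encoding="utf-8")
        print(find_autorun_tasks(tmp))
```

Run it over a freshly cloned repository before opening the folder in VS Code. A finding is a prompt to read the task, since legitimate projects also define auto-run tasks.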