A notorious hacking group linked to North Korea, identified as Void Dokkaebi, also known as Famous Chollima, is executing a sophisticated campaign aimed at software developers. The group deceives developers through fake job interviews, leading them to install malware via compromised code repositories.
Deceptive Tactics Employed by Hackers
The campaign begins with hackers masquerading as recruiters from reputable cryptocurrency and artificial intelligence firms. They engage with developers on professional networking platforms, inviting them to participate in a fabricated coding assessment. During these mock interviews, targets are instructed to clone code repositories from platforms like GitHub, GitLab, or Bitbucket under the guise of a technical evaluation.
These repositories are cleverly disguised to appear legitimate but contain hidden malicious code that activates as soon as the developer opens the project folder. This initial infection sets off a chain reaction, as the compromised developer’s machine and repositories are used to infect others, spreading the malware further without additional social engineering efforts.
Impact and Scale of the Campaign
By March 2026, the scale of this operation had significantly expanded. Trend Micro Research reported over 750 infected repositories, more than 500 malicious Visual Studio Code task configurations, and 101 instances of a commit-tampering tool on public code hosting platforms. Organizations such as DataStax and Neutralinojs were among those affected, indicating the campaign’s reach into popular open-source projects.
As developers push code to platforms like GitHub or reuse components, the malicious files travel with it, waiting for the next developer to trigger the infection by opening the project.
Technical Details of the Malware Attack
The attack relies on two primary techniques: manipulating Visual Studio Code workspace files and injecting obfuscated JavaScript into source files. The former involves using a hidden file, .vscode/tasks.json, which executes malicious tasks when a developer opens the project folder and accepts the workspace trust prompt.
Once remote access is gained to a developer’s machine, obfuscated JavaScript is inserted into source files, hidden by whitespace to evade quick reviews. A batch script named temp_auto_push.bat alters the git commit history, making tampered commits appear legitimate.
The payload, a variant of the DEVSPOPPER remote access trojan, connects to command-and-control servers via WebSocket, enabling multiple operators to control a single compromised machine. The RAT avoids detection by not running in CI/CD environments or cloud sandboxes.
Protective Measures for Developers
Developers and organizations must adopt preventive measures to minimize exposure. Always execute interview code in isolated or temporary virtual environments and never on personal or production machines. Including .vscode/ in .gitignore files across all repositories can prevent passive spread. Enforce GPG- or SSH-signed commits with branch protection and mandatory pull requests to thwart commit tampering.
Conduct audits for infection markers like global'!''!' and global'_V', and check for temp_auto_push.bat. Monitor outbound connections to blockchain API endpoints from developer workstations; endpoint-level detection matters because the RAT evades automated pipeline scanning.
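As an added illustration of such an audit (example code written for this article, not a tool from Trend Micro or the researchers), the following scanner walks a checked-out repository for the three markers described above: a .vscode/tasks.json task that auto-runs on folder open, the temp_auto_push.bat script, and JavaScript lines that hide a global marker behind a long whitespace gap. The bracketed spelling of the global markers, the 120-space threshold and the sample repository are assumptions made for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

SOURCE_EXT = {".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"}
# Markers named in the article; matching with or without brackets is an assumption.
MARKER_RE = re.compile(r"""global\s*\[?\s*['"](?:!|_V)['"]""")
# Code placed after a very long run of spaces/tabs is the "hidden by whitespace" trick.
PADDED_RE = re.compile(r"\S[ \t]{120,}\S")


def scan_repo(root: Path) -> list[str]:
    """Return human-readable findings for the infection markers the article describes."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "temp_auto_push.bat":
            findings.append(f"{rel}: commit-tampering script present")
        if rel.endswith(".vscode/tasks.json"):
            try:
                tasks = json.loads(path.read_text(encoding="utf-8")).get("tasks", [])
            except (ValueError, OSError):
                findings.append(f"{rel}: unparseable tasks.json, inspect manually")
                continue
            for task in tasks:
                # runOptions.runOn == "folderOpen" makes VS Code start the task when the folder
                # is opened, once the workspace trust prompt has been accepted.
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(f"{rel}: task {task.get('label')!r} auto-runs on folderOpen: {task.get('command')}")
        elif path.suffix in SOURCE_EXT:
            for n, line in enumerate(path.read_text(encoding="utf-8", errors="replace").splitlines(), 1):
                if MARKER_RE.search(line):
                    findings.append(f"{rel}:{n}: DEVSPOPPER-style global marker")
                elif PADDED_RE.search(line):
                    findings.append(f"{rel}:{n}: code hidden behind long whitespace gap ({len(line)} chars)")
    return findings


def build_sample_repo() -> Path:
    """Constructed sample repository reproducing the three markers; demonstration data only."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "build", "type": "shell", "command": "node .vscode/setup.js",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "temp_auto_push.bat").write_text("@echo off\r\n")
    (root / "index.js").write_text(
        "module.exports = () => 1;" + " " * 300 + "global['_V']=1;\n" + "console.log('ok');\n")
    return root
```

Run scan_repo(Path(".")) from a freshly cloned interview repository inside a throwaway VM before opening it in an editor; an empty list means none of these three markers were found, not that the repository is clean.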
