Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain

1 unique source, 1 article

Summary

A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and then silently propagates malicious code through cloned repositories. The campaign, attributed to Void Dokkaebi (aka Famous Chollima), abuses legitimate development workflows by luring developers with fake interviews at crypto and AI firms, then delivering malware via malicious VS Code tasks, hidden .vscode folders, or payloads bundled in fonts/images. Once a developer commits the infected code to GitHub/GitLab/Bitbucket, the repository becomes a Trojan horse that spreads the infection to downstream contributors and forked projects, creating a worm-like chain reaction across the software supply chain. Attackers stage payloads on blockchain networks (Tron, Aptos, Binance Smart Chain) to evade takedowns and target developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure. In March 2026 alone, more than 750 infected repositories, more than 500 malicious VS Code task configurations, and 101 instances of the actor’s commit-tampering tool were identified, with infection markers found in repositories used by DataStax and Neutralinojs.

Timeline

  1. 22.04.2026 17:48 · 1 article

    Void Dokkaebi’s Contagious Interview campaign escalates to self-propagating supply-chain compromise via VS Code and Git repositories

    North Korean actor Void Dokkaebi has operationalized the "Contagious Interview" tactic into a self-sustaining supply-chain attack vector. Malicious VS Code tasks or hidden .vscode folders in compromised repositories execute automatically when opened, then propagate the infection to subsequent clones via commit history. The attack chain begins with fake job interviews targeting developers, then escalates to CI/CD pipelines and production systems as victims integrate the infected code. Blockchain-based payload staging further complicates remediation.


Information Snippets

  • Void Dokkaebi uses fake job interviews targeting developers at crypto and AI firms to deliver malware via malicious Visual Studio Code tasks, hidden .vscode folders, or payloads embedded in fonts/images.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • Infected repositories propagate the malware downstream: when a victim commits the code to GitHub/GitLab/Bitbucket, the malicious .vscode folder triggers a trust prompt in subsequent clones, repeating the infection cycle.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • The campaign abuses VS Code’s workspace task system to execute malware automatically when a victim opens a project and accepts the workspace trust prompt, often fetching payloads directly from remote URLs.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • Payload staging occurs on blockchain networks (Tron, Aptos, Binance Smart Chain), complicating traditional security takedown efforts.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • In March 2026, Trend Micro identified 750+ infected code repositories, 500+ malicious VS Code task configurations, and 101 instances of the actor’s commit-tampering tool.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • Affected organizations include DataStax and Neutralinojs, with repositories carrying infection markers.

    First reported: 22.04.2026 17:48
    1 source, 1 article
  • The campaign targets developers’ credentials, crypto wallet keys, CI/CD pipelines, and production infrastructure as primary objectives.

    First reported: 22.04.2026 17:48
    1 source, 1 article
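A way to audit cloned repositories for the workspace-task behaviour described in the snippets above, before accepting the trust prompt. This is an added example, not code from the source article or from Trend Micro. It relies on VS Code's `runOptions.runOn: "folderOpen"` task setting, and the `FETCH` marker list is an assumed heuristic rather than a set of campaign indicators.

```python
import json, os, re, sys

# Assumed heuristic markers that a task command pulls remote content; extend as needed.
FETCH = re.compile(r"https?://|\b(?:curl|wget|Invoke-WebRequest|iwr)\b", re.I)

def _strip(pattern, text):
    """Delete matches of pattern that lie outside JSON string literals."""
    return re.sub(r'"(?:\\.|[^"\\])*"|' + pattern,
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "", text, flags=re.S)

def load_jsonc(text):
    """Parse tasks.json, which VS Code lets contain comments and trailing commas."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)          # comments
    return json.loads(_strip(r",(?=\s*[}\]])", text))   # trailing commas

def audit_tasks(text):
    """Return [(label, reasons)] for tasks that auto-run or fetch remote content."""
    try:
        tasks = [t for t in load_jsonc(text).get("tasks", []) if isinstance(t, dict)]
    except (ValueError, AttributeError, TypeError):
        return [("<file>", ["unparseable tasks.json, review by hand"])]
    findings = []
    for task in tasks:
        opts = task.get("runOptions")
        blob = json.dumps([task.get(k) for k in ("command", "args", "windows", "osx", "linux")])
        reasons = []
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            reasons.append("runs on folder open")
        if FETCH.search(blob):
            reasons.append("fetches remote content")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

def scan_tree(root):
    """Audit every .vscode/tasks.json under root; return {path: findings}."""
    hits = {}
    for d, _, files in os.walk(root):
        if os.path.basename(d) == ".vscode" and "tasks.json" in files:
            path = os.path.join(d, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_tasks(fh.read())
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

Run it against a fresh clone from a terminal, not from inside the editor. A hit is a prompt for manual review, since legitimate projects also use `folderOpen` tasks.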