TL;DR: Found malicious code (Void Dokkaebi campaign, TRON blockchain C2) spread across 3 of my repos on macOS. All infected commits happened during VS Code Copilot agent sessions. Still determining if that's coincidence or the delivery mechanism. Here's how to check your own projects.
What I found
Three files infected across three repos in one VS Code workspace:
-
Backend →
routes/user.js -
Frontend A →
tailwind.config.js -
Frontend B →
tailwind.config.js
All committed under my identity. All bundled inside meaningful multi-file commits. All pointing to api.trongrid.io (TRON blockchain) as C2, with eval() execution of decoded payloads.
This matches the Void Dokkaebi campaign documented by Trend Micro — a DPRK-attributed threat actor that specifically targets JS developers, injects code into config files, and spoofs commits under the victim's identity.
The part that isn't in the report
Every single infected commit was made during an active VS Code Copilot agent session.
The Trend Micro report's documented mechanism involves an attacker with remote access running a commit-tampering script (temp_auto_push.bat). That's possible here too, maybe using something similar for macOS — but the agent sessions raise other possibilities:
- Prompt injection: A malicious instruction embedded in a workspace file could have manipulated the agent into writing attacker-controlled code into other files during a legitimate task
- Extension context poisoning: A compromised VS Code extension could contribute malicious content into Copilot's context window invisibly
- Organic propagation: The agent, reading broadly across the workspace, may have spread already-injected code into other files incidentally
I can't currently rule any of these out. The agent session timing may also be pure coincidence — multi-file meaningful commits are exactly what agent sessions look like, which is precisely what makes them good camouflage regardless of mechanism.
Check for unknown running node process
ps aux | grep node
It should list only known process that you've started from a known file location.
Scan your projects
Check for long obfuscated code in places it shouldn't be,
- routes/*.js
- *.config.js/ts/mjs..etc eg., tailwind.config.js, vite.config.mjs.
_Detection scripts attached below. _
Especially check if:
- You use Copilot agent or another agentic coding tool across a multi-repo workspace
- You've ever cloned a repo from a recruiter or technical assessment
- You work with multiple JS projects open simultaneously, in VS Code.
If you find it
Stop committing from that machine, assume everything is touched.
- Revoke all tokens (GitHub, npm, SSH keys, cloud providers)
- Reset all secrets in that project.
- Notify your repo collaborators
- Inform all who have cloned / forked the infected code.
Still collecting data. Drop a comment if you've seen this — especially if you were also using agentic coding tools when it happened. That's the specific data point I'm trying to gather.
Detection scripts + full writeup in GitHub and Medium.
Top comments (0)