Malware spread across my 3 git repos during Copilot agent sessions — Void Dokkaebi campaign, TronGrid C2, and an open question about AI coding agents

couch potato — Sat, 27 Jun 2026 21:28:34 +0000

TL;DR: Found malicious code (Void Dokkaebi campaign, TRON blockchain C2) spread across 3 of my repos on macOS. All infected commits happened during VS Code Copilot agent sessions. Still determining if that's coincidence or the delivery mechanism. Here's how to check your own projects.

What I found

Three files infected across three repos in one VS Code workspace:

Backend → routes/user.js
Frontend A → tailwind.config.js
Frontend B → tailwind.config.js

All committed under my identity. All bundled inside meaningful multi-file commits. All pointing to api.trongrid.io (TRON blockchain) as C2, with eval() execution of decoded payloads.

This matches the Void Dokkaebi campaign documented by Trend Micro — a DPRK-attributed threat actor that specifically targets JS developers, injects code into config files, and spoofs commits under the victim's identity.

The part that isn't in the report

Every single infected commit was made during an active VS Code Copilot agent session.

The Trend Micro report's documented mechanism involves an attacker with remote access running a commit-tampering script (temp_auto_push.bat). That's possible here too, maybe using something similar for macOS — but the agent sessions raise other possibilities:

Prompt injection: A malicious instruction embedded in a workspace file could have manipulated the agent into writing attacker-controlled code into other files during a legitimate task
Extension context poisoning: A compromised VS Code extension could contribute malicious content into Copilot's context window invisibly
Organic propagation: The agent, reading broadly across the workspace, may have spread already-injected code into other files incidentally

I can't currently rule any of these out. The agent session timing may also be pure coincidence — multi-file meaningful commits are exactly what agent sessions look like, which is precisely what makes them good camouflage regardless of mechanism.

Check for unknown running node process

 ps aux | grep node

It should list only known process that you've started from a known file location.

Scan your projects

Check for long obfuscated code in places it shouldn't be,

routes/*.js
*.config.js/ts/mjs..etc eg., tailwind.config.js, vite.config.mjs.

_Detection scripts attached below. _

Especially check if:

You use Copilot agent or another agentic coding tool across a multi-repo workspace
You've ever cloned a repo from a recruiter or technical assessment
You work with multiple JS projects open simultaneously, in VS Code.

If you find it

Stop committing from that machine, assume everything is touched.

Revoke all tokens (GitHub, npm, SSH keys, cloud providers)
Reset all secrets in that project.
Notify your repo collaborators
- Inform all who have cloned / forked the infected code.

Still collecting data. Drop a comment if you've seen this — especially if you were also using agentic coding tools when it happened. That's the specific data point I'm trying to gather.
Detection scripts + full writeup in GitHub and Medium.

I found North Korean malware in my tailwind.config.js — here's the 5-minute scan to check your own machine

couch potato — Wed, 24 Jun 2026 15:47:28 +0000

tailwind.config.js and similar config files load and execute at build time in most modern frameworks — meaning code placed there runs with whatever environment access your build process has, often including CI/CD secrets. They are also the files reviewers' eyes slide right past, because "config file" doesn't read as "executable code" to most developers, even though it is.

Cross-posted from my Medium series on a real Void Dokkaebi-style infection. Full writeup and incident response details linked at the end. Scripts are on GitHub.

I found obfuscated JavaScript in my tailwind.config.js. Not in a dependency, not in node_modules — in the config file, committed with my github account. All commits found in three different repositories, under my own identity.

Sample infected file

I ran Malwarebytes on it, more than once, pointed directly at the file. Nothing. macOS's own built-in security didn't flag it either. It was built well enough that the tools whose entire job is catching this didn't.

A Void Dokkaebi-style infection (the DPRK-linked threat group also tracked as Famous Chollima / UNC5342) with a JSON-RPC beacon calling api.trongrid.io every 30 seconds, reading my environment variables, looking for crypto wallet credentials. I found three infected file locally, then six unexplained processes running in production.

This post is the "run this now" version. Full investigation, deobfuscation steps, and incident response timeline are in the linked post.

Run this right now (takes under 5 minutes)

# 1. Check for processes you don't recognize
ps aux | grep node

# 2. Scan for encoded payload blobs
grep -r --include="*.js" --include="*.ts" \
  -E "[A-Za-z0-9+/]{200,}={0,2}" \
  . --exclude-dir=node_modules -l

# 3. Check your config files for code that shouldn't be there
grep -rn "function\|eval\|btoa\|atob\|setInterval\|setTimeout" \
  tailwind.config.js next.config.js vite.config.js \
  webpack.config.js babel.config.js 2>/dev/null

If any of these return something you didn't put there: stop, don't push, don't deploy, kill the process, rotate your secrets. (And if you're killing processes that respawn, watch -n 5 'ps aux | grep node' to keep an eye on it.)

I still don't have a confirmed entry vector — that part of the investigation is ongoing.

I built out a full detection suite from this incident — process scanners, encoded-string detectors, a composite Void Dokkaebi pattern scan. All in the /scripts folder:

🔗 GitHub: github.com/Potat0-0/marauders-map

If you find this useful, a star helps other devs find it. If you've seen a similar infection — especially commits under your own identity, especially on macOS — I'd genuinely like to compare notes. I filed a Security StackExchange thread that's becoming a collection point for similar reports.

Full writeup, and incident response details -> Medium Post

DEV Community: couch potato