DEV Community

Mark0

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Void Dokkaebi, a North Korea-aligned threat group also known as Famous Chollima, has evolved its tactics from targeted social engineering to a self-propagating supply chain threat. The campaign targets software developers through fake job interview lures, tricking them into cloning and executing malicious code repositories. Once a developer's environment is compromised, the threat actor weaponizes the victim's own repositories, turning legitimate code contributions into infection vectors for downstream contributors and organizations.

The attack uses two primary propagation methods: malicious VS Code workspace tasks that execute when a folder is opened, and the active injection of obfuscated JavaScript into source files. To conceal their activity, the attackers use tools to tamper with Git history, backdating commits to blend with legitimate work. This campaign leverages blockchain infrastructure for payload delivery and has successfully contaminated hundreds of repositories, highlighting a significant shift toward exploiting developer trust and common workflow habits.
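
A defensive check for the first propagation method, as an added example that is not part of the original post: it walks a cloned tree and reports every `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`, the VS Code setting that makes a task start when the folder is opened. The sample file, task labels and commands are constructed for illustration, and the scan covers only `.vscode/tasks.json`.

```python
import json
import re
import tempfile
from pathlib import Path

STRING = r'"(?:\\.|[^"\\])*"'  # JSON string literal; matched first so it is never edited

def strip_jsonc(text):
    """tasks.json is JSONC: drop comments, then trailing commas, outside strings."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(STRING + r"|,(?=\s*[}\]])", keep, text)

def auto_run_tasks(tasks_file):
    """Return (label, command) for every task set to run when the folder opens."""
    try:
        doc = json.loads(strip_jsonc(Path(tasks_file).read_text(encoding="utf-8")))
    except (OSError, ValueError):
        return [("<unparseable, review by hand>", "")]
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits

def scan_tree(root):
    """Map each flagged tasks.json (path relative to root) to its auto-run tasks."""
    findings = {}
    for f in Path(root).rglob("tasks.json"):
        if f.parent.name == ".vscode" and (hits := auto_run_tasks(f)):
            findings[f.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample, not taken from the campaign.
SAMPLE = """{
  // workspace tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "env-check", "type": "shell", "command": "node ./tools/check.js",
     "runOptions": {"runOn": "folderOpen"}, /* hidden from the terminal panel */
     "presentation": {"reveal": "never"},
    },
  ]
}"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp, "repo", ".vscode")
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return scan_tree(tmp)
```

Run `scan_tree` on a fresh clone from a terminal before opening the folder in the editor, and read the reported command before trusting the workspace.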

