Void Dokkaebi (also known as Famous Chollima), a North Korea-aligned threat actor, is targeting software developers through a sophisticated campaign involving fake job interviews. The group lures developers into cloning malicious repositories that utilize Visual Studio Code's workspace task system to execute malware. This operation has evolved from targeted social engineering into a self-propagating supply chain threat, as compromised developers unknowingly commit malicious configurations and obfuscated JavaScript back into organizational and open-source repositories.
The campaign features advanced evasion techniques, including commit history tampering to hide malicious injections and the use of blockchain infrastructure (Tron, Aptos, and Binance Smart Chain) for payload staging. The primary payload is a variant of the DEV#POPPER remote access trojan (RAT), which enables multi-operator session management and specifically avoids CI/CD environments to evade detection. Analysts have identified over 750 infected repositories, highlighting a significant risk to the broader developer ecosystem and software supply chains.
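The execution primitive described above is a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, which VS Code can launch as soon as the folder is opened. The script below is an added example written for this summary (not code from the article or from any vendor tool); it audits a cloned repository for auto-running or suspicious workspace tasks before the folder is opened in VS Code, so a developer or a pre-commit hook can catch a committed task file. The sample `tasks.json` is constructed for illustration, the keyword list is a heuristic assumption, and a hit is a prompt to read the file, not proof of compromise.

```python
import json
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample of a .vscode/tasks.json with one auto-running, hidden task.
# It is illustrative only and not taken from any real repository.
SAMPLE_TASKS_JSON = r'''
{
    // VS Code reads tasks.json as JSONC: comments and trailing commas are allowed
    "version": "2.0.0",
    "tasks": [
        { "label": "install deps", "type": "shell", "command": "npm install", },
        {
            "label": "setup",
            "type": "shell",
            "command": "node ./scripts/setup.js",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" }
        }
    ]
}
'''

# Heuristic keyword list (an assumption, not an authoritative indicator set):
# downloaders, interpreters fed inline code, and remote URLs inside a task command.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bpowershell\b", r"\bbase64\b",
    r"\beval\b", r"\bnode\s+-e\b", r"\bpython3?\s+-c\b", r"https?://",
]


@dataclass
class Finding:
    path: str
    label: str
    command: str
    auto_run: bool            # runOptions.runOn == "folderOpen"
    hidden: bool              # presentation.reveal == "never"
    hits: list = field(default_factory=list)


def strip_jsonc(text: str) -> str:
    """Convert VS Code's JSON-with-comments into strict JSON for json.loads()."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                      # inside a string: copy verbatim, honour escapes
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1]); i += 2; continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):  # line comment: drop to end of line
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):  # block comment: drop to closing */
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    # Trailing commas before } or ] (outside strings after the pass above).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _strings(value) -> list:
    """Flatten a command/args value (str, list, or per-platform dict) into strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [s for v in value for s in _strings(v)]
    if isinstance(value, dict):
        return [s for v in value.values() for s in _strings(v)]
    return []


def audit_tasks(text: str, path: str = "<inline>") -> list:
    """Return a Finding for every task that auto-runs or matches a suspicious pattern."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        parts = []
        for key in ("command", "args", "windows", "linux", "osx"):
            parts += _strings(task.get(key))
        cmdline = " ".join(parts)
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmdline, re.I)]
        if auto or hits:
            findings.append(Finding(path, task.get("label", "<unnamed>"), cmdline, auto, hidden, hits))
    return findings


def scan_repo(root: Path) -> list:
    """Audit every .vscode/tasks.json below root (nested workspaces included)."""
    results = []
    for p in root.rglob("tasks.json"):
        if p.parent.name == ".vscode":
            results += audit_tasks(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return results


if __name__ == "__main__":
    found = scan_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else audit_tasks(SAMPLE_TASKS_JSON)
    for f in found:
        flags = (["auto-run on folderOpen"] if f.auto_run else []) + (["output hidden"] if f.hidden else [])
        print(f"{f.path}: task '{f.label}' -> {f.command!r}; {', '.join(flags + f.hits) or 'review'}")
    sys.exit(1 if found else 0)
```

Run it as `python audit_tasks.py path/to/clone` before opening the clone in VS Code, or wire the non-zero exit status into a pre-commit or CI check so a task file with `runOn: folderOpen` cannot be committed unnoticed. Whether VS Code actually executes such a task depends on Workspace Trust and the `task.allowAutomaticTasks` setting, so the check is a review aid rather than a replacement for those controls.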