North Korea-Linked Void Dokkaebi Runs Self-Propagating Supply Chain Attack Targeting Developers via Fake Job Interviews
North Korea-linked state-sponsored threat group Void Dokkaebi — also known as Famous Chollima — has leveraged fake job interviews to compromise developers in a self-spreading supply chain intrusion campaign, GBHackers News reports. Attacks begin with the impersonation of cryptocurrency or AI firm recruiters.
An analysis by Trend Micro researchers showed that the attackers lure developers into downloading seemingly legitimate GitHub or GitLab repositories to complete a coding exam. Opening one of these repositories in Visual Studio Code, with its malicious workspace configuration, triggers automated task execution and malware infection. Once the compromised code, with the malicious .vscode configuration, is committed back into a repository, subsequent cloning turns every additional victim into a distributor of the malware.
Void Dokkaebi was also observed conducting direct code injection, concealed using a git-history-rewriting commit tampering tool. Multiple blockchain networks were tapped to host and deploy several payloads, including the DEV#POPPER remote access trojan.
The campaign compromised over 750 repositories, planted more than 500 malicious VS Code task configurations and injected the commit-tampering tool across 101 repositories. The incident shows that a new threat vector in supply chain security, propagation via VS Code workspace configurations, has reached systematic operational maturity in the developer ecosystem.
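A defender-side check for the workspace task configurations described above, as an added example that is not from Trend Micro's analysis or the original report: it lists every task in a cloned repository's `.vscode/tasks.json` that VS Code is configured to start on folder open (`runOptions.runOn` set to `folderOpen`). The function names and the sample configuration are constructed for illustration; the report does not say which task settings the campaign used.

```python
import json
import re
from pathlib import Path

# tasks.json is JSONC: strip comments and trailing commas (outside strings) before parsing.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def load_jsonc(text):
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep_strings, _COMMENT.sub(keep_strings, text)))

def audit_tasks(text):
    """Return one finding per task that VS Code would start when the folder is opened.
    'hidden' is True when presentation.reveal keeps the terminal panel from showing."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        args = " ".join(str(a) for a in task.get("args", []))
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": f'{task.get("command", "")} {args}'.strip(),
            "hidden": task.get("presentation", {}).get("reveal") in ("never", "silent"),
        })
    return findings

def scan_repo(root):
    """Audit every .vscode/tasks.json under a checkout before opening it in VS Code."""
    results = {}
    candidates = (p for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode")
    for path in candidates:
        try:
            found = audit_tasks(path.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError):
            # Fail closed: a file we cannot parse still needs a human look.
            found = [{"label": "<unparseable>", "command": "", "hidden": False}]
        if found:
            results[str(path)] = found
    return results

# Constructed sample (not taken from the campaign): one ordinary task, one auto-run task.
SAMPLE = """{
  "tasks": [  // workspace tasks
    {"label": "build", "command": "npm", "args": ["run", "build"]},
    {"label": "env-setup", "command": "node", "args": ["./setup.js"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ]
}"""
```

A finding is a prompt for review, not proof of compromise, since `folderOpen` tasks also have legitimate uses.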
Key Takeaways:
1. North Korea-linked Void Dokkaebi (Famous Chollima) targets developers via fake job interviews.
2. Per Trend Micro, the attack spreads through VS Code workspace configurations.
3. Over 750 repositories compromised; 500+ malicious VS Code task configurations.
4. Commit-tampering tool injected into 101 repos; DEV#POPPER RAT delivered via blockchain hosts.
5. New vector: developer machines compromised under the guise of a GitHub/GitLab coding exam.