Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Essential information
- Published
- 21/04/2026 14:09
- Modified
- 21/04/2026 15:28
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- beavertail blockchain infrastructure dev#popper rat developer targeting fake job interview git history tampering invisibleferret north korea omnistealer ottercookie repository poisoning supply chain attack vs code exploitation worm propagation
- Tags
- 2026-04-21 beavertail blockchain infrastructure dev#popper rat developer-targeting fake job interview git history tampering invisibleferret north korea omnistealer ottercookie repository poisoning supply chain attack vs code exploitation worm propagation
- Related entities
- 10 indicators, 10 observables, 1 intrusion sets (apt), 20 techniques (mitre), 5 malware, 1 others
Description
Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when workspaces are opened, and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal modifications. This creates a worm-like propagation chain where each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of DEV#POPPER RAT and other tools to steal cryptocurre...