North Korean threat actor Void Dokkaebi has evolved its "Contagious Interview" job-offer lure into a self-propagating supply-chain attack that infects developer repositories to spread remote access trojans and steal credentials. The campaign abuses Visual Studio Code workspace tasks and commit tampering, uses blockchain networks for payload staging, and can cascade infections across forks and downstream projects.
Keypoints
- Void Dokkaebi lures developers with fake job interviews to clone and run malicious repositories.
- Malicious VS Code workspace tasks and injected files execute payloads when workspace trust is accepted.
- Infected commits hide .vscode folders and propagate infections to forks, contributors, and downstream projects.
- Operators stage payloads on blockchains like Tron, Aptos, and Binance Smart Chain to hinder takedowns.
- Defenses include using dependency lock files, running code in isolated VMs/containers, enforcing code-signing and Workspace Trust, monitoring commits, and limiting privileges.
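As an added example (not code from the report or from the campaign), the following pre-open check lists every workspace task in a cloned repository that is configured to start without being invoked. It assumes the setting to look for is VS Code's `runOptions.runOn: "folderOpen"`; the summary above does not say which task settings the operators use, and the repository layout, task labels and commands in the sample are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# tasks.json is JSONC: drop comments and trailing commas, keeping strings intact.
_STR = r'("(?:\\.|[^"\\])*")'
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def load_jsonc(text):
    keep = lambda m: m.group(1) or " "  # keep string literals, blank the rest
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def auto_run_tasks(repo):
    """List (file, label, command) for tasks that run when the folder is opened."""
    hits = []
    for path in sorted(Path(repo).rglob("tasks.json")):  # includes nested .vscode dirs
        if path.parent.name != ".vscode":
            continue
        rel = path.relative_to(repo).as_posix()
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
            tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
        except ValueError:
            hits.append((rel, "<unparseable>", ""))  # fail closed: review by hand
            continue
        for task in tasks:
            ro = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(ro, dict) and ro.get("runOn") == "folderOpen":
                hits.append((rel, task.get("label", ""), str(task.get("command", ""))))
    return hits

# Constructed sample (not from the campaign): one auto-run task, one manual task.
SAMPLE = """{
  // build helpers
  "tasks": [
    { "label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "test", "type": "shell", "command": "npm test" }, /* manual */
  ]
}"""

def demo():
    with tempfile.TemporaryDirectory() as repo:
        target = Path(repo, "packages", "api", ".vscode")
        target.mkdir(parents=True)
        (target / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return auto_run_tasks(repo)
```

Run `auto_run_tasks()` on a fresh clone before opening it in the editor, or in CI on each incoming commit; any hit, including an unparseable file, is a reason to read the task before granting Workspace Trust.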