VOID Dokkaebi, also tracked as Famous Chollima and described as a North Korea-aligned intrusion set, has evolved from targeting single developers to a worm-like supply-chain threat that uses compromised repositories as infection vectors.
Our analysis shows the campaign spreads through trusted development workflows: malicious VS Code tasks and injected code can execute during normal development activity. When compromised code reaches organisational or popular open-source repositories, contributors, forks and downstream projects can be exposed.
In March 2026 TrendAI™ Research identified more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 instances of the commit tampering tool, with infections observed in DataStax and Neutralinojs repositories. The attackers also use blockchain infrastructure for payload staging, including Tron, Aptos, and Binance Smart Chain, enabling dynamic delivery of payloads via immutable blockchain transactions.
The malware variant DEV#POPPER RAT is delivered through this infrastructure. It is a cross-platform Node.js RAT that communicates via WebSocket and HTTP, and it can persist by injecting versioned code into developer tools and creating a hidden .node_modules folder.
According to TrendAI™ Research, the campaign’s scale and its dual propagation flows—passive VS Code workflow abuse and active repo tampering—underscore a self-sustaining threat that extends beyond an initial target to organisations, open-source projects, and the wider developer ecosystem.
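
A defender-side audit for the two repository artifacts named above (VS Code task configurations and a hidden .node_modules folder), as an added example that is not code from TrendAI™ Research or the original page. Assumptions: the malicious tasks rely on VS Code's `"runOn": "folderOpen"` auto-run option, which the page does not specify; `strip_jsonc`, `audit_repo`, `demo` and the sample task are hypothetical names and constructed data.

```python
import json
import os
import re
import tempfile

# Constructed sample tasks.json (JSONC); the label and command are made up.
SAMPLE_TASKS = """{
  // "runOn": "default" inside a comment must be ignored
  "tasks": [{"label": "env // check", "type": "shell", "command": "node ./tools/check.js",
             "runOptions": {"runOn": "folderOpen"},}],
}"""

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so its contents survive
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def strip_jsonc(text):
    """Drop // and /* */ comments, then trailing commas, leaving string literals intact."""
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    return _TRAILING.sub(keep, _COMMENT.sub(keep, text))

def audit_repo(root):
    """Return sorted (relative path, reason) findings for a checked-out repository."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".node_modules" in dirnames:  # persistence folder named on the page
            hidden = os.path.relpath(os.path.join(dirpath, ".node_modules"), root)
            findings.append((hidden, "hidden .node_modules folder"))
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        rel = os.path.relpath(os.path.join(dirpath, "tasks.json"), root)
        try:
            with open(os.path.join(root, rel), encoding="utf-8") as fh:
                tasks = list(json.loads(strip_jsonc(fh.read())).get("tasks") or [])
        except (OSError, ValueError, AttributeError, TypeError):
            findings.append((rel, "tasks.json could not be parsed; review by hand"))
            continue
        for task in tasks:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":  # assumed trigger
                findings.append((rel, "runs on folder open: %s" % task.get("command")))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed repository layout
        for sub in (".vscode", os.path.join("pkg", ".node_modules")):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS)
        return audit_repo(root)
```

Run `audit_repo` on a fresh clone before opening it in an editor; a finding is a prompt for manual review of the task's command, not proof of compromise.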