DPRK Fake Job Scams Self-Propagate in 'Contagious Interview' describes a worm-like infection vector that uses compromised developer projects to spread remote access Trojans and other malware through the software supply chain, with a compromised developer’s repository acting as the initial conduit. The latest campaign, tracked by Trend Micro as Void Dokkaebi, is carried out by a North Korean actor and targets developers with fake job lures offering access to cryptocurrency wallets, signing keys, and CI/CD pipelines.
Attackers use malicious VS Code tasks and injected code that can execute during normal development, enabling propagation when compromised code reaches organisational or popular open-source repositories, prompting forks and downstream projects to be exposed. The campaign employs blockchain infrastructure for payload staging, including Tron, Aptos, and Binance Smart Chain, complicating takedown efforts.
Trend Micro notes that in March more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of a commit-tampering tool were identified, with infected repositories linked to organisations such as DataStax and Neutralinojs. Researchers highlight a worm-like behaviour where each compromised developer seeds new repositories, creating a self-propagating chain of infections, according to Elizabeth Montalbano.