New Malware Threat Targets Developer Supply Chain Through Fake Job Interviews",

Post Views: 6

Developer Supply Chain Compromised by Fake Job Interview Malware Campaign

A North Korea-linked threat actor, known as Void Dokkaei, has been exploiting fake job interview scenarios to target software developers, compromising their systems and potentially jeopardizing entire organizations’ security.

According to Trend Micro research, the campaign began in early 2026 and has already affected numerous high-profile targets, including DataStax and Neutralinojs.

The threat actor, also referred to as Famous Chollima, poses as recruiters from reputable firms specializing in cryptocurrency and artificial intelligence. They lure unsuspecting developers into participating in fabricated technical assessments, which involve cloning and executing code repositories.

The repositories often contain hidden files and tampered code that, when executed, compromise the system and allow the malware to spread.

Once a developer falls victim to the attack, their own repositories can become sources of infection for others. The malware propagates like a worm, spreading from one compromised system to another, often without the knowledge of its existence.

Malware Propagation

The primary vector of infection involves the use of Visual Studio Code, which is commonly used by developers to manage repositories.

When a developer clones a repository and opens it in Visual Studio Code, they are presented with a trust prompt, which they often accept without close scrutiny. This prompt enables the execution of malicious code contained within the repository.

The risk is exacerbated by the fact that the `.vscode` folder is hidden by default in most file explorers and is frequently excluded from `gitignore` files.

In addition to the Visual Studio Code vulnerability, Void Dokkaei employs a secondary method of injecting heavily obfuscated JavaScript into configuration files. This code is designed to evade detection and is pushed to the right edge of the screen, making it challenging to spot during code reviews.

Research conducted by Trend Micro revealed that over 750 unique repositories carried the obfuscated JavaScript loader, while 392 malicious `tasks.json` files were identified across various platforms.

The malware payload delivered via this infrastructure includes a variant of the DEV#POPPER remote access trojan, which supports simultaneous multi-operator sessions and communicates over WebSocket.

This campaign poses a significant risk to software supply chains and developer workflows, particularly due to its ability to evade automated pipeline scans. As a result, organizations must remain vigilant and take proactive measures to mitigate potential threats.