Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
Key takeaways
- Void Dokkaebi (aka Famous Chollima) has evolved beyond single-target social engineering into a self-propagating supply chain threat. A compromised developer’s repository becomes an infection vector for the next wave of victims, creating a worm-like propagation chain through the developer ecosystem.
- The campaign spreads through trusted development workflows, using malicious VS Code tasks and injected code that can execute during normal development activity. When compromised code reaches organizational or popular open-source repositories, contributors, forks, and downstream projects can also be exposed.
- Analysis in March 2026 identified more than 750 infected repositories, over 500 malicious VS …
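A defender-side check for the VS Code task vector named in the takeaways, added here as an example and not taken from the original report: it lists tasks in `.vscode/tasks.json` that start when a folder is opened, and notes whether their terminal is hidden. That the campaign's tasks use `runOptions.runOn: "folderOpen"` is an assumption, since the excerpt does not say which task settings are abused; the function names and the sample are constructed for illustration.

```python
import json
import re
from pathlib import Path

# tasks.json is JSONC: drop comments and trailing commas, leave strings alone.
STRING = r'"(?:\\.|[^"\\])*"'
COMMENTS = re.compile(STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
TRAILING = re.compile(STRING + r"|,(?=\s*[}\]])")

def parse_jsonc(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(TRAILING.sub(keep, COMMENTS.sub(keep, text)))

def auto_run_tasks(doc):
    """Return one finding per task that starts when the folder is opened."""
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        # The command may sit in the task or in a per-OS override block.
        scopes = [task] + [task.get(k) or {} for k in ("windows", "linux", "osx")]
        commands = [str(s["command"]) for s in scopes if "command" in s]
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({"label": task.get("label", "<unlabelled>"),
                         "commands": commands, "hidden": reveal in ("never", "silent")})
    return findings

def scan_tree(root):
    """Map each .vscode/tasks.json under root to its auto-run findings."""
    report = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (ValueError, AttributeError, TypeError, OSError) as exc:
            hits = [{"label": f"<unparseable: {exc}>", "commands": [], "hidden": False}]
        if hits:
            report[str(path)] = hits
    return report

SAMPLE = """{ // constructed sample, not campaign data
  "tasks": [
    {"label": "env-setup", "command": "node ./scripts/prepare.js",
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
    {"label": "build", "command": "npm run build"},
  ]
}"""
if __name__ == "__main__":
    print(auto_run_tasks(parse_jsonc(SAMPLE)))
```

Run `scan_tree` over a directory of cloned repositories before opening any of them in the editor; a finding is a prompt for manual review, not proof of compromise.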
IoC