The Trojan Interview: How Void Dokkaebi Exploits Developer Trust to Fuel Supply Chain Attacks
In the high-stakes world of software engineering, a job offer is often the ultimate motivator. However, the threat actor known as Void Dokkaebi (also identified as Famous Chollima) is turning this professional aspiration into a sophisticated delivery mechanism for malware. By weaponizing the very tools developers rely on daily, they have shifted from simple social engineering to executing complex, worm-like supply chain compromises.
The campaign’s entry point is deceptively simple: attackers pose as recruiters from high-growth sectors like Artificial Intelligence or Cryptocurrency. They lure talented engineers into a technical assessment, directing them to clone specific repositories from platforms like GitHub or GitLab. What appears to be a routine coding test is, in reality, a carefully crafted trap.
The technical payload is hidden within the .vscode/tasks.json configuration file. When a developer opens the project and grants “workspace trust”—a standard procedure for many—the IDE automatically triggers a background task. This task serves as a downloader, fetching and executing malicious code under the guise of legitimate development automation. Recent forensic analysis confirms that this represents a significant evolution in the group’s tactics, moving beyond static phishing toward an automated, self-propagating ecosystem.
Weaponizing the Workflow: A Worm-Like Propagation Model
What makes Void Dokkaebi particularly dangerous is the “wormable” nature of their attack. The infection does not end with the initial victim; instead, it leverages the fundamental mechanics of Version Control Systems (VCS). Because the .vscode directory is often omitted from .gitignore files, the malicious configuration is inadvertently committed back to the shared repository.
This creates a chain reaction: once an infected developer pushes code to a project, any teammate who subsequently clones that repository becomes a potential secondary victim. The malware effectively “hitchhikes” on the trust established between collaborators.

Beyond configuration hijacking, the group employs a more aggressive “active injection” method. Once a machine is compromised, attackers inject obfuscated JavaScript into commonly overlooked configuration files, such as eslint or tailwind.config.js. To ensure these changes remain invisible to human reviewers, they utilize sophisticated Git history tampering. By rewriting the Git log, they can forge timestamps and authorship, making a malicious commit look like a routine update from a legitimate contributor.
The Scale of Compromise and Blockchain Persistence
The technical precision of this campaign is evident in its ability to bypass modern DevOps security. By utilizing the --no-verify flag, attackers can bypass pre-commit hooks and CI/CD security gates that might otherwise flag suspicious code. They then force-push the amended history to the remote branch, effectively “cleaning” the crime scene while leaving the payload intact.

temp_auto_push.bat script used to automate the tampering process (Source: Trend Micro).The impact is widespread. As of late March 2026, research has uncovered a massive footprint:
- 750+ infected repositories identified.
- 500+ unique malicious VS Code task configurations.
- 101+ repositories containing specialized commit-tampering toolsets.
The breach of repositories linked to established entities like DataStax and Neutralinojs demonstrates that even high-profile open-source and enterprise ecosystems are vulnerable. In several instances, a single compromised upstream project exposed thousands of downstream users to the threat.

Perhaps most innovative is the group’s use of decentralized infrastructure. Void Dokkaebi utilizes blockchain networks—specifically Tron, Aptos, and Binance Smart Chain—to host malware payloads. By embedding encrypted payloads within blockchain transactions, they create an immutable and decentralized Command and Control (C2) architecture. This makes traditional domain takedowns impossible, as the “servers” are essentially part of a global, peer-to-peer ledger.
This method is utilized by variants of the DEV#POPPER remote access trojan (RAT), which pulls, decrypts, and executes payloads directly from the chain, allowing for real-time updates without ever touching the original source code.
Defense-in-Depth: Protecting the Developer Workflow
Void Dokkaebi’s success relies on the exploitation of trust in our most fundamental developer workflows. To defend against this highly specialized threat, security teams should move toward a zero-trust model for local development environments:
- Sandboxing: Always use isolated containers (e.g., Docker, Dev Containers) when performing coding tests or investigating unknown repositories.
- Strict Version Control Hygiene: Explicitly add
.vscode/to your global or project-level.gitignoreto prevent accidental propagation. - Enforce Integrity: Implement mandatory signed commits (GPG/SSH) and configure repository settings to block force-pushes to protected branches.
- Code Auditing: Scan for suspicious patterns in configuration files, specifically looking for the
global[‘!’]initialization marker used by the obfuscated JavaScript loaders. - Network Monitoring: Monitor for unusual outbound traffic directed toward blockchain RPC endpoints or unknown C2 infrastructures.
As attackers continue to move “left” into the development phase, our security measures must evolve beyond the perimeter and into the very tools we use to build the future.