A simple job interview could be all it takes to compromise your entire development environment.
In a sophisticated campaign, the North Korea-linked threat group Void Dokkaebi is targeting developers with fake job interviews, tricking them into running malicious code disguised as technical assessments. What starts as a routine coding test quickly turns into a supply chain attack, infecting repositories and spreading malware across teams and organizations.
This blog explains how the attack works, why it’s uniquely dangerous, and how developers and security teams can defend against it.
What Is Fake Job Interview Malware?
Fake job interview malware is a social engineering attack targeting developers, where attackers pose as recruiters and distribute malicious code through seemingly legitimate repositories.
Key Threat Actor: Void Dokkaebi (Famous Chollima)
- Linked to North Korean cyber operations
- Focuses on crypto, AI, and developer ecosystems
- Uses trusted platforms like GitHub, GitLab, Bitbucket
Why Developers Are Targeted
- High-value access to source code and infrastructure
- Ability to unintentionally spread malware via repositories
- Trust in collaborative coding environments
How the Attack Works
Step-by-Step Attack Chain
1. Initial Contact
- Developer is approached on LinkedIn or similar platforms
- Attacker poses as a recruiter
2. Fake Technical Interview
- Candidate is asked to complete a coding task
- Candidate is provided with a repository link
3. Repository Cloning
- Repo appears legitimate
- Contains hidden malicious code
4. Execution Trigger
- Opening the project triggers the malware
- Often through VS Code configuration files
5. System Compromise
- Remote access trojan (RAT) is installed
- Attacker gains control of the machine
6. Worm-Like Propagation
- Malware spreads through the victim’s repositories
- Infects other developers automatically
Inside the Infection Chain
1. VS Code Task Abuse
Attackers exploit a hidden file: .vscode/tasks.json
How it works:
- Executes automatically when the project opens
- Requires minimal user interaction
- Downloads or runs malicious payloads
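One way to catch this on a freshly cloned repository before opening it in the editor, as an added example (not code from the post or from any vendor): a scanner that flags tasks.json entries configured to run on folder open or whose command fetches and evaluates content. It assumes VS Code's documented tasks.json schema, including runOptions.runOn set to "folderOpen"; the sample file is constructed.

```python
"""Audit a VS Code tasks.json for tasks that auto-run on folder open.
Added example for this post; assumes the standard tasks.json schema
("tasks" array, optional runOptions.runOn == "folderOpen")."""
import json
import re

# Tokens that fetch or evaluate content; heuristic, extend to taste.
SUSPICIOUS = ("curl", "wget", "invoke-webrequest", "node -e", "powershell", "eval(")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments so json.loads accepts VS Code's JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def audit_tasks_json(text: str) -> list:
    """Return (label, reason, command) findings; empty list means nothing flagged."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        label = task.get("label", "<unlabeled>")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((label, "auto-runs on folder open", cmd))
        hits = [t for t in SUSPICIOUS if t in cmd.lower()]
        if hits:
            findings.append((label, "fetches/evaluates content: " + ", ".join(hits), cmd))
    return findings


# Constructed sample, not an artifact from the campaign.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node",
     "args": ["-e", "require('http').get('http://example.invalid/x')"],
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

if __name__ == "__main__":
    for label, reason, cmd in audit_tasks_json(SAMPLE_TASKS_JSON):
        print(f"[{label}] {reason}: {cmd}")
```

Run it against every repository you clone for an assessment; a clean project should produce no findings.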
2. Repository Poisoning
Once inside:
- JavaScript is injected into source files
- Malicious code is hidden using whitespace
- Hard to detect during code review
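An added example (not from the post) of a check for code hidden behind runs of whitespace: it flags lines where a second chunk of code begins far beyond the visible width after a long gap, which is what a reviewer's editor and diff view would miss. The column thresholds and the sample JavaScript file are assumptions.

```python
"""Flag source lines that carry a second chunk of code far to the right of
the visible text, hidden behind a long run of spaces or tabs.
Added example for this post; the column thresholds and sample file are assumptions."""
import re

MIN_GAP = 40        # whitespace run that no normal formatter would emit
HIDE_COLUMN = 120   # beyond this column most editors need horizontal scrolling


def find_hidden_code(source: str, min_gap: int = MIN_GAP,
                     hide_column: int = HIDE_COLUMN) -> list:
    """Return (line_no, column, snippet) for each suspicious line.
    A match needs real code before the gap (so indentation is ignored),
    a gap of at least `min_gap` blanks, and a tail starting past `hide_column`."""
    pattern = re.compile(r"\S[ \t]{%d,}(\S.*)$" % min_gap)
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = pattern.search(line)
        if m and m.start(1) >= hide_column:
            findings.append((no, m.start(1), m.group(1)[:60]))
    return findings


# Constructed sample: an ordinary file whose third line drags a hidden tail.
SAMPLE_JS = (
    "const express = require('express');\n"
    "const app = express();\n"
    "app.get('/', (req, res) => res.send('ok'));"
    + " " * 200 + "require('http').get('http://example.invalid/p');\n"
    "app.listen(3000);\n"
)

if __name__ == "__main__":
    for no, col, snippet in find_hidden_code(SAMPLE_JS):
        print(f"line {no}: code resumes at column {col}: {snippet}")
```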
3. Commit Tampering
A script called temp_auto_push.bat performs:
- Rewriting commit history
- Preserving author name and timestamps
- Force-pushing malicious changes
Result: the malicious commits appear legitimate.
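An added example, not from the post, of the check that exposes this kind of tampering and backs the signed-commit policy recommended later on this page: it reads each commit's signature status from git log and flags every commit that is not verifiably signed, since a preserved author name and timestamp do not survive signature verification. It assumes the output of git log --format='%H%x09%G?%x09%an%x09%aI'; the sample log is constructed.

```python
"""Flag commits whose signature does not verify, so a rewritten history that
preserves author names and timestamps still stands out.
Added example for this post; feed it the output of
git log --format='%H%x09%G?%x09%an%x09%aI'. The sample log is constructed."""

# %G? values as documented by git: G good, B bad, U good/untrusted, X expired,
# Y expired key, R revoked key, E cannot be checked, N no signature.
ACCEPTED = frozenset({"G"})  # only fully verified signatures pass
STATUS_TEXT = {"N": "unsigned", "B": "bad signature", "U": "untrusted key",
               "X": "expired signature", "Y": "expired key",
               "R": "revoked key", "E": "signature could not be checked"}


def audit_signatures(log_text: str, accepted=ACCEPTED) -> list:
    """Return (sha, author, date, reason) for each commit not in `accepted`,
    newest first, exactly as git log orders them."""
    findings = []
    for line in log_text.strip().splitlines():
        sha, status, author, date = line.split("\t", 3)
        if status not in accepted:
            reason = STATUS_TEXT.get(status, "unknown status " + status)
            findings.append((sha, author, date, reason))
    return findings


def suspect_range(findings: list) -> tuple:
    """(newest, oldest) flagged SHAs, the span a force-push rewrite would cover."""
    if not findings:
        return ()
    return (findings[0][0], findings[-1][0])


# Constructed sample; SHAs, names and dates are invented for illustration.
SAMPLE_LOG = "\n".join([
    "a1b2c3d\tG\tAlice Dev\t2026-03-03T10:00:00+00:00",
    "d4e5f6a\tN\tAlice Dev\t2026-03-02T11:30:00+00:00",
    "0f1e2d3\tB\tAlice Dev\t2026-03-01T09:15:00+00:00",
    "9c8b7a6\tG\tBob Dev\t2026-02-27T16:45:00+00:00",
])

if __name__ == "__main__":
    hits = audit_signatures(SAMPLE_LOG)
    for sha, author, date, reason in hits:
        print(f"{sha} {author} {date}: {reason}")
    print("suspect range:", suspect_range(hits))
```

Wire the same check into a protected-branch rule or a CI job so that a force-push carrying unsigned rewrites is rejected rather than merely reported.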
4. Payload: DEVSPOPPER RAT
A cross-platform Node.js-based remote access trojan:
- Communicates via WebSocket
- Uses HTTP for data exfiltration
- Supports multiple attacker sessions
Evasion Techniques
- Detects CI/CD environments
- Avoids sandbox execution
- Runs only on real developer machines
Real-World Impact and Scale
By March 2026:
- 750+ infected repositories
- 500+ malicious VS Code task configs
- 100+ commit tampering instances
Even trusted projects were affected:
- DataStax
- Neutralinojs
Why This Is a Supply Chain Nightmare
- Malware spreads through legitimate commits
- Developers unknowingly infect others
- Traditional security tools often miss it
Why This Attack Is So Dangerous
1. Trust Exploitation
Developers trust:
- Code repositories
- Recruiters
- Open-source contributions
2. Self-Propagating Mechanism
- No need for repeated phishing
- Infection spreads automatically
3. CI/CD Blind Spots
- Malware avoids pipelines
- Evades automated scanning tools
4. Persistent Access
- Attackers maintain long-term control
- Multiple operators per infected system
Common Mistakes Developers Make
❌ Running Interview Code Locally
Never execute untrusted code on your main machine.
❌ Ignoring VS Code Prompts
Workspace trust prompts can trigger malicious tasks.
❌ Weak Git Controls
Unsigned commits allow tampering to go unnoticed.
Best Practices to Prevent This Attack
For Developers
- Use isolated environments (VMs/containers) for tests
- Never run interview code on personal machines
- Inspect .vscode/ configurations before opening projects
For Organizations
1. Enforce Secure Git Policies
- Require GPG or SSH-signed commits
- Enable branch protection rules
- Mandate pull request reviews
2. Block VS Code Exploits
- Add .vscode/ to .gitignore
- Prevent execution of untrusted tasks
3. Monitor Developer Workstations
- Endpoint Detection & Response (EDR)
- Detect abnormal outbound connections
4. Threat Hunting Indicators
Look for:
- Obfuscated JavaScript that accesses global through string keys such as '!' and '_V'
- The temp_auto_push.bat script
Network-Level Monitoring
Watch for connections to:
- Blockchain APIs (e.g., TronGrid)
- Binance Smart Chain endpoints
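For the RAT's WebSocket sessions described above and the network indicators in this section, an added example (not from the post) of detection logic over a constructed workstation connection log: it flags Node.js processes that upgrade a connection to WebSocket and any process reaching blockchain API hosts. The log format, the two watchlist hosts and the process names are assumptions.

```python
"""Hunt for the post's network indicators in a workstation connection log:
Node.js processes that upgrade to WebSocket, and any process talking to
blockchain API hosts. Added example for this post; the log format, the
watchlist hosts and the process names are assumptions."""
import re

# Illustrative watchlist only; populate it from your own threat intelligence.
BLOCKCHAIN_API_SUFFIXES = ("trongrid.io", "bsc-dataseed.binance.org")
NODE_PROCESSES = ("node", "node.exe")
# Assumed EDR-style line: <timestamp> <process> <pid> <proto> <host>:<port> [upgrade=websocket]
LINE = re.compile(r"(?P<ts>\S+) (?P<proc>\S+) (?P<pid>\d+) (?P<proto>\S+) "
                  r"(?P<host>[^:\s]+):(?P<port>\d+)(?: upgrade=(?P<upgrade>\S+))?")


def classify(line: str):
    """Return (process, pid, host, [reasons]) when a line matches an indicator, else None."""
    m = LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    reasons = []
    if f["host"].endswith(BLOCKCHAIN_API_SUFFIXES):
        reasons.append("blockchain API endpoint")
    if f["proc"] in NODE_PROCESSES and f["upgrade"] == "websocket":
        reasons.append("node process opened a WebSocket")
    return (f["proc"], f["pid"], f["host"], reasons) if reasons else None


def hunt(log_text: str) -> list:
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.strip().splitlines()) if hit]


# Constructed sample log; hosts and PIDs are invented (203.0.113.10 is TEST-NET-3).
SAMPLE_LOG = """\
2026-03-03T08:00:01Z code 4120 tcp example.com:443
2026-03-03T08:00:05Z node 4188 tcp api.trongrid.io:443
2026-03-03T08:00:06Z node 4188 tcp 203.0.113.10:443 upgrade=websocket
2026-03-03T08:00:09Z chrome 3001 tcp example.com:443 upgrade=websocket
2026-03-03T08:01:00Z node 4188 tcp bsc-dataseed.binance.org:443
"""

if __name__ == "__main__":
    for proc, pid, host, reasons in hunt(SAMPLE_LOG):
        print(f"{proc}[{pid}] -> {host}: " + "; ".join(reasons))
```

A browser opening a WebSocket is normal; the same PID of a Node.js process both holding a WebSocket and querying blockchain APIs is the combination worth escalating.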
Frameworks and Standards Alignment
NIST Cybersecurity Framework
- Identify: Developer endpoint risks
- Protect: Secure coding environments
- Detect: Monitor unusual repo activity
- Respond: Contain compromised systems
- Recover: Restore clean codebases
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | Spearphishing via recruitment |
| Execution | Malicious scripts (VS Code tasks) |
| Persistence | Code injection in repositories |
| Defense Evasion | Commit tampering |
| Command & Control | WebSocket-based RAT |
Tools to Strengthen Defense
- Endpoint Detection & Response (EDR)
- Secure code scanning tools
- Git security platforms
- DevSecOps pipelines
- Threat intelligence feeds
FAQs: Fake Job Interview Malware
1. What is fake job interview malware?
It’s a social engineering attack where developers are tricked into running malicious code during fake interviews.
2. Who is behind this campaign?
The threat group Void Dokkaebi, linked to North Korea.
3. How does the malware spread?
Through infected repositories and compromised developer accounts.
4. What is DEVSPOPPER?
A Node.js-based remote access trojan used to control infected machines.
5. Why doesn’t CI/CD detect it?
The malware avoids running in automated environments and targets real machines.
6. How can developers stay safe?
Use isolated environments, verify code, and enforce secure Git practices.
Conclusion
The Void Dokkaebi fake job interview campaign highlights a dangerous evolution in cyber threats—where developer workflows themselves become the attack vector.
By combining social engineering, supply chain compromise, and stealthy malware propagation, attackers can scale infections across entire ecosystems.
Key takeaway:
Never run untrusted code—especially during job interviews.
Organizations must adopt DevSecOps best practices, enforce repository security, and prioritize endpoint protection for developers.
Now is the time to audit your development workflows and secure your software supply chain.