Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

In some compromised repositories, we observed both techniques being present simultaneously (i.e., the malicious .vscode/tasks.json alongside the appended obfuscated JavaScript). We believe that there were cases where developers fell victim to both propagation methods separately, but also cases where the attackers used both techniques on one victim.

This “double infection” mechanism provides redundancy. The tasks.json catches developers who use VS Code (it triggers on folder open), while the injected JavaScript executes for anyone who builds or runs the project, regardless of their IDE. Together, they guarantee malware execution.
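An added repository audit (example code, not from the original report) that checks a checkout for both vectors described above: a VS Code task configured to run on folder open (`"runOptions": {"runOn": "folderOpen"}` is the setting VS Code honours for that trigger) and an obfuscated JavaScript blob appended to the end of a source file. The scoring thresholds and the heuristics for "obfuscated" are assumptions chosen for illustration.

```python
import json
import re

# Constructed heuristics for the two vectors described above: an auto-run VS Code
# task and an obfuscated JavaScript blob appended to a source file. Thresholds are
# assumptions chosen for illustration, not values taken from the original report.
FOLDER_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')
HEX_ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
LONG_LINE = 500        # assumed: obfuscated one-liners are far longer than hand-written lines
MIN_HEX_ESCAPES = 20   # assumed: density of \xNN escapes typical of hex-obfuscated strings


def flag_autorun_tasks(tasks_json_text):
    """Return the label (or command) of every task that runs when the folder is opened.
    VS Code honours "runOptions": {"runOn": "folderOpen"}: such a task executes as soon
    as the repository is opened, which is the trigger the report describes. tasks.json
    allows comments (JSONC), so fall back to a text match if strict parsing fails.
    """
    try:
        doc = json.loads(tasks_json_text)
    except ValueError:
        return ["<unparseable tasks.json>"] if FOLDER_OPEN_RE.search(tasks_json_text) else []
    flagged = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append(task.get("label") or task.get("command", "<unnamed>"))
    return flagged


def appended_js_score(source_text):
    """Score 0-3 for signs that the last line of a file is an appended obfuscated blob."""
    lines = [ln for ln in source_text.splitlines() if ln.strip()]
    if not lines:
        return 0
    tail = lines[-1]
    score = int(len(tail) > LONG_LINE)
    score += int(len(HEX_ESCAPE_RE.findall(tail)) >= MIN_HEX_ESCAPES)
    score += int("eval(" in tail or "Function(" in tail)
    return score


def audit_repo_files(files):
    """files maps repo-relative path -> text. Returns (path, finding) pairs."""
    findings = []
    for path, text in files.items():
        if path.endswith(".vscode/tasks.json"):
            for label in flag_autorun_tasks(text):
                findings.append((path, "auto-run task on folder open: " + label))
        elif path.endswith((".js", ".mjs", ".cjs", ".ts")) and appended_js_score(text) >= 2:
            findings.append((path, "appended obfuscated JavaScript suspected"))
    return findings
```

Run it over a `{path: text}` map built from `git show` output for each commit to catch a backdated injection before it reaches a developer's workstation.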

The organizational amplifier

The worm-like propagation poses higher risk when it reaches developers with commit access to organizational or popular open-source repositories. We identified compromised repositories belonging to the following organizations:

  • DataStax: At least five repositories were found compromised between January 31 and February 3, 2026; they have since been cleaned.
  • Neutralinojs (8,400 stars and 495 forks): All four repositories were force-pushed with malicious commits in a single automated burst on March 2, 2026. The commits were backdated by between 5 and 35 days to blend in with the legitimate history, and the attack went undetected for 3 days until it was identified and remediated by the OpenSourceMalware team.

These organizations were found carrying malicious code snippets consistent with these techniques. While we cannot confirm the exact chain of events within these organizations, the indicators are consistent with a scenario where a contributor with commit access was first compromised through the social engineering lure (flow 1), which subsequently enabled the infection of the organizational repositories (flow 2). Once a repository of this scale is compromised, every contributor, every fork, and every downstream project that depends on it becomes a potential victim. This amplifies the scope of the campaign from a single developer to an entire ecosystem.

This propagation model is fundamentally different from traditional supply chain attacks such as the SolarWinds incident, which required compromising the build infrastructure. Here, no build system is breached. The attack exploits something far simpler:

  • Developer workflow habits
  • The tendency not to add .vscode folders to .gitignore
  • Not reviewing configuration files line by line
  • Trusting the contents of one’s own repositories

It is also distinct from traditional network worms, which exploit software vulnerabilities to propagate. This campaign propagates through trust in development tools, in colleagues’ commits, and in open-source projects.

With the propagation model established, we now turn to the malware that these infection vectors deliver.

The malware in brief: DEV#POPPER RAT variant

The tasks.json vector (flow 1) acts as a straightforward downloader, fetching and executing a payload from a remote URL or bundled file. However, the obfuscated JavaScript injected into source code files (flow 2) takes a more complex approach. It functions as a multistage loader designed to retrieve and execute payloads from blockchain infrastructure. It progresses through four stages, each employing layers of string shuffling, hexadecimal obfuscation, and character swap algorithms to hinder analysis.

The loader queries the Tron blockchain API to fetch a transaction from a hardcoded wallet address. The data extracted from this transaction is used as a reference key to retrieve an encrypted payload from a Binance Smart Chain (BSC) transaction’s input data field. If the Tron query fails, the loader falls back to the Aptos blockchain as an alternative data source.

The retrieved payload is XOR-decrypted using a hardcoded key and executed via eval() or by spawning a persistent hidden background process. Across stages, the loader rotates wallet addresses and transaction hashes, allowing each stage to independently update its pointers by simply posting a new transaction to the corresponding blockchain without modifying the malware’s code.

This blockchain-based staging mechanism is particularly significant because it functions as a general-purpose delivery platform. Since the payload is retrieved dynamically from immutable blockchain transactions, the threat actor can deliver any malware from their toolset by simply updating the blockchain reference, including other malware families linked to North Korea, such as InvisibleFerret, OtterCookie, OmniStealer, DEV#POPPER, and BeaverTail, all of which have been observed in Void Dokkaebi’s operations. A single infected repository can serve as a delivery vector for different payloads at different times, depending on the threat actor’s operational objectives.

DEV#POPPER RAT

One of the payloads delivered through this infrastructure is a variant of the DEV#POPPER RAT (version marker 260311), a cross-platform Node.js remote access trojan (RAT) previously documented by eSentire.

The variant we analyzed introduces a multi-operator session management system, where several operators can work on a compromised machine simultaneously through independent command queues. This indicates team-based operations rather than a single attacker.

The backdoor communicates with its command-and-control (C&C) server via WebSocket (using socket.io-client). It uses HTTP for file uploads, directory exfiltration, and logging, specifically through the ‘/verify-human/[VERSION]’ endpoint for heartbeat and notification, and ‘/u/f’ for data exfiltration.

These distinctive network patterns provide researchers and analysts with reliable signatures for identifying infected devices. WebSocket connections to unexpected endpoints combined with HTTP traffic matching these URL patterns on developer workstations are strong indicators of compromise.
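As an added detection example (not code from the original report), the following script applies the two URL patterns described above to proxy log lines and groups hits by client and destination host, so a workstation that talks to one host on both the heartbeat and exfiltration paths stands out. The log format, client addresses and hosts are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, URL, status); the hosts
# and addresses are documentation values, not indicators from the report.
SAMPLE_LOG = """\
2026-03-20T09:00:01Z 10.0.0.21 GET https://registry.npmjs.org/lodash 200
2026-03-20T09:00:07Z 10.0.0.21 POST http://203.0.113.10:3000/verify-human/260311 200
2026-03-20T09:02:30Z 10.0.0.21 POST http://203.0.113.10:3000/u/f 200
2026-03-20T09:03:00Z 10.0.0.35 GET https://example.com/u/f/readme 200
2026-03-20T09:04:00Z 10.0.0.35 POST https://example.com/verify-human/login 200
"""

# Rules derived from the endpoint shapes described above: /verify-human/<version>
# (heartbeat and notification) and /u/f (exfiltration). The version is a numeric
# marker such as 260311, so the rule requires digits rather than any path segment.
RULES = {
    "devpopper_heartbeat": re.compile(r"^/verify-human/\d+$"),
    "devpopper_exfil": re.compile(r"^/u/f$"),
}


def match_line(line):
    """Return (client, host, rule_name) for a line that hits a rule, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, _method, url, _status = parts
    u = urlsplit(url)
    for name, pattern in RULES.items():
        if pattern.match(u.path):
            return client, u.netloc, name
    return None


def suspected_hosts(log_text):
    """Group rule hits by (client, destination host); both rules on one host is a strong match."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = match_line(line)
        if m:
            client, host, name = m
            hits[(client, host)].add(name)
    return {key: sorted(names) for key, names in hits.items()}
```

The anchored patterns keep look-alike paths such as `/u/f/readme` or `/verify-human/login` from firing; pair the HTTP hits with WebSocket upgrade events to the same host for higher confidence.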

Two aspects of this variant are directly relevant to the propagation model:

  • The RAT specifically detects and avoids CI/CD environments (e.g., GitLab CI, BuildBot) and cloud sandboxes, executing only on real developer workstations. This means automated pipeline scanning will miss it entirely.
  • For persistence, it injects versioned code (markers: C250617A through C250620A) into developer applications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop) and creates a hidden .node_modules folder for Node.js module search order hijacking. This persistence into developer tooling creates additional opportunities for the worm-like propagation described earlier.

The scale of contamination

To quantify the campaign’s reach, we scanned public code hosting platforms in late March 2026. The following statistics provide a snapshot of the contamination across public repositories.
