Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

North Korean hackers operate self-propagating supply chain hack

The North Korean threat actor Void Dokkaebi is conducting a self-propagating supply chain attack by impersonating recruiters to trick developers into downloading malicious GitHub/GitLab repositories. Opening these repositories with a malicious Visual Studio Code configuration triggers automated malware infection, and the compromised code spreads further when cloned by new victims. The campaign has compromised over 750 repositories, deployed a remote access trojan, and utilized a Git history-rewriting tool to conceal code injections.

April 28, 2026, by SC Staff

North Korean state-sponsored threat operation Void Dokkaebi, also known as Famous Chollima, has leveraged phony job interviews to compromise developers with malware as part of a self-spreading supply chain intrusion campaign, GBHackers News reports.

Attacks commenced with the impersonation of cryptocurrency or AI firm recruiters in a bid to lure developers into downloading seemingly legitimate GitHub or GitLab repositories to complete a coding exam, an analysis from Trend Micro researchers showed. Opening the repositories with illicit Visual Studio Code configurations triggers automated task execution and malware infection. Once the compromised code is committed to a repository along with the malicious .vscode configuration, subsequent cloning of that repository turns every additional victim into a distributor of the malware.

Void Dokkaebi was also observed to have conducted direct code injection, which was concealed through the use of a Git history-rewriting commit tampering tool. Multiple blockchain networks have been tapped to host and deploy several payloads, including a DEV#POPPER remote access trojan.

Aside from compromising over 750 repositories, the campaign was noted to have led to more than 500 nefarious VS Code task configurations and the injection of the commit tampering tool across 101 repositories.
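A pre-open check for the automated task execution described above, as an added example that is not from the article or from Trend Micro's analysis. It assumes the auto-run relies on VS Code's `runOptions.runOn: "folderOpen"` task setting (the article does not give the campaign's task contents); the function names and the sample are constructed.

```python
import json, re, sys
from pathlib import Path

# tasks.json is JSONC: drop comments and trailing commas, keep string literals.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def parse_jsonc(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def auto_run_tasks(doc):
    """Return (label, {scope: command line}) per task that runs on folder open."""
    hits = []
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    for task in (t for t in tasks if isinstance(t, dict)):
        opts = task.get("runOptions")
        if not isinstance(opts, dict) or opts.get("runOn") != "folderOpen":
            continue
        # The command can be overridden per OS, so report every variant.
        scopes = {"all": task, **{k: task.get(k) for k in ("windows", "linux", "osx")}}
        variants = {k: " ".join(map(str, [s["command"], *s.get("args", [])]))
                    for k, s in scopes.items() if isinstance(s, dict) and "command" in s}
        hits.append((task.get("label", "<unlabelled>"), variants))
    return hits

def scan_repo(root):
    """Map each .vscode/tasks.json under root to its auto-run tasks."""
    findings = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:  # unreadable or invalid: review by hand
            hits = [("<unparseable>", {"error": str(exc)})]
        if hits:
            findings[str(path)] = hits
    return findings

SAMPLE = """{ // constructed sample, not taken from the campaign
  "tasks": [
    {"label": "build", "command": "make", "args": ["all"]},
    {"label": "env-check", "command": "echo", "args": ["https://example.invalid/x"],
     "windows": {"command": "cmd", "args": ["/c", "echo constructed"]},
     "runOptions": {"runOn": "folderOpen"},},
  ]}"""

if __name__ == "__main__":  # usage: python check_tasks.py <cloned-repo>
    print(json.dumps(scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a fresh clone before opening the folder in the editor; any reported task deserves a manual read of its command.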
