The infamous phony job-offer ploy by North Korean threat actors is evolving into a self-propagating machine that uses compromised developer projects to infect other code repositories and spread like wildfire through the software supply chain.
The so-called “Contagious Interview” gambit that has been tracked for several years has now firmly moved beyond single-target social engineering attacks aimed at compromising organizations via the developer ecosystem: it is now a significant supply chain threat where a compromised developer’s repository itself becomes a worm-like infection vector to spread remote access Trojans (RATs) and other malware, according to a report published this week by Trend Micro.
The latest manifestation of the campaign is by a North Korean actor tracked by Trend Micro as Void Dokkaebi, aka Famous Chollima, which uses fake job lures that target developers with “cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure,” Trend Micro senior threat researcher Lucas Silva wrote in the report.
Attackers use malicious Visual Studio (VS) Code tasks and injected code that can execute during normal development activity to spread malware through the software supply chain as well as steal credentials to crypto wallets and other secrets, according to the report. “When that compromised code reaches organizational or popular open-source repositories, contributors, forks, and downstream projects can also be exposed,” he wrote.
Moreover, the campaign uses blockchain infrastructure for payload staging — including Tron, Aptos, and Binance Smart Chain — which puts parts of its delivery infrastructure beyond traditional security takedowns, he said.
Latest Wave of Infections
Void Dokkaebi systematically targets software developers by posing as recruiters from cryptocurrency and AI firms to lure developers into cloning and executing code repositories as part of a testing process during fake job interviews, according to Trend Micro.
These ongoing campaigns abuse the trust that developers have in the common practice used by organizations to submit prospective candidates to a technical test during a job interview, Joshua Allman, staff tactical response analyst at security firm Huntress, tells Dark Reading.
“Because they are targeting people looking for work, the attackers are likely to have a more engaged target and they can be incredibly precise with who they target,” he says. This can lead to a downstream impact of thousands if they are successful at compromising a popular package/project, Allman observes.
Knowing this, North Korean attackers have abused this attack vector since at least 2023, and they’ve evolved their tactics to go well beyond that initial target. In March alone, Trend Micro identified more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool used by Void Dokkaebi. Repositories belonging to organizations such as data management company DataStax and Java application provider Neutralinojs, also were found to be carrying infection markers.
Moreover, the infected VS code propagation follows the discovery in December of a similar Contagious-Interview style attack that created a malicious npm package factory that operates like a well-oiled machine.
“Worm-Like Behavior”
The VS code initial infection chain starts with a fabricated job interview where the victim is asked to clone a code repository — hosted either on GitHub, GitLab, or Bitbucket and appearing legitimate — and review or run it as part of a technical assessment, according to Trend Micro.
The delivery mechanism abuses VS Code’s workspace task system so that when the victim opens the project in VS Code and accepts the workspace’s trust prompt, the task executes without further interaction. Microsoft did not respond immediately to an email by Dark Reading today requesting comment on this abuse of VS Code.
“In some cases, the task fetches the backdoor directly from a remote URL,” Trend Micro’s Silva wrote. “In others, it launches a font or image file bundled in the repository that contains the malicious payload, a different execution variant that achieves the same result.”
At this point, the attack compromises the targeted developer’s ecosystem; however, the “worm-like behavior” doesn’t start until the victim commits the code to GitHub, he noted.
When that happens, the .vscode folder becomes hidden by default, making the malicious code “an effective Trojan horse” that sends any developer who subsequently clones the repository and opens it in VS Code a trust prompt that, if accepted, repeats the cycle to create “a self-propagating chain” of infections, Silva wrote.
“Each compromised developer seeds new repositories with the infection vector, and each new victim becomes a potential distributor,” Silva wrote.
Software Developers on Alert
Fortunately, there are a number of ways enterprise development teams and developers in the job-seeking process can avoid being compromised by campaigns like this one and inadvertently infecting the supply chain via downstream propagation.
Organizations should ensure that all development projects use a lock file for dependency management, verify the integrity of updates, and always have some form of active endpoint protection “for when something slips through the cracks,” Allman tells Dark Reading.
Prospective job seekers also should “think twice before installing” anything presented to them by a prospective employer and, when presented with a routine coding task, “run it in a separate virtual machine/container that does not have access to any of your credentials/tokens/secrets,” he says.
Trend Micro also made recommendations to developers to avoid being compromised, including treating any external repository, even during a hiring workflow, as untrusted; detecting unauthorized changes and anomalous commits to any repository they’re working with; and limiting privileges and enforcing code-signing validation during the development process.
