
DPRK Fake Job Scams Self-Propagate in 'Contagious Interview'

Why This Matters

The evolving North Korean 'Contagious Interview' scam now leverages compromised developer repositories to spread malware across the software supply chain, posing a significant threat to organizations and open-source projects. This self-propagating attack vector highlights the increasing sophistication of nation-state cyber threats targeting critical infrastructure and developer ecosystems, emphasizing the need for enhanced security measures in software development and supply chain management.

Key Takeaways

The infamous phony job-offer ploy by North Korean threat actors is evolving into a self-propagating machine that uses compromised developer projects to infect other code repositories and spread like wildfire through the software supply chain.

The so-called "Contagious Interview" gambit that has been tracked for several years has now firmly moved beyond single-target social engineering attacks aimed at compromising organizations via the developer ecosystem: it is now a significant supply chain threat where a compromised developer's repository itself becomes a worm-like infection vector to spread remote access Trojans (RATs) and other malware, according to a report published this week by Trend Micro.

The latest manifestation of the campaign is by a North Korean actor tracked by Trend Micro as Void Dokkaebi, aka Famous Chollima, which uses fake job lures that target developers with "cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure," Trend Micro senior threat researcher Lucas Silva wrote in the report.


Attackers use malicious Visual Studio (VS) Code tasks and injected code that can execute during normal development activity to spread malware through the software supply chain as well as steal credentials to crypto wallets and other secrets, according to the report. "When that compromised code reaches organizational or popular open-source repositories, contributors, forks, and downstream projects can also be exposed," he wrote.

Moreover, the campaign uses blockchain infrastructure for payload staging — including Tron, Aptos, and Binance Smart Chain — which puts parts of its delivery infrastructure beyond traditional security takedowns, he said.

Latest Wave of Infections

Void Dokkaebi systematically targets software developers by posing as recruiters from cryptocurrency and AI firms to lure developers into cloning and executing code repositories as part of a testing process during fake job interviews, according to Trend Micro.

These ongoing campaigns abuse the trust that developers have in the common practice used by organizations to submit prospective candidates to a technical test during a job interview, Joshua Allman, staff tactical response analyst at security firm Huntress, tells Dark Reading.

"Because they are targeting people looking for work, the attackers are likely to have a more engaged target and they can be incredibly precise with who they target," he says. This can lead to a downstream impact of thousands if they are successful at compromising a popular package/project, Allman observes.
