{"id":60515,"date":"2026-04-21T00:00:00","date_gmt":"2026-04-21T00:00:00","guid":{"rendered":"urn:uuid:8f974fda-7558-7a9b-31fb-0440c1b55662"},"modified":"2026-04-21T00:00:00","modified_gmt":"2026-04-21T00:00:00","slug":"void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/","title":{"rendered":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/void-dokkaebi-weaponizes-developer-ecosystem:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/void-dokkaebi-weaponizes-developer-ecosystem.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>In some compromised repositories, we observed both techniques being present simultaneously (i.e., the malicious <span class=\"code\">.vscode\/tasks.json<\/span> alongside the appended obfuscated JavaScript). We believe that there were cases where developers fell victim to <i>both<\/i> propagation methods separately, but also cases where the attackers used both techniques on one victim.<\/p>\n<p>This \u201cdouble infection\u201d mechanism provides redundancy. The <span class=\"code\">tasks.json<\/span> catches developers using VS Code (triggering on folder open), while the injected JavaScript executes for anyone who builds or runs the project regardless of their IDE. 
Together, they guarantee malware execution.<\/p>\n<h3><span class=\"body-subhead-title\">The organizational amplifier<\/span><\/h3>\n<p>The worm-like propagation poses a higher risk when it reaches developers with commit access to organizational or popular open-source repositories. We identified compromised repositories belonging to the following organizations:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><span><a href=\"https:\/\/github.com\/datastax\/metric-collector-for-apache-cassandra\" target=\"_blank\">DataStax<\/a>: At least five repositories were found compromised between January 31 and February 3, 2026; they have since been cleaned.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span><a href=\"https:\/\/github.com\/neutralinojs\/neutralinojs\" target=\"_blank\">Neutralinojs<\/a>: The project had 8,400 stars and 495 forks, and all four repositories were force-pushed with malicious commits in a single automated burst on March 2, 2026. The commits were backdated between 5 and 35 days to blend with legitimate history, and the attack went undetected for 3 days until <a href=\"https:\/\/opensourcemalware.com\/blog\/neutralinojs-compromise\" target=\"_blank\">identified and remediated by the OpenSourceMalware team<\/a>.<\/span><\/span><\/li>\n<\/ul>\n<p>These organizations were found carrying malicious code snippets consistent with these techniques. While we cannot confirm the exact chain of events within these organizations, the indicators are consistent with a scenario where a contributor with commit access was first compromised through the social engineering lure (flow 1), which subsequently enabled the infection of the organizational repositories (flow 2). Once a repository of this scale is compromised, every contributor, every fork, and every downstream project that depends on it becomes a potential victim. 
This amplifies the scope of the campaign from a single developer to an entire ecosystem.<\/p>\n<p>This propagation model is fundamentally different from traditional supply chain attacks, such as the SolarWinds incident that required the compromise of the build infrastructure. Here, no build system is breached. The attack exploits something far simpler:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><span>Developer workflow habits<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span>The tendency to not include <span class=\"code\">.vscode<\/span> folders in <span class=\"code\">.gitignore<\/span><\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span>Not reviewing configuration files line by line<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span>Trusting the contents of their own repositories<\/span><\/span><\/li>\n<\/ul>\n<p>It is also distinct from traditional network worms, which exploit software vulnerabilities to propagate. This campaign propagates through trust in development tools, in colleagues\u2019 commits, and in open-source projects.<\/p>\n<p>With the propagation model established, we now turn to the malware that these infection vectors deliver.<\/p>\n<p><span class=\"body-subhead-title\">The malware in brief: DEV#POPPER RAT variant<\/span><\/p>\n<p>The <span class=\"code\">tasks.json<\/span> vector (flow 1) acts as a straightforward downloader, fetching and executing a payload from a remote URL or bundled file. However, the obfuscated JavaScript injected into source code files (flow 2) is part of a more complex approach. It functions as a multistage loader, which is designed to retrieve and execute payloads from blockchain infrastructure. It progresses through four stages, each employing layers of string shuffling, hexadecimal obfuscation, and character swap algorithms to hinder analysis.<\/p>\n<p>The loader queries the Tron blockchain API to fetch a transaction from a hardcoded wallet address. 
The data extracted from this transaction is used as a reference key to retrieve an encrypted payload from a Binance Smart Chain (BSC) transaction\u2019s input data field. If the Tron query fails, the loader falls back to the Aptos blockchain as an alternative data source.<\/p>\n<p>The retrieved payload is XOR-decrypted using a hardcoded key and executed via <span class=\"code\">eval()<\/span> or by spawning a persistent hidden background process. Across stages, the loader rotates wallet addresses and transaction hashes, allowing each stage to independently update its pointers by simply posting a new transaction to the corresponding blockchain without modifying the malware\u2019s code.<\/p>\n<p>This blockchain-based staging mechanism is particularly significant because it functions as a general-purpose delivery platform. Since the payload is retrieved dynamically from immutable blockchain transactions, the threat actor can deliver any malware from their toolset by simply updating the blockchain reference, including other malware that have been linked to North Korea, such as InvisibleFerret, OtterCookie, OmniStealer, DEV#POPPER, and BeaverTail, all of which have been observed in Void Dokkaebi\u2019s operations. 
A single infected repository can serve as a delivery vector for different payloads at different times, depending on the threat actor\u2019s operational objectives.<\/p>\n<h3><span class=\"body-subhead-title\">DEV#POPPER RAT<\/span><\/h3>\n<p>One of the payloads delivered through this infrastructure is a variant of the DEV#POPPER RAT (version marker 260311), a cross-platform Node.js remote access trojan (RAT) previously <a href=\"https:\/\/www.esentire.com\/blog\/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin\" target=\"_blank\">documented by eSentire<\/a>.<\/p>\n<p>The variant we analyzed introduces a multi-operator session management system, where several operators can work on a compromised machine simultaneously through independent command queues. This indicates team-based operations rather than a single attacker.<\/p>\n<p>The backdoor communicates with its command-and-control (C&amp;C) server via WebSocket (using socket.io-client). It uses HTTP for file uploads, directory exfiltration, and logging, specifically through the <span class=\"code\">\/verify-human\/[VERSION]<\/span> endpoint for heartbeat and notification, and <span class=\"code\">\/u\/f<\/span> for data exfiltration.<\/p>\n<p>These distinctive network patterns provide researchers and analysts with reliable signatures for identifying infected devices. WebSocket connections to unexpected endpoints combined with HTTP traffic matching these URL patterns on developer workstations are strong indicators of compromise.<\/p>\n<p>Two aspects of this variant are directly relevant to the propagation model:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><span>The RAT specifically detects and avoids CI\/CD environments (e.g., GitLab CI, BuildBot) and cloud sandboxes, executing only on real developer workstations. 
This means automated pipeline scanning will miss it entirely.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><span>For persistence, it injects versioned code (markers: C250617A through C250620A) into developer applications (e.g., Antigravity, VS Code, Cursor, Discord, GitHub Desktop) and creates a hidden .node_modules folder for Node.js module search order hijacking. This persistence into developer tooling creates additional opportunities for the worm-like propagation described earlier.<\/span><\/span><\/li>\n<\/ul>\n<h2><span class=\"body-subhead-title\">The scale of contamination<\/span><\/h2>\n<p>To quantify the campaign\u2019s reach, we scanned public code hosting platforms in late March 2026. The following statistics provide a snapshot of the contamination across public repositories.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our research on Void Dokkaebi\u2019s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60516,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9509],"class_list":["post-60515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/void-dokkaebi-weaponizes-developer-ecosystem:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code 
Repositories\",\"datePublished\":\"2026-04-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/\"},\"wordCount\":973,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/\",\"name\":\"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg\",\"datePublished\":\"2026-04-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-
code-repositories\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/","og_locale":"en_US","og_type":"article","og_title":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-21T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/void-dokkaebi-weaponizes-developer-ecosystem:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories","datePublished":"2026-04-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/"},"wordCount":973,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/04\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/","url":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/","name":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/04\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg","datePublished":"2026-04-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/04\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/04\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.jpg","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro 
Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60515"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60515\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60516"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}