Cyber Incident Victim: DataStax

Date: Mar 2026

Location: United States of America

Summary

A North Korean threat actor tracked as Void Dokkaebi (also known as Famous Chollima) launched a fake‑job interview campaign that tricked developers into cloning malicious repositories containing harmful Visual Studio Code tasks and injected code. When victims opened the projects in VS Code and accepted the workspace trust prompt, the malicious task executed automatically, hid the .vscode folder on commit, and turned each compromised repository into a self‑propagating vector that spread remote access Trojans and other malware through the software supply chain, with infected repositories observed at companies including DataStax and Neutralinojs.

Description

The campaign attributed to the North Korean threat actor Void Dokkaebi, also known as Famous Chollima, begins with a fabricated job interview in which the victim is asked to clone a code repository and review or run it as part of a technical assessment. When the repository is opened in Visual Studio Code and the workspace trust prompt is accepted, a malicious VS Code task executes automatically, injecting code that can run during normal development activity. If the victim subsequently commits the code to GitHub, the .vscode folder becomes hidden by default, allowing the malicious code to act as a Trojan horse that triggers the same trust prompt for anyone who later clones the repository and opens it in VS Code, thereby creating a self‑propagating chain of infections. Each compromised developer seeds new repositories with the infection vector, and each new victim becomes a potential distributor of the malware, which includes remote access Trojans and other payloads. The attackers specifically target developers with lures that promise cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure, exploiting the trust placed in standard hiring technical tests.

In March 2026, Trend Micro reported identifying more than 750 infected code repositories, over 500 malicious VS Code task configurations, and 101 instances of the commit‑tampering tool used by Void Dokkaebi among the compromised assets. Repositories belonging to the data management company DataStax and the Java application provider Neutralinojs were found to carry infection markers, indicating that these organizations’ code bases were part of the propagation chain. The report noted that the campaign has been active since at least 2023, with the actors continually refining their tactics to extend beyond the initial interview‑based lure. Trend Micro’s analysis detailed how the abuse of VS Code’s workspace task system and the default hiding of the .vscode folder enable the malware to spread silently across downstream projects and developer environments. The findings underscore the scale of the supply‑chain threat posed by the self‑propagating “Contagious Interview” technique.
