What Happened
Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes.
Why It Matters
The article describes North Korean–linked campaigns (Contagious Interview / Famous Chollima / HexagonalRodent / Void Dokkaebi) that weaponize developer tools and workflows—including fake code reviews, job-recruitment lures, and malicious GitHub/GitLab repositories—to deliver malware through IDEs and dev environments.[3][4] These operations specifically target developers and crypto/Web3 projects by turning trusted tooling (e.g., VS Code projects and cloned repos) into delivery channels for credential theft, backdoors, and crypto theft.[3][4] From a CyberSE.AI perspective, this is a critical AI/software supply chain issue: any AI agents or AI model pipelines that automatically clone, build, or execute code from external repositories could be compromised in the same way unless there is strong provenance verification, repository trust policies, and SBOM-driven validation. Organizations should pair supply-chain hardening (provenance checks, signed artifacts, dependency vetting) with continuous red teaming of AI-assisted development and deployment pipelines to detect and contain such dev-tool–based intrusion paths.
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
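The repository trust policy and human approval gate called for above can be made concrete as a pre-execution check in an AI agent or CI job that clones external code. The following is an added illustration, not code from the article, Proofpoint, or any tool named on the page. It assumes the agent already has a local clone and can read its files as text; the allowlist of trusted origins (`TRUSTED_ORIGIN_PREFIXES`) is a placeholder to replace with your own, and the two file checks (VS Code tasks configured to run on folder open, and npm lifecycle scripts) are examples of workspace configuration that executes code without an explicit build step, not an exhaustive list.

```python
"""Repository trust gate for an agent that clones and runs external code.

Added example, not from the article or any referenced project.
Policy: automatic execution is allowed only when the remote origin is on an
allowlist AND the checkout contains no configuration that runs commands on
open or on install. Anything else is routed to human approval.
"""
import json
import re
from dataclasses import dataclass, field

# Placeholder allowlist (assumption): replace with your organisation's trusted origins.
TRUSTED_ORIGIN_PREFIXES = ("https://github.com/example-org/",)

# Matches git@host:org/repo.git and ssh://git@host/org/repo.git remote forms.
_SSH_RE = re.compile(r"^(?:ssh://)?git@([^:/]+)[:/](.+)$")

# npm lifecycle hooks that run code as a side effect of `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def normalize_remote(url: str) -> str:
    """Canonicalise a git remote to https://host/org/repo/ so prefix matching is reliable."""
    url = url.strip()
    m = _SSH_RE.match(url)
    if m:
        url = f"https://{m.group(1)}/{m.group(2)}"
    if url.endswith(".git"):
        url = url[:-4]
    return url.rstrip("/") + "/"


def origin_trusted(url: str, prefixes=TRUSTED_ORIGIN_PREFIXES) -> bool:
    """True only if the canonical remote sits under an allowlisted org prefix."""
    norm = normalize_remote(url)
    return any(norm.startswith(p.rstrip("/") + "/") for p in prefixes)


def folder_open_tasks(tasks_json: str) -> list:
    """Labels of VS Code tasks whose runOptions.runOn is 'folderOpen'."""
    try:
        doc = json.loads(tasks_json)
    except json.JSONDecodeError:
        # tasks.json may be JSONC (comments); do not guess, send to a human.
        return ["<unparseable tasks.json: review manually>"]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    hits = []
    for task in tasks:
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append(str(task.get("label", "<unlabelled>")))
    return hits


def lifecycle_scripts(package_json: str) -> dict:
    """Subset of package.json 'scripts' that npm runs automatically on install."""
    try:
        doc = json.loads(package_json)
    except json.JSONDecodeError:
        return {"<unparseable package.json>": "review manually"}
    scripts = doc.get("scripts", {}) if isinstance(doc, dict) else {}
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_repo(remote_url: str, files: dict) -> GateResult:
    """files maps repo-relative path -> file text, as read from the agent's clone."""
    reasons = []
    if not origin_trusted(remote_url):
        reasons.append(f"origin not on allowlist: {normalize_remote(remote_url)}")
    for label in folder_open_tasks(files.get(".vscode/tasks.json", "{}")):
        reasons.append(f"VS Code task runs on folder open: {label}")
    for hook, cmd in lifecycle_scripts(files.get("package.json", "{}")).items():
        reasons.append(f"npm lifecycle script '{hook}': {cmd}")
    return GateResult(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample checkout, not taken from any real repository.
    SAMPLE_FILES = {
        ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "setup", "type": "shell", "command": "node setup.js",
             "runOptions": {"runOn": "folderOpen"}}]}),
        "package.json": json.dumps({"name": "demo", "scripts": {
            "postinstall": "node setup.js", "test": "jest"}}),
    }
    result = evaluate_repo("git@github.com:unknown-user/demo.git", SAMPLE_FILES)
    print("allowed" if result.allowed else "blocked: human approval required")
    for reason in result.reasons:
        print(" -", reason)
```

The gate deliberately fails closed: an unparseable configuration file is treated as a reason to stop, not as "nothing found", because the cost of a false block is one human review while the cost of a false pass is arbitrary code running inside the pipeline.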
Source
https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html