SAMURAI CYBER WATCH

Issue #5 — May 29, 2026

Practical Cyber Intelligence for Business Leaders in Non-Superpower Nations

THIS WEEK'S BRIEFING

Trust Is the Attack Surface: How Developers Became North Korea's Preferred Entry Point

When the tools built to build software become the weapon — and why your hiring process may be the most dangerous moment in your security posture.

THE KEY DEVELOPMENT

When I finished reading the report Trend Micro published on May 28, 2026, my immediate instinct was that this represents a qualitative shift, not merely a quantitative one. The updates that the North Korea-linked threat group Void Dokkaebi made to its InvisibleFerret infostealer are not simply a matter of added features. The single most significant change to watch this week, in my view, is that the malware is now delivered as Python code compiled into a native binary with Cython rather than as readable scripts.

Cython is a compiler that translates Python code (optionally annotated with C types) into C, which is then built into a native extension module; developers reach for it to speed up the hot paths of their applications. Attackers are now repurposing it for obfuscation and analysis resistance: source that used to sit readable on disk becomes a compiled binary. Conventional signature-based detection engines and static analysis tools that work by reading scripts directly lose much of their effectiveness when confronted with that binary. The trade-off is not entirely one-sided, though. A Cython-built module is still a CPython extension: it needs a Python interpreter to load, it must export the standard PyInit_ entry point, it carries strings that Cython's code generator embeds in everything it produces, and its network and file activity are unchanged. Behavioral telemetry and an inventory of native extension modules in unexpected places therefore remain effective even where script-level signatures fail. From my perspective, having spent more than two decades in this industry, this demonstrates the technical maturity of attackers who have learned to turn the defenders' own knowledge base against them. I cite the Trend Micro report as the primary source for this development; on the question of attribution, I should note that multiple independent security organizations have confirmed a match in the tactics, techniques, and procedures associated with North Korea.
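The inventory check described above, as an added example that is not part of the Trend Micro report or of this newsletter's original text: a Python script that walks a directory tree and flags Cython-built extension modules found outside the normal site-packages and dist-packages trees. It relies only on artifacts Cython's code generator leaves in every module it builds (the mandatory PyInit_ export plus the cython_runtime and .pyx strings), so it will also match legitimate Cython-built packages; the interesting hits are modules in a home directory or a freshly cloned "coding test" repository. The byte blobs at the bottom are constructed stand-ins for file contents, not real malware.

```python
"""Hunt for Cython-compiled Python extension modules outside package trees.

Added example for this briefing, not code from the Trend Micro report or from
the Void Dokkaebi toolset. Cython-built modules are ordinary CPython
extensions, so this looks for generic artifacts Cython's code generator
leaves behind rather than anything specific to InvisibleFerret. Legitimate
Cython-built packages (numpy, lxml, ...) match too; the interesting hits are
modules that live outside site-packages, where a "coding test" repository
or a user-writable directory could have dropped one.
"""
import os
import re
import sys
from dataclasses import dataclass, field

# String literals Cython's generated C embeds; they survive symbol stripping.
CYTHON_MARKERS = (b"cython_runtime", b"__pyx_capi__", b"__pyx_vtable__", b".pyx\x00")

# Every CPython extension module must export a NUL-terminated PyInit_<name>.
PYINIT_RE = re.compile(rb"PyInit_([A-Za-z0-9_]+)\x00")

EXTENSION_SUFFIXES = (".so", ".pyd")
PACKAGE_DIRS = ("site-packages", "dist-packages")

@dataclass
class Finding:
    path: str
    modules: list = field(default_factory=list)   # names from PyInit_ symbols
    markers: list = field(default_factory=list)   # Cython markers present
    in_package_tree: bool = False

def pyinit_names(data: bytes) -> list:
    """Module names declared by PyInit_ symbols found in the blob."""
    return sorted({m.group(1).decode("ascii", "replace") for m in PYINIT_RE.finditer(data)})

def cython_markers(data: bytes) -> list:
    """Which of the Cython-specific string literals the blob contains."""
    return [m.rstrip(b"\x00").decode() for m in CYTHON_MARKERS if m in data]

def is_cython_module(data: bytes) -> bool:
    """True for a CPython extension whose C source was generated by Cython."""
    return bool(pyinit_names(data)) and bool(cython_markers(data))

def classify(path: str, data: bytes):
    """Finding for a Cython module, or None for anything else."""
    if not is_cython_module(data):
        return None
    parts = path.replace("\\", "/").split("/")
    return Finding(path, pyinit_names(data), cython_markers(data),
                   any(p in PACKAGE_DIRS for p in parts))

def hunt(root: str) -> list:
    """Walk root and return Cython modules found outside site/dist-packages."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(EXTENSION_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            f = classify(path, data)
            if f is not None and not f.in_package_tree:
                findings.append(f)
    return findings

# Constructed blobs standing in for file contents (not real malware); a real
# module would be a full ELF/PE image, but only these byte runs are examined.
SAMPLE_CYTHON_EXT = (b"\x7fELF" + b"\x00" * 8 + b"PyInit_task_runner\x00"
                     + b"task_runner.pyx\x00" + b"cython_runtime\x00")
SAMPLE_HANDWRITTEN_EXT = b"\x7fELF" + b"\x00" * 8 + b"PyInit_fastjson\x00Py_BuildValue\x00"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for f in hunt(target):
        print(f"{f.path}: modules={f.modules} markers={f.markers}")
```

Run it against a developer's home directory or a cloned interview repository (`python hunt_cython.py ~/interview-task`); anything it prints is a compiled Python module that a source-only coding exercise has no business containing, and is worth a second look before the interpreter ever imports it.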

The sophistication of the infection vector also warrants attention. A campaign distributing malware through code repositories such as GitHub and GitLab under the guise of fake job interviews is still active, with targets concentrated among software developers in East Asia, including Japan, South Korea, and Taiwan. The premise of a coding test from a well-known tech company is sufficiently realistic and appealing to engineers looking to advance their careers. In many cases the code is run on the developer's everyday work machine, which holds the credentials, keys and repository access used for real work. The scenario is one where a personal device becomes the entry point for contaminating an organization's entire software supply chain.

This week, several independent threads converged on the same underlying theme: the tampering of Checkmarx KICS and elementary-data by a threat actor tracked as TeamPCP, and a supply chain compromise through legitimate distribution channels flagged by CISA. The common structure across all of these is the abuse of development tools and chains of trust. I do not believe this convergence is coincidental. Attackers have already arrived at a shared premise: that trust in developers is the most fragile entry point in modern systems.

JAPAN LENS: JAPANESE ENGINEERING CULTURE AND THE TRUST THAT ATTACKERS EXPLOIT

Having spent more than two decades in this field, let me be direct. The attack vector where Japanese organizations are particularly vulnerable is not people — it is trust in process.

In Japanese engineering culture, trust in packages pulled from official repositories and in CI/CD tools — the automated pipelines used for continuous integration and continuous delivery — already embedded in the corporate environment is granted almost unconditionally. Checkmarx KICS is an open-source scanner that checks infrastructure-as-code definitions such as Terraform, CloudFormation and Kubernetes manifests for security misconfigurations; it runs inside the pipeline, with access to the same repository and often the same credentials as the build itself. The paradox of a tool designed to protect security being itself compromised has historically sat outside the assumptions of many domestic security teams. What I want you to recognize first is that this is no longer a hypothetical — it has manifested as a real incident this week.

The risk of Void Dokkaebi's fake interview campaign penetrating the Japanese market is also far from negligible. As hiring processes have become more digital and more global, receiving a recruiter message on LinkedIn from an overseas company has become an entirely ordinary experience. When a developer is asked to complete a coding test in English, how many of them would recognize it as an attack vector? Frankly, I think very few.

Turning to confirmed domestic incidents this week: a ransomware attack on Matsuzawa Shoten, an attack on the inquiry management system at CKC Group, and a possible data breach affecting personal information of supporters of the Yokohama DeNA BayStars. What stands out is the concentration of attacks on small and mid-sized businesses and sports organizations — sectors where cybersecurity investment is comparatively limited.

What these incidents share is a common misconception: "We are not large enough to be worth targeting." Attackers do not select targets by organizational size; they select by the ratio of attack cost to expected return. Organizations with thin defenses and high urgency to restore operations are the most efficient targets for the ransomware business model. This week's domestic cases illustrate that reality plainly.

BEYOND THE EPICENTER: YOUR SUPPLY CHAIN IS ONLY AS SECURE AS ITS WEAKEST LINK

If your first reaction to this week's incidents was that these are stories about large enterprises that have nothing to do with you, I want to challenge that assumption directly.

Consider the case of Matsuzawa Shoten. A wholesaler of sheet music and music-related books — a sector that seems, at first glance, far removed from cyberattacks — found itself in the serious situation of a complete halt to its ordering and shipping operations. The impact did not stop with the company itself; it cascaded to music schools, instrument retailers, and publishers in its supply chain. Wherever you sit in a supply chain, an operational shutdown propagates. The premise that "an attack on my company won't affect anyone else" is almost never valid in today's business environment.

The tampering of Checkmarx KICS and elementary-data by TeamPCP is not a distant concern for mid-sized companies that have their own software development teams. Organizations that have aggressively adopted open-source CI/CD tools to reduce costs are precisely the ones most likely to fall behind on verifying the integrity of their dependency packages. If a compromised package is used in a legitimate pipeline, credentials can be silently exfiltrated over an extended period. By the time anyone notices, an entire cloud environment may already be under the attacker's control. This week's incidents demonstrate that this scenario is real.

I also want to address the vulnerability in the LiteSpeed cPanel plugin. cPanel is a hosting control panel in widespread use among small and mid-sized businesses and the hosting providers that serve them; LiteSpeed is a web server commonly deployed on cPanel servers as a drop-in replacement for Apache, and it ships a plugin that integrates it with cPanel/WHM. Active exploitation of this vulnerability has already been confirmed. Any business owner who is unsure whether their hosting environment uses cPanel should contact their hosting provider immediately.

STATE ACTOR WATCH: VOID DOKKAEBI AND SHADOW-EARTH-053 — TWO CAMPAIGNS, ONE SHARED PLAYBOOK

Two campaigns with suspected state involvement were independently confirmed this week. I am not in a position to condemn any particular nation-state, but calmly organizing the basis for attribution assessments and their implications is essential work for building a sound defensive strategy. I want to be clear upfront that attribution information is based on analysis by multiple independent security organizations and should not be treated as definitive.

On Void Dokkaebi: multiple independent security organizations have confirmed a match in the tactics, techniques, and procedures associated with North Korea. My analysis is that the Cython compilation of InvisibleFerret is intended not only to evade detection but also to prevent infrastructure identification through malware reverse engineering. The motivations common to North Korea-linked groups — foreign currency acquisition and technology theft — are directed squarely at software companies in East Asian countries with large IT workforces, and Japan is not excluded from that target set.

Shadow-Earth-053 is classified as a Chinese-nexus APT group and has continued to compromise government agencies and defense-related organizations across the Asia-Pacific region by exploiting unpatched Microsoft Exchange vulnerabilities — patches being software updates that fix known security flaws. Unpatched Exchange servers still exist in parts of Japan's public sector and private industry, and the possibility that those systems appear on this campaign's target list cannot be ruled out. This attribution assessment is a synthesis of analysis from multiple organizations, and I note that other possibilities have not been entirely excluded.

What both groups share is the ability to remain undetected while maintaining persistent long-term access. Cases where hundreds of days pass between initial compromise and discovery are not uncommon. Organizations involved in government, defense, or critical infrastructure should build into the foundations of their defensive design the uncomfortable assumption that "no current issues" may mean nothing more than "not yet detected."

DEFEND WITHOUT CHOOSING SIDES

Practical defensive actions drawn from this week's incidents

① Update Chrome immediately. The security update Google released this week addresses 151 vulnerabilities, 22 of which are rated critical. Verify the Chrome version across all devices in your organization and confirm that automatic updates are functioning correctly. In environments managed centrally via MDM, verify that your forced update policy is working as expected before the end of today.

② Lock dependency packages in your CI/CD pipelines using hash pinning. A hash is a fixed-length fingerprint computed from a file's contents; if the recorded hash matches what was downloaded, the package has not been altered since it was pinned. This week's tampering by TeamPCP demonstrated that a package name and version number alone are not sufficient to guarantee integrity. For npm, package-lock.json already records an integrity hash for every registry package and npm ci refuses to install when a fetched tarball does not match, so the work is to commit the lockfile and make npm ci, not npm install, the only path in CI. For Python, requirements.txt carries no hashes by default: generate them (pip-compile --generate-hashes from pip-tools does this) and install with pip install --require-hashes, which fails the build if any requirement lacks a hash or any download disagrees with it. One caveat: hash pinning only proves that what you install today is byte-identical to what you reviewed when you pinned it. It does nothing if the version you pinned was already tampered with, so treat every version bump as a change that deserves the same review as your own code.
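A CI gate that enforces the pinning rule above, as an added example (not tooling from Checkmarx, pip or npm): it fails the build when a requirements.txt line carries no --hash, when a package-lock.json entry lacks an integrity field, or when a downloaded artifact does not match its pinned hash. The requirements text, lockfile dictionary and artifact bytes are constructed samples, and the hex digest in the sample requirements is illustrative rather than a real package's.

```python
"""CI gate: refuse to build unless every dependency is pinned by hash.

Added example for this briefing; it is not tooling from Checkmarx, pip or npm.
It enforces the precondition the package managers' own checks rely on:
`pip install --require-hashes -r requirements.txt` rejects any requirement
without a --hash option, and `npm ci` verifies the `integrity` field of each
package-lock.json entry. A lockfile with gaps quietly falls back to matching
on name and version, which is exactly the guarantee this week's tampering
showed to be insufficient.
"""
import hashlib
import json
import re

HASH_OPT = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")

def _logical_lines(text: str):
    """Yield requirement lines with pip's backslash continuations joined,
    comments stripped and option lines (-r, --index-url, ...) dropped."""
    buf = ""
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("-"):
            yield buf.strip()
        buf = ""

def unhashed_requirements(text: str) -> list:
    """Requirements in a requirements.txt that carry no --hash option."""
    return [line.split()[0] for line in _logical_lines(text) if not HASH_OPT.search(line)]

def load_lock(path: str) -> dict:
    """Parse a package-lock.json file into the dict the checks below expect."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def packages_without_integrity(lock: dict) -> list:
    """Entries in package-lock.json (lockfileVersion 2 or 3) lacking `integrity`.

    The root entry ("") and workspace links never carry one. Git dependencies
    are reported too: npm records no integrity for them, so they are only as
    pinned as the commit reference in `resolved`.
    """
    missing = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link") or "node_modules/" not in path:
            continue
        if not entry.get("integrity"):
            missing.append(path)
    return missing

def requirement_line_for(spec: str, data: bytes) -> str:
    """Pin one artifact the way `pip-compile --generate-hashes` does."""
    return f"{spec} --hash=sha256:{hashlib.sha256(data).hexdigest()}"

def verify_artifact(data: bytes, requirement_line: str) -> bool:
    """Accept a downloaded artifact only if it matches a --hash on its line."""
    expected = HASH_OPT.findall(requirement_line)
    return any(hashlib.new(algo, data).hexdigest() == digest.lower()
               for algo, digest in expected)

def gate(requirements_text: str, lock: dict) -> list:
    """Return violations; an empty list means the build may proceed."""
    problems = [f"requirements.txt: {r} has no --hash" for r in unhashed_requirements(requirements_text)]
    problems += [f"package-lock.json: {p} has no integrity" for p in packages_without_integrity(lock)]
    return problems

# Constructed samples; the digest below is illustrative, not a real artifact's.
SAMPLE_REQUIREMENTS = """\
# pinned with pip-compile --generate-hashes
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
pyyaml==6.0.2
"""
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                                  "integrity": "sha512-constructed-placeholder"},
        "node_modules/local-tool": {"version": "0.1.0",
                                    "resolved": "git+ssh://git@example.com/org/local-tool.git#0123abcd"},
        "node_modules/shared": {"resolved": "packages/shared", "link": True},
        "packages/shared": {"name": "shared", "version": "1.0.0"},
    },
}

if __name__ == "__main__":
    for problem in gate(SAMPLE_REQUIREMENTS, SAMPLE_LOCK):
        print(problem)
```

Wire `gate()` in as the first CI step, before any install command runs, and make a non-empty result fail the job. The sample deliberately contains both kinds of gap: a Python requirement with no hash and an npm git dependency that has no integrity record, which is what npm emits for such dependencies.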

③ Update GitHub Enterprise Server to the latest patch. The critical vulnerability disclosed this week allows unauthorized access to enterprise source code repositories. Organizations running GHES on-premises should review GitHub's official release notes, identify the patch version that needs to be applied, and schedule its deployment. Users of the cloud-hosted GitHub.com are protected automatically, but on-premises operators need to act proactively.

④ Check the LiteSpeed plugin version on any web servers running cPanel. Active exploitation of this vulnerability has already been confirmed. Verify with your hosting provider whether your site's hosting environment uses cPanel, and if it does use the LiteSpeed plugin, request confirmation that it has been updated to the latest version and that the environment has been checked for indicators of compromise.

⑤ Define a policy right now around executing external code during the recruitment process. Void Dokkaebi's fake interview campaign exploits a pathway that depends entirely on individual developer judgment. Formalize a policy across your organization that states: do not execute code received from external parties during a hiring process on a work device. Be precise about what "execute" means, because the dangerous step is rarely running the solution itself: npm install runs any preinstall or postinstall script in package.json, pip install runs setup.py, and pytest imports conftest.py before the first test, so installing dependencies or running the test suite is already execution. A sandbox for this purpose means a disposable virtual machine or container with no corporate credentials, SSH keys, browser sessions or access to the internal network, not a separate folder on the same laptop. If you do not have such an environment or a dedicated isolated machine, this is also a good opportunity to bring the case for establishing one to leadership as a priority.
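The policy above, and the fake-interview vector described in the key development section, both come down to one question a developer can answer before touching a take-home repository: does anything in it run on its own, or hide what it does? The following Python triage script, an added example rather than code from the Trend Micro report or from any campaign it describes, answers that question with generic supply-chain indicators (npm lifecycle scripts, files that execute implicitly, native binaries, and obfuscation or network patterns in source). The sample repository tree at the bottom is constructed for the dry run; a hit is a reason to use the sandbox, not proof of compromise.

```python
"""Pre-execution triage for a take-home coding test or interview repository.

Added example for this briefing; it is not code from the Trend Micro report
or from any campaign it describes, and the indicators below are generic
supply-chain red flags, not signatures of a specific malware family. The
checks answer one question before anyone runs `npm install`, `pip install`
or `pytest`: does anything in this tree execute on its own, or look like it
is hiding what it does? A hit is a reason to run the task in a disposable
VM, not proof of compromise.
"""
import json
import os
import re
import sys
from dataclasses import dataclass

# package.json scripts that npm runs automatically during `npm install`.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Files that run without the developer explicitly invoking them.
AUTO_EXEC_PATHS = {
    ".envrc": "direnv executes this when a shell enters the directory",
    ".vscode/tasks.json": "VS Code tasks can be configured to run on folder open",
    "setup.py": "executed by pip/setuptools during install",
    "conftest.py": "imported automatically by pytest before any test runs",
}

# Native code has no place in a coding exercise that claims to be source only.
NATIVE_SUFFIXES = (".so", ".pyd", ".node", ".dll", ".dylib", ".exe")
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".py", ".sh")

# Content heuristics applied to source files; keys are the reported reasons.
CODE_PATTERNS = {
    "dynamic code execution": re.compile(rb"\b(eval|exec)\s*\(|new\s+Function\s*\("),
    "process spawning": re.compile(rb"child_process|\bsubprocess\b|os\.(system|popen)\s*\("),
    "network access": re.compile(rb"\bfetch\s*\(|XMLHttpRequest|https?\.request\s*\(|urllib\.request|requests\.(get|post)\s*\(|socket\.socket\s*\("),
    "long base64 blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
    "hex-escaped string": re.compile(rb"(\\x[0-9a-fA-F]{2}){16,}"),
}

@dataclass
class Finding:
    path: str
    reason: str

def _package_json_findings(path: str, data: bytes) -> list:
    try:
        scripts = json.loads(data).get("scripts", {})
    except (ValueError, AttributeError):
        return [Finding(path, "package.json is not valid JSON")]
    return [Finding(path, f"lifecycle script '{name}' runs automatically on npm install: {scripts[name]}")
            for name in LIFECYCLE_SCRIPTS if name in scripts]

def triage_tree(files: dict) -> list:
    """files maps repo-relative POSIX paths to contents. Returns all findings."""
    findings = []
    for path, data in sorted(files.items()):
        base = os.path.basename(path)
        if path in AUTO_EXEC_PATHS or base in ("setup.py", "conftest.py"):
            findings.append(Finding(path, AUTO_EXEC_PATHS.get(path) or AUTO_EXEC_PATHS[base]))
        if base == "package.json":
            findings.extend(_package_json_findings(path, data))
        if path.endswith(NATIVE_SUFFIXES) or data.startswith((b"\x7fELF", b"MZ")):
            findings.append(Finding(path, "native binary in a source-only repository"))
        if path.endswith(SOURCE_SUFFIXES):
            findings.extend(Finding(path, reason) for reason, rx in CODE_PATTERNS.items() if rx.search(data))
    return findings

def load_tree(root: str) -> dict:
    """Read a checked-out repository into the mapping triage_tree expects."""
    files = {}
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files

# Constructed sample repository (not a real campaign artifact) for a dry run.
SAMPLE_REPO = {
    "package.json": b'{"name":"interview-task","scripts":{"test":"jest","postinstall":"node scripts/setup.js"}}',
    "scripts/setup.js": b'const cp=require("child_process");eval(Buffer.from("' + b"Q" * 240 + b'","base64").toString());',
    "src/solution.py": b"def solve(xs):\n    return sorted(xs)\n",
    "vendor/helper.node": b"\x7fELF\x02\x01\x01\x00",
    ".envrc": b"export PATH=$PWD/bin:$PATH\n",
}

if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPO
    for f in triage_tree(tree):
        print(f"{f.path}: {f.reason}")
```

Clone with `git clone`, which executes nothing, then run `python triage.py ./interview-task` before opening the folder in an IDE or installing anything. The constructed sample shows the shape of a bad result: a postinstall hook that launches a script which spawns a process and evaluates a base64 blob, a native binary in a vendor directory, and a direnv file that fires on cd.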

NEXT ISSUE

Next week, we continue tracking the evolving threat landscape — including any new developments from this week's supply chain and state-sponsored campaigns. See you Friday.

About us: This newsletter is written from Japan — a country that has been simultaneously targeted by three nation-states (China, Russia, and North Korea) for over a decade. Two of these three (China and Russia) are UN Security Council permanent members with veto power; one is a nuclear-armed state operating outside the international rules-based order. We are not American. We are not Chinese. We have no geopolitical agenda except one: helping ordinary people and small businesses in non-superpower countries protect themselves from digital warfare they never signed up for.

Written by a Japan-based information security professional with over 20 years of experience, in collaboration with AI assistants.

© 2026 Samurai Cyber Watch. Redistribution with attribution permitted for non-commercial use.
