GitLab A.I CyberSecurity Scoring
GitLab
Company Information
Website: https://about.gitlab.com/?utm_medium=social&utm_source=linkedin&utm_campaign=profile
Employees number: 3,318
Number of followers: 1,101,919
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: gitlab.com
GitLab Risk Score (AI oriented)
Between 750 and 799
Updated: 08/06/2026
753/1000
Fair
Baa
GitLab Global Score (TPRM)
Score locked
Current Score
753 Baa (Fair)
7 incidents
-9 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
753
MAY 2026
769
APRIL 2026
768
Cyber Attack
01 Apr 2026 • GitLab
GitLab, Proofpoint, Google, GitHub, Phantom and Firefox: North Korean Hackers Use Fake Coding Tasks to Steal Crypto
North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign
750
LOW-18
A likely North Korean threat actor has conducted a sophisticated phishing campaign, targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked by Proofpoint as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms.
### How the Attack Worked
The campaign used shifting pretexts including fake full-stack developer roles, AI payment agent projects, and ERC-4626 smart-contract testing to lure victims into cloning malicious GitHub or GitLab repositories. Once opened in VS Code or Cursor, a hidden tasks.json file executed automatically, exploiting a legitimate editor feature.
- VS Code displayed a trust prompt, but Cursor ran the payload silently without user interaction.
- The malware installed a fake Google-themed VS Code extension, ensuring persistence by relaunching on macOS and Linux whenever the editor reopened.
- Linux/macOS systems received a Go-based remote access trojan (RAT) from the open-source Overlord framework, while Windows ran JavaScript directly in the editor, leaving no disk footprint.
### Data Theft & Wallet Drainage
The malware targeted cryptocurrency wallets and browser credentials, including:
- Browser extensions: MetaMask, Phantom, Keplr
- Desktop wallets: Exodus, Electrum, Ledger Live
- Saved passwords & cookies from Chrome, Brave, Edge, and Firefox
To bypass security:
- macOS/Linux displayed a fake password prompt, using the input to escalate privileges and dump keychains.
- Windows bypassed Chrome’s app-bound encryption to extract data.
After exfiltration, the malware deleted itself to evade detection.
### Attribution & Distinct Tactics
While resembling Contagious Interview, a long-running North Korean operation, Proofpoint tracks UNK_DeadDrop separately due to its email-led delivery, large-scale repository creation, and self-contained payloads that persist even after infrastructure takedowns. Though attribution remains unconfirmed, the campaign aligns with North Korea’s history of targeting developers since 2022.
MARCH 2026
767
FEBRUARY 2026
771
Vulnerability
11 Feb 2026 • GitLab
GitLab: GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks
GitLab Releases Critical Security Patches for High-Severity Vulnerabilities
773
CRITICAL-2
GitLab has issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE), fixing multiple high-severity vulnerabilities in versions 18.8.4, 18.7.4, and 18.6.6. The patches mitigate risks including denial-of-service (DoS) attacks, cross-site scripting (XSS), and unauthorized data access, which could expose sensitive information such as access tokens.
The most critical flaw, CVE-2025-7659 (CVSS 8.0), involves incomplete validation in GitLab’s Web IDE, allowing unauthenticated attackers to steal tokens and access private repositories. Other notable vulnerabilities include CVE-2025-8099 (CVSS 7.5), a DoS risk in GraphQL introspection, and CVE-2026-0958 (CVSS 7.5), which exploits weak JSON validation to exhaust server resources. XSS and injection flaws, such as CVE-2025-14560 (CVSS 7.3), could enable session hijacking or fake content delivery.
Additional risks include DoS in Markdown tools and dashboards, as well as server-side request forgery (SSRF) vulnerabilities that could probe internal networks. GitLab.com users are already protected, but self-managed instances require immediate updates to prevent exploitation. The patches highlight the ongoing threat of automated attacks targeting unpatched systems. Full details are available in GitLab’s release notes.
FEBRUARY 2026
775
Vulnerability
03 Feb 2026 • GitLab
GitLab: CISA Warns of Actively Exploited GitLab SSRF Vulnerability in Community and Enterprise Editions
Actively Exploited SSRF Vulnerability in GitLab (CVE-2021-39935)
771
CRITICAL-4
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding an actively exploited Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, tracked as CVE-2021-39935. The flaw, added to CISA’s Known Exploited Vulnerabilities Catalog on February 3, 2026, allows unauthenticated attackers to force GitLab servers to make unauthorized requests via the CI Lint API, potentially exposing internal systems or enabling further exploitation.
The vulnerability stems from improper URL validation during CI/CD configuration checks, enabling attackers to scan internal networks, leak credentials, or exploit connected services. While GitLab patched the issue in 2021, recent reports indicate renewed exploitation of unpatched instances, particularly those exposed to the internet.
CISA has set a February 24, 2026 deadline for federal agencies to mitigate the flaw under Binding Operational Directive (BOD) 22-01. The agency highlights the risk of supply-chain attacks, as SSRF flaws in CI/CD pipelines can expose cloud metadata services, revealing sensitive tokens or configurations. Though no specific threat actor has been attributed, SSRF vulnerabilities have historically been used for crypto-mining, lateral movement, and initial access in broader compromises.
GitLab has released security updates for affected versions. Organizations are advised to upgrade immediately, restrict API exposure, monitor logs for suspicious activity, and implement network segmentation to limit potential damage. Given GitLab’s widespread use in DevOps workflows, unpatched instances remain a prime target for attackers.
JANUARY 2026
775
DECEMBER 2025
775
NOVEMBER 2025
774
OCTOBER 2025
774
SEPTEMBER 2025
774
AUGUST 2025
773
JULY 2025
773
JUNE 2025
777
Vulnerability
16 Jun 2025 • GitLab
GitLab: GitLab Critical Security Patches Addressing Multiple Vulnerabilities Including Prompt-Injection Flaw in GitLab Duo
772
CRITICAL-5
GitLab disclosed nine vulnerabilities across its Community (CE) and Enterprise (EE) editions, with CVE-2025-6945 being the most critical—a prompt-injection flaw in GitLab Duo’s AI-powered review feature that allows authenticated attackers to exfiltrate sensitive data from confidential issues via hidden prompts in merge request comments. This exploit leverages AI’s lack of input validation, turning an AI assistant into a vector for data leakage. Additionally, CVE-2025-11224 (a stored XSS vulnerability in the Kubernetes proxy) enables authenticated users to execute malicious scripts, while CVE-2025-2615 and CVE-2025-7000 expose confidential data through GraphQL subscriptions and branch name leaks, respectively. The flaws span versions back to 15.10, creating a broad attack surface for organizations running unpatched instances. Though no evidence of active exploitation exists, the vulnerabilities risk unauthorized access to proprietary code, internal discussions, and project metadata, potentially aiding supply-chain attacks or competitive espionage. GitLab has released patches (versions 18.5.2, 18.4.4, 18.3.6) and urged immediate upgrades for self-managed deployments.
MARCH 2022
759
Vulnerability
01 Mar 2022 • GitLab
GitLab: Critical Vulnerability in GitLab Community
755
CRITICAL-4
A critical vulnerability discovered in GitLab Community could enable an attacker to steal runner registration tokens.
The vulnerability, announced in a GitLab security advisory, affects all versions.
If exploited, it allows an unauthorized user to steal runner registration tokens through an information disclosure vulnerability in quick actions commands.
JANUARY 2022
783
Cyber Attack
01 Jan 2022 • GitLab
GitLab: North Korean fake IT worker tradecraft exposed
North Korean Threat Actors Exploit IT Recruitment to Deploy Malware and Infiltrate Organizations
758
CRITICAL-25
GitLab’s recent research has uncovered a sophisticated campaign by North Korean threat actors who weaponize the tech recruitment process to target software developers, particularly in the cryptocurrency and financial sectors. Posing as recruiters or hiring managers, these actors trick developers into executing malicious payloads under the guise of technical assessments, bypassing traditional security defenses by exploiting trusted hiring pipelines.
The operation, active since at least 2019 and intensifying in 2022, involves fake IT workers, often operating from locations such as Moscow and Beijing, who infiltrate organizations through freelance platforms and smaller companies. One Beijing-based cell, comprising eight North Korean nationals, generated over $1.64 million between Q1 2022 and Q3 2025, with individual earnings exceeding $11,000 per member in Q3 2025. These groups maintain elaborate synthetic personas, sometimes controlling up to 21 unique identities, complete with stolen U.S. documents and fabricated professional histories.
### Key Tactics and Evolution
- Malware Delivery: Threat actors abuse private code repositories (including GitLab and Visual Studio Code) to distribute obfuscated loaders for malware like BeaverTail and Ottercookie, often hosted externally.
- AI-Driven Tradecraft: North Korean groups increasingly rely on AI to refine malware obfuscation, automate synthetic identity creation, and scale deception operations. Tools like ClickFix and generative AI have lowered the barrier for large-scale fraud.
- Targeting Preferences: While U.S.-based developers and fintech firms are primary targets, the campaigns are opportunistic, spanning multiple industries. Smaller organizations with limited vetting processes are particularly vulnerable.
- Operational Security: Actors use consumer VPNs, VPS infrastructures, and laptop farms to mask their origins, though some access was traced to dedicated servers.
### GitLab’s Response and Findings
GitLab disrupted the campaign by banning 131 North Korean-attributed accounts in 2025, many linked to the "Contagious Interview" scheme. Compromised repositories contained sensitive data, including passport scans, banking records, performance reviews, and financial spreadsheets revealing the groups’ internal hierarchies and revenue streams. Performance evaluations even assessed members’ contributions to household tasks (e.g., laundry, shared groceries) alongside technical and ideological adherence.
### Broader Implications
The research highlights the parallel operations of multiple DPRK teams, which share tradecraft but operate with limited coordination. The shift toward AI-enhanced deception and malicious NPM dependencies signals a growing sophistication in social engineering and supply-chain attacks. While freelance platforms remain a common entry point, larger organizations are also at risk as these scams expand in scope.
GitLab’s report includes over 600 indicators of compromise to aid defenders in detecting and mitigating such threats. The findings underscore the persistent threat posed by state-aligned actors exploiting trust in the tech hiring ecosystem.
JANUARY 2021
782
Vulnerability
01 Jan 2021 • GitLab
GitLab and Federal Civilian Executive Branch: CISA Warns of Exploited GitLab Community and Enterprise SSRF Vulnerability
Critical GitLab SSRF Vulnerability Under Active Exploitation, CISA Warns
781
CRITICAL-1
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-39935, a severe server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
The flaw resides in GitLab’s CI Lint API, allowing unauthenticated attackers to manipulate the server into making unauthorized requests to internal systems. By exploiting this weakness, threat actors can bypass perimeter defenses, access restricted resources, and potentially move laterally within compromised networks. The vulnerability (tracked as CWE-918) poses risks including data exposure, supply chain compromise via CI/CD pipeline manipulation, and unauthorized access to cloud metadata or internal infrastructure.
Both GitLab Community and Enterprise Editions are affected, with CISA’s inclusion in the KEV catalog underscoring the urgency of remediation. While no direct links to ransomware campaigns have been confirmed, the flaw’s potential for initial access makes it a prime target for advanced persistent threat (APT) groups and initial access brokers.
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must patch or mitigate the vulnerability by February 24, 2026. Organizations unable to apply fixes are advised to discontinue use of affected GitLab instances until updates are available. GitLab has released patches, and administrators are urged to upgrade immediately, review CI Lint API configurations, and monitor logs for suspicious activity such as unusual API requests or unexpected internal connections originating from GitLab servers.
Cloud-hosted GitLab users should adhere to BOD 22-01 guidance for securing cloud services. The incident highlights the growing threat of SSRF attacks, which can evade traditional security measures by leveraging trusted servers as proxies for malicious activity.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for GitLab?
What was GitLab's A.I Rankiteo Cyber Score in May 2026?
What was GitLab's A.I Rankiteo Cyber Score in April 2026?
What was GitLab's A.I Rankiteo Cyber Score in March 2026?
What was GitLab's A.I Rankiteo Cyber Score in February 2026?
What was GitLab's A.I Rankiteo Cyber Score in January 2026?
What was GitLab's A.I Rankiteo Cyber Score in December 2025?
What was GitLab's A.I Rankiteo Cyber Score in November 2025?
What was GitLab's A.I Rankiteo Cyber Score in October 2025?
What was GitLab's A.I Rankiteo Cyber Score in September 2025?
What was GitLab's A.I Rankiteo Cyber Score in August 2025?
What was GitLab's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on GitLab's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with GitLab?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view GitLab's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?