North Korean threat actors just ran a sophisticated recruiting scam targeting devs. Fake Fireblocks recruiters. Legitimate-looking interviews. Malware disguised as coding assignments. Our security team caught it, disrupted it, and here's exactly how it worked. 🧵
The setup was convincing: LinkedIn profiles with realistic work histories, professionally formatted PDFs, detailed Figma boards, and scheduled Google Meet interviews. No obvious typos. No red flags you'd normally expect from phishing attempts. This was different.
Candidates were asked to clone a GitHub repo and run npm install for a "code review task." Standard developer workflow. Nothing suspicious. Except the setup commands triggered malware execution. Classic Contagious Interview pattern from APT 38.