Cyber: Microsoft Warns Developers Of Fake Next.js Job Repos Delivering...
A "coordinated developer-targeting campaign" is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines.
"The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution," the Microsoft Defender Security Research Team said in a report published this week.
The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).
The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, with names like "Cryptan-Platform-MVP1", and passing them off to job-seeking developers as take-home assessments they are expected to clone and run.
Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, share the end goal of executing attacker-controlled JavaScript directly in memory -
Microsoft noted that all three methods lead to the same JavaScript payload that's responsible for profiling the host and periodically polling a registration endpoint to get a unique "instanceId" identifier. This identifier is subsequently supplied in follow-on polls to correlate activity.
The payload is also capable of executing server-provided JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial foothold into a persistent access pathway: it contacts a different C2 server to receive tasks and executes them in memory so as to leave as few traces on disk as possible.
"The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint, and includes retry logic for resilience," Microsoft said. "It also tracks spawned processes and can stop managed activity and exit cleanly when instructed. Beyond on-demand code execution, Stage 2 supports operator-driven discovery and exfiltration."
While the Windows maker did not attribute the activity to a specific threat actor, the use of VS Code tasks and Vercel domains to stage malware is a tactic that has been adopted by North Korea-linked hackers associated with a long-running campaign known as Contagious Interview.
The end goal of these efforts is to gain the ability to deliver malwar