Cybersecurity

Cyber: Fake Next.js Job Interview Tests Backdoor Developer's Devices

2026-02-25 0 views admin
Cyber: Fake Next.js Job Interview Tests Backdoor Developer's Devices

A coordinated campaign targeting software developers with job-themed lures is using malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests.

The attacker's goal is to achieve remote code execution (RCE) on developer machines, exfiltrate sensitive data, and introduce additional payloads on compromised systems.

Next.js is a popular JavaScript framework used for building web applications. It runs on top of React and uses Node.js for the backend.

The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments.

The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns.

When the target clones the repository and opens it locally, following a standard workflow, they trigger malicious JavaScript that executes automatically when launching the app.

The script downloads additional malicious code (a JavaScript backdoor) from the attacker's server and executes it directly in memory with the running Node.js process, allowing remote code execution on the machine.

To increase the infection rate, the attackers embedded multiple execution triggers within the malicious repositories, Microsoft explained. These are summarized as follows:

The infection process drops a JavaScript payload (Stage 1) that profiles the host and registers with a command-and-control (C2) endpoint, polling the server at fixed intervals.

The infection then upgrades to a tasking controller (Stage 2) that connects to a separate C2 server, checks for tasks, executes supplied JavaScript in memory, and tracks spawned processes. The payload also supports file enumeration, directory browsing, and staged file exfiltration.

Source: BleepingComputer

🏷️ Tags

attack

More from Cybersecurity

Cyber: Critical Flaws In Claude Code Put Developers' Machines At Risk

Cyber: Critical Flaws In Claude Code Put Developers' Machines At Risk

2026-02-25 0
Cyber: Critical Ramp Forum Seizure Fractures Ransomware Ecosystem

Cyber: Critical Ramp Forum Seizure Fractures Ransomware Ecosystem

2026-02-25 0
Cyber: Pci Council Says Threats To Payments Systems Are Speeding Up

Cyber: Pci Council Says Threats To Payments Systems Are Speeding Up

2026-02-25 0
Cyber: Critical Cisco Sd-wan Bug Exploited In Zero-day Attacks Since 2023

Cyber: Critical Cisco Sd-wan Bug Exploited In Zero-day Attacks Since 2023

2026-02-25 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views