Microsoft warns that hackers are seeding malicious repositories disguised as legitimate Next.js projects, luring developers into running secret-stealing malware during supposed job interviews.
Next.js developers are once again in the crosshairs as hackers seed malicious repositories disguised as legitimate projects, according to Microsoft, which said a limited set of those repos were directly tied to observed compromises. Microsoft said the repositories use different methods to execute on developers' machines, but all lead to the same outcome: in-memory execution of malicious JavaScript.
All of the execution paths identified by its research team are designed to trigger during the Next.js devs' normal working routine. One, for example, abuses Visual Studio Code's workspace automation to load files as soon as the dev opens and trusts the project. In these cases, the variants tend to retrieve a JavaScript loader from Vercel and execute it using Node.js, then begin beaconing to attacker-controlled command-and-control (C2) infrastructure for further tasking.
Other paths involve the targeted developers running the project's development server either directly or via npm run dev, where malicious logic embedded in trojanized assets or modified libraries (such as altered frontend files) retrieves and executes the loader. Others rely on victims starting the application's backend, triggering preloaded logic hidden in backend modules during server initialization or module import.
Regardless of the path taken, the end result is always to register the affected device, run the JavaScript loader, and establish a connection with the attacker's C2 infrastructure. Using a separate C2 IP address and API set handed off by the initial stage, the controller retrieves a messages[] array of JavaScript tasks and executes them in memory using a separate Node interpreter to reduce on-disk artifacts. This process also allows for data exfiltration. On developer machines, this could include anything from personal data to source code, secrets, or cloud resources.
Besides receiving the attacker's instructions, the controller can rotate its identifiers to stop anti-malware tools and human defenders from spotting patterns of suspicious activity, Microsoft said. It also obeys kill-switch or shutdown commands, tracks the processes it spawns so that performance problems don't tip off the victim, and reports error telemetry so the attackers can fix commands that fail.
The projects are distributed by miscreants under the guise of hiring-process assignments, with developers asked to complete coding tasks as part of a job application. And while it's hard to imagine targeted devs completing such interview assessments on a corporate machine, Microsoft warned that doing so could expose an organization to a wider compromise.
It added: "The key takeaway is that defenders should treat developer workflows as a primary attack surface and prioritize visibility into unusual Node execution, unexpected outbound connections, and follow-on discovery or upload behavior originating from development machines."
This campaign represents a significant evolution in supply chain attacks targeting the JavaScript ecosystem. Unlike traditional npm package compromises that affect multiple downstream projects, these malicious repositories are highly targeted, appearing to focus specifically on Next.js developers who may be actively seeking employment opportunities.
The sophistication of the attack vectors is particularly concerning. By abusing Visual Studio Code's workspace automation, attackers can execute malicious code before a developer even has a chance to review the repository's contents. The use of in-memory execution techniques makes detection more difficult, as traditional file-based scanning methods may miss the malicious activity entirely.
For developers, the implications are clear: exercise extreme caution when accepting coding challenges from unknown sources, particularly those that require running development servers or trusting workspace configurations. Organizations should consider implementing additional controls around developer workstations, including network monitoring for unusual outbound connections and behavioral analysis to detect anomalous Node.js execution patterns.
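As an added example (not code from Microsoft's report or from any project named here), the following pre-open audit covers the execution paths described above and the controls recommended here: run over a cloned challenge repository before opening it in VS Code or running npm install, it lists the hooks that execute without an explicit command (the VS Code runOn: folderOpen task option and npm lifecycle scripts) and flags dev scripts that are not plain next dev or that shell out to inline Node or a downloader. The file paths checked and the sample contents are assumptions constructed for the example, not campaign artefacts.

```python
"""Pre-open audit of a cloned repo: list hooks that run code without the developer asking."""
import json
import re
from pathlib import Path
# Shell fragments that download or evaluate code at run time; every hit needs a human look.
INLINE_EXEC = re.compile(r"\b(node\s+-e|curl\b|wget\b|iwr\b)", re.I)
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # fire during `npm install`
EXPECTED_DEV = re.compile(r"^\s*next\s+dev\b")  # what a clean Next.js dev script starts with

def flag_vscode_tasks(text: str) -> list[str]:
    """Findings for .vscode/tasks.json: tasks auto-run on folderOpen or shelling out to fetch/eval."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:  # tasks.json may be JSONC; never skip it silently
        return ["tasks.json: not plain JSON (comments?); review manually"]
    findings = []
    for task in data.get("tasks", []):
        label = task.get("label", "<unnamed>")
        command = " ".join(str(p) for p in [task.get("command", "")] + task.get("args", []))
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"tasks.json: task '{label}' runs automatically on folderOpen")
        if INLINE_EXEC.search(command):
            findings.append(f"tasks.json: task '{label}' runs inline/remote code: {command}")
    return findings

def flag_npm_scripts(text: str) -> list[str]:
    """Findings for package.json: lifecycle hooks, a non-standard dev script, inline fetch/eval."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except json.JSONDecodeError:
        return ["package.json: unparsable; review manually"]
    findings = []
    for name, cmd in scripts.items():
        if name in LIFECYCLE:
            findings.append(f"package.json: lifecycle hook '{name}' runs on install: {cmd}")
        elif name == "dev" and not EXPECTED_DEV.match(cmd):
            findings.append(f"package.json: 'dev' is not plain next dev: {cmd}")
        elif INLINE_EXEC.search(cmd):
            findings.append(f"package.json: script '{name}' fetches/evals inline: {cmd}")
    return findings

def audit_repo(root: Path) -> list[str]:
    """Run both checks over a checkout; an empty list means nothing auto-runs on open or install."""
    checks = ((".vscode/tasks.json", flag_vscode_tasks), ("package.json", flag_npm_scripts))
    return [f for rel, fn in checks if (root / rel).is_file()
            for f in fn((root / rel).read_text(encoding="utf-8"))]

# Constructed samples (not campaign artefacts); try e.g. flag_vscode_tasks(SAMPLE_TASKS).
SAMPLE_TASKS = json.dumps({"tasks": [{"label": "setup", "command": 'node -e "<loader placeholder>"',
                                      "runOptions": {"runOn": "folderOpen"}}]})
SAMPLE_PACKAGE = json.dumps({"scripts": {"dev": "next dev", "postinstall": "node scripts/setup.js"}})
```

A hit is a prompt for review rather than a verdict: a custom dev server or a legitimate postinstall step will also be listed, which is the point of looking before anything runs.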
Microsoft's warning serves as a reminder that the modern software supply chain extends beyond package managers and build tools - it now includes the very workflows and tools developers use every day. As attackers continue to innovate, defenders must adapt their strategies to protect not just code, but the entire development lifecycle.