In a campaign linked to North Korea's fictitious job-recruitment scams, attackers are targeting developers with malicious Next.js repositories to carry out remote code execution (RCE) and establish a persistent command-and-control (C2) channel on infected machines. Microsoft raised the alarm about the activity, which distributes malicious repositories under the guise of authentic Next.js projects and technical evaluation materials.

Researchers from the Microsoft Defender Security Research Team and Microsoft Defender Experts found multiple Trojanized repositories that provided distinct ways to deliver a backdoor to compromise developer systems. "The campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control," the two Microsoft security teams wrote in a blog post on Tuesday.

The researchers observed that the activity "aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution," a cluster associated with North Korea's Lazarus APT, though they stopped short of explicitly attributing the campaign to North Korea. The latest discovery of weaponized Next.js repositories underscores threat actors' persistent focus on developers as a route to establishing an espionage channel and, more broadly, to contaminating the software supply chain.

To counter this, Microsoft states that DevSecOps leaders and security operations teams "should treat developer workflows as a privileged attack surface, integrating IDE trust policies, behavioral analytics, and continuous monitoring into broader threat detection and response programs." Organizations can accomplish this by prioritizing visibility into unexpected Node.js execution patterns and anomalous outbound connections from developer endpoints; implementing attack surface reduction rules via Microsoft Defender for Endpoint to constrain risky script execution behaviors; and enforcing stringent trust policies for IDEs such as Visual Studio Code.