This campaign is a social engineering attack where threat actors, identified as the Lazarus Group, pose as recruiters and deliver malicious coding tests disguised as legitimate Next.js projects [microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/). The attack vector exploits developer workflows by embedding multiple execution triggers within the repositories, such as malicious `next.config.js` files or VS Code task configurations, which automatically download and execute a JavaScript backdoor in memory upon project launch or build [dzentota.medium.com](https://dzentota.medium.com/reverse-engineering-the-next-js-job-interview-malware-targeting-lastpass-crypto-de79b60a4edb), [cysecurity.news](https://www.cysecurity.news/2026/01/north-korean-hackers-abuse-vs-code.html). The primary mitigation is user awareness and rigorous vetting of unsolicited technical assessments, as the threat is not a software vulnerability but a coordinated campaign leveraging trusted platforms like GitHub, npm, and PyPI [rescana.com](https://www.rescana.com/post/lazarus-group-targets-npm-pypi-and-github-developers-with-fake-job-recruiter-malware-campaign).
Fake Next.js job interview tests backdoor developer's devices By Bill Toulas February 25, 2026 04:47 PM 0 A coordinated campaign targeting software developers with job-themed lures is using malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests. The attacker's goal is to achieve remote code execution (RCE) on developer machines, exfiltrate sensitive data, and introduce additional payloads on compromised systems. Multiple execution triggers Next.js is a popular JavaScript framework used for building web applications. It runs on top of React and uses Node.js for the backend. The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments. The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns. When the target clones the repository and opens it locally, following a standard workflow, they trigger malicious JavaScript that executes automatically when launching the app. The script downloads additional malicious code (a JavaScript backdoor) from the attacker's server and executes it directly in memory with the running Node.js process, allowing remote code execution on the machine. Overview of the attack chain Source: Microsoft To increase the infection rate, the attackers embedded multiple execution triggers within the malicious repositories, Microsoft explained . These are summarized as follows: VS Code trigger – A .vscode/tasks.json file set with runOn: "folderOpen" executes a Node script as soon as the project folder is opened (and trusted). Dev server trigger – When the developer runs npm run dev, a trojanized asset (e.g., a modified JS library) decodes a hidden URL, fetches a loader from a remote server, and executes it in memory. Backend startup trigger – On server start, a backend module decodes a base64 endpoint from .env, sends process.env to the attacker, receives JavaScript in response, and executes it using new Function(). The infection process drops a JavaScript payload (Stage 1) that profiles the host and registers with a command-and-control (C2) endpoint, polling the server at fixed intervals. The infection then upgrades to a tasking controller (Stage 2) that connects to a separate C2 server, checks for tasks, executes supplied JavaScript in memory, and tracks spawned processes. The payload also supports file enumeration, directory browsing, and staged file exfiltration. Stage 2's server polling function Source: Microsoft Microsoft found that the campaign involved multiple repositories that shared naming conventions, loader structure, and staging infrastructure, indicating a coordinated effort rather than a one-off attack. Aside from the technical analysis, the researchers did not provide any details about the attacker or the extent of the operation. The tech giant advises that developers should treat standard workflows as the high-risk attack surfaces they really are and take appropriate precautions. The recommended mitigations include enforcing VS Code Workspace Trust/Restricted Mode, using Attack Surface Reduction (ASR) rules, and monitoring risky sign-ins with Entra ID Protection. Secrets stored on developer endpoints should be minimized, and short-lived tokens with the least required privileges should be used where possible. The future of IT infrastructure is here Modern IT infrastructure moves faster than manual workflows can handle. In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use. Get the guide Related Articles: Malicious AI extensions on VSCode Marketplace steal developer data Windows 11 KB5077241 update improves BitLocker, adds Sysmon tool Windows 11 KB5074105 update fixes boot, sign-in, and activation issues Microsoft adds Copilot data controls to all storage locations Spain arrests suspected hacktivists for DDoSing govt sites