www.darkreading.com 2/25/2026, 5:47:08 PM · via preferred

North Korea plants RCE and C2 in fake Next.js interview repos

CyberSIXT Evidence Panel
Threat Actor
Lazarus (North Korea)

Malicious Next.js repositories are being used to target developers with fake job interviews, delivering remote code execution and establishing a persistent command-and-control channel on infected machines. Microsoft sounded the alarm, noting that trojanized repos masquerade as legitimate Next.js projects and technical assessments to inject attacker-controlled JavaScript.

According to Microsoft, the campaign uses multiple entry points that converge on runtime retrieval and local execution, then transition into staged C2 activity. More broadly, the effort is linked to North Korea: researchers describe a cluster of threats that use job-themed lures to facilitate code execution and spying, a pattern associated with Lazarus APT activity.

North Korean actors have previously targeted developers with similar “interview project” schemes, which aim to exfiltrate data and poison the software supply chain. The researchers flagged suspicious outbound Node.js connections to attacker-controlled infrastructure traced to Next.js repositories exhibiting the same malicious behaviour.

The development community is urged to treat developer workflows as a privileged attack surface and to bolster IDE trust policies, behavioural analytics, and constant monitoring as part of threat detection and response.


Article by CyberSIXT
