
North Korean Hackers Target Devs with Fake Next.js Jobs

Eng. Donya Bino Published  ·  5 min read

North Korean-linked hackers are running a slick, persistent operation that turns the job hunt into a security nightmare for developers. They have created phony repositories (usually disguised as Next.js projects with coding assessments) to deceive individuals into downloading harmful code, which then gives the attacker access to the victim's machine for an extended period. Microsoft's Defender Security Research Team presented a comprehensive analysis of this operation that revealed it to be a well-organized scam blended into normal daily developer activities.

The goal? Sneak in attacker-controlled JavaScript at runtime, set up command-and-control (C2), and eventually turn that initial foothold into persistent, low-footprint access.

The lures are straightforward but effective: threat actors create bogus repos on platforms like Bitbucket with enticing names (think "Cryptan-Platform-MVP1") and pitch them as part of a job interview process. Developers eager to impress clone the repo, open it, and unwittingly trigger one of several execution paths, all leading to the same malicious JavaScript payload fetched from a Vercel-hosted domain and run directly in memory.

**Microsoft outlined three distinct ways that code can be executed:**

1. **VS Code workspace magic.** The project ships with a `.vscode/tasks.json` file that defines a task with `runOn: "folderOpen"`. When a developer opens the folder and confirms the workspace as trusted, VS Code automatically executes that task, which retrieves and runs the remote JavaScript.

2. **Build-time surprise.** Running the standard `npm run dev` command (a reflex for most Next.js devs) activates hidden malicious logic inside altered libraries pretending to be something innocent like `jquery.min.js`. It fetches a loader from Vercel, executes it in Node.js memory, and off it goes.

3. **Server startup hook.** Launching the backend server executes concealed loader code in a route or module file. This exfiltrates the process environment variables to an external server and then runs whatever JavaScript comes back, in memory of course.

Once the initial payload lands, it profiles the machine, polls a registration endpoint for a unique instance ID (to keep track of victims), and sets up a resilient Stage 2 controller. That controller handles tasking from a separate C2 server, executes commands in memory (minimizing disk artifacts), reports errors, retries failed actions, tracks child processes, and even cleans up gracefully when told to stop. The attackers also support on-demand discovery and data exfiltration, making developer machines, full of source code, API keys, secrets, and credentials, prime pivots into bigger networks.

Microsoft stops short of firm attribution but notes that the heavy use of VS Code tasks and Vercel for staging mirrors tactics seen in the long-running Contagious Interview campaign, widely linked to North Korea-affiliated actors. These operations often chase both espionage and financial gain, especially cryptocurrency-related theft.

Other researchers have spotted related evolutions. Abstract Security highlighted a recent shift: attackers are moving away from direct Vercel URLs in VS Code tasks, opting instead for GitHub Gists (gist.githubusercontent.com) or URL shorteners like short.gy to mask them. They've also tied in a malicious npm package called eslint-validator, which pulls an obfuscated BeaverTail payload from Google Drive. Red Asgard observed even craftier resilience: some payloads query the Polygon blockchain to fetch JavaScript hidden in an NFT contract.

GitLab recently took action, banning 131 accounts tied to this campaign and the related Wagemole fraudulent IT worker scheme. Most accounts originated from consumer VPNs, though some used dedicated VPS or laptop-farm IPs. Nearly 90% used Gmail addresses, and in over 80% of cases, attackers leaned on legitimate services to host payloads (Vercel topping the list at 49 instances in 2025): think JSON Keeper, Mocki, npoint.io, Render, and Railway.app.

GitLab also uncovered a private project almost certainly run by a North Korean national overseeing an IT worker cell. It contained detailed financials and personnel records showing earnings exceeding $1.64 million from Q1 2022 through Q3 2025, complete with spreadsheets tracking individual performance: clear evidence of structured, hierarchical operations with global facilitators for money laundering resilience.

Okta has observed that while most fake IT worker interviews fizzle out quickly, the more skilled actors are adapting, landing temporary contracts at companies with lax background checks. It's a kind of adversarial natural selection: the best personas rack up hundreds of interviews.

Microsoft sums it up well: a recruiting-themed "interview project" can swiftly become a reliable remote code execution path when it masquerades as normal workflow, whether that is opening a repo, firing up the dev server, or starting the backend.

**Defenses to consider**

Organizations should tighten trust boundaries in dev environments, enforce strong auth and conditional access, practice strict credential hygiene, apply least privilege to dev accounts and build identities, and isolate build infrastructure when possible. For individual devs: treat unsolicited coding tests with healthy suspicion, especially if they push you to run code locally without sandboxing.

In the cat-and-mouse game of supply-chain and social-engineering attacks, this one's particularly insidious because it exploits trust in tools and processes we use every day.

**Source:** *[The Hacker News](https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html)*


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067