Ethical Hacking News

A Global Supply Chain Attack: How Fake Next.js Job Repos Deliver In-Memory Malware



A global supply chain attack has been uncovered, where fake Next.js job repos are used to deliver in-memory malware. North Korean actors have leveraged legitimate developer platforms to execute a coordinated campaign targeting developers worldwide. The report highlights the importance of securing developer workflow trust boundaries and using reputable security tools and platforms to prevent such threats.

  • Threat actors used fake Next.js job repos to deliver in-memory malware.
  • The attack was linked to North Korean threat actors, with multiple entry points leading to the same outcome.
  • Legitimate developer platforms like Bitbucket were leveraged to spread malware.
  • Visual Studio Code workspace automation configuration was used to run malicious code.
  • Build-time execution during application development was also exploited.
  • Environment exfiltration and dynamic remote code execution were used in the attack.
  • Cybersecurity experts emphasize securing developer workflow trust boundaries, authentication, credential hygiene, least privilege access, and separating build infrastructure.


  • Threat Intelligence Report Reveals Coordinated Attack Campaign Targeting Developers Worldwide, With North Korean Actors Leveraging Legitimate Developer Platforms to Spread Malware


    A recent report by Microsoft's Defender Security Research Team has shed light on a coordinated attack campaign targeting developers worldwide, with the malicious actors using fake Next.js job repos to deliver in-memory malware. The attack, which has been linked to North Korean threat actors, is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).


    The attackers, who have leveraged legitimate developer platforms like Bitbucket, used repository names such as "Cryptan-Platform-MVP1" to trick job-seeking developers into running the projects as part of a purported assessment process. Further analysis of the identified repositories uncovered three distinct execution paths that, while triggered in different ways, share the end goal of executing attacker-controlled JavaScript directly in memory.


    The first path relies on Visual Studio Code workspace automation configuration to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. The task is configured with runOn: "folderOpen", so it executes automatically once the developer opens and trusts the folder, with no further interaction required.


    In addition to the Visual Studio Code path, the attackers also used build-time execution during application development: manually running the development server via "npm run dev" is enough to trigger malicious code embedded in a modified JavaScript library masquerading as jquery.min.js. The retrieved payload is then executed in memory by Node.js.


    The third path combines environment exfiltration with dynamic remote code execution triggered by server startup: launching the application backend causes malicious loader logic concealed within a backend module or route file to run. This loader transmits the process environment to an external server and executes the JavaScript received in the response in memory, inside the Node.js server process.


    In light of this report, cybersecurity experts have emphasized the importance of securing developer workflow trust boundaries, enforcing strong authentication and conditional access, maintaining strict credential hygiene, applying the principle of least privilege to developer accounts, and separating build infrastructure where feasible. The use of legitimate developer platforms like Bitbucket has also been highlighted as a potential vulnerability in this attack campaign.


    GitLab, which banned 131 unique accounts engaged in distributing malicious code projects linked to the Contagious Interview campaign, noted that threat actors typically originated from consumer VPNs when interacting with GitLab.com to distribute malware. The platform's Oliver Smith stated that in almost 90% of cases, threat actors created accounts using Gmail email addresses.


    Furthermore, GitLab discovered a private project "almost certainly" controlled by a North Korean national managing a North Korean IT worker cell that contained detailed financial and personnel records showing earnings of more than $1.64 million between Q1 2022 and Q3 2025. The project included over 120 spreadsheets, presentations, and documents tracking quarterly income performance for individual team members.


    This report highlights the evolving nature of supply chain attacks, where malicious actors are increasingly leveraging legitimate developer platforms to spread malware. As cybersecurity experts emphasize the importance of vigilance in protecting against such threats, it is clear that the use of reputable security tools and platforms will be crucial in preventing the spread of such malicious campaigns.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Supply-Chain-Attack-How-Fake-Nextjs-Job-Repos-Deliver-In-Memory-Malware-ehn.shtml

  • https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html

  • https://cybersecuritynews.com/malicious-next-js-repositories/


  • Published: Thu Feb 26 05:39:13 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.