Hacker Job Lures: Next.js Repositories Turned Into Developer Backdoors
Cybercriminals are planting malicious code in fake coding projects, tricking developers into opening the door to sophisticated, hard-to-detect attacks.
It began with what looked like a promising job opportunity - a coding assessment, a technical project, a new Next.js repository to show off your skills. But behind the familiar workflow and seemingly legitimate files, attackers had set a trap. As developers opened, built, or ran these projects, they unknowingly handed hackers the keys to their systems, exposing sensitive data and risking organizational security. Microsoft’s latest investigation has pulled back the curtain on a chilling new frontier: developer-targeted supply chain attacks hiding in plain sight.
A New Breed of Developer Attacks
Microsoft’s threat intelligence teams identified a wave of attacks where cybercriminals published Next.js repositories disguised as coding tests or demo projects. The targets? Developers, who are often required to clone, open, and run unfamiliar code as part of their daily work or during interviews.
Unlike classic malware, these attacks blend into legitimate workflows. The malicious payloads are triggered by normal actions - opening a project in Visual Studio Code, starting a development server, or running a build script. Attackers rely on files like .vscode/tasks.json to launch Node.js tasks automatically, or on tainted assets like jquery.min.js to fetch and execute attacker-controlled JavaScript in memory. In some cases, cleverly encoded environment variables facilitate remote code execution, stealing sensitive cloud keys and credentials in the process.
The campaign’s infrastructure reveals careful planning: repositories use job-themed names such as “Cryptan”, “JP-soccer”, and “RoyalJapan”, and repeat technical patterns to evade suspicion. Microsoft analysts traced suspicious Node.js processes making repeated outbound connections to attacker infrastructure, uncovering a common multi-stage backdoor. The first stage profiles the developer’s system and establishes persistence; the second stage allows attackers to browse directories, exfiltrate files, and execute arbitrary commands - all without dropping traditional malware files.
What makes this threat uniquely dangerous is its exploitation of developer trust and automation. The attackers understand that developers often grant broad permissions to unfamiliar code, especially in recruitment or collaborative settings, turning routine tasks into a hidden attack surface.
Defense: Trust, Verify, and Monitor
Microsoft urges organizations to treat developer environments as high-value targets and to enforce strict trust boundaries. Visual Studio Code’s Workspace Trust and Restricted Mode should remain enabled for unknown projects, and all automation files should be carefully reviewed before granting trust. Security teams are advised to monitor for unusual Node.js network activity - particularly repeated connections to domains like vercel.app - and to use advanced hunting capabilities to detect suspicious behaviors.
As the lines between software development and cybercrime blur, vigilance is the new job requirement. In a world where even a job interview project can be weaponized, developers and organizations alike must rethink what - and who - they trust.
WIKICROOK
- Next.js: Next.js is a React-based framework for building fast, scalable web applications with server-side rendering and improved SEO.
- Node.js: Node.js is a platform for running JavaScript outside browsers, often on servers. It can be exploited to execute malware or automate attacks.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Visual Studio Code Workspace Trust: Workspace Trust in VS Code limits code execution and tasks in untrusted projects, helping protect users from malicious scripts and unsafe configurations.
- Remote Code Execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.