Malicious Next.js Repositories Target Developers Through Fake Recruitment Projects
A coordinated campaign is targeting software developers through poisoned Next.js repositories disguised as technical assessments and job-related coding challenges.
The operation relies on social engineering rather than traditional exploitation. Developers are lured into cloning and running what appears to be a legitimate project. Once executed, the code establishes outbound communication to attacker-controlled infrastructure, effectively handing over remote access.
How the Campaign Works
The attack was uncovered after security telemetry revealed suspicious outbound connections initiated by Node.js processes on developer machines.
Investigation traced the activity back to malicious repositories hosted on public code platforms. These repositories mimicked legitimate project structures and included naming conventions such as:
Cryptan
RoyalJapan
JP-soccer
SettleMint
Variants labeled demo, master, platform, server
The repositories shared similar loader logic and execution chains, indicating coordinated infrastructure.
Three Execution Paths – One Outcome
Although the delivery methods differ, all execution paths ultimately retrieve and execute attacker-controlled JavaScript at runtime.
1. VS Code Workspace Abuse
When a developer opens the project and trusts the folder, a preconfigured tasks.json file triggers automatic Node.js execution.
The script fetches a remote loader and initiates communication with command-and-control infrastructure.
2. npm run dev Trigger
Starting the development server executes modified frontend assets that decode hidden URLs and retrieve the same malicious loader.
3. Backend Startup Injection
On server initialization, hidden logic extracts encoded endpoints from configuration files, transmits environment variables — including API keys and tokens — and executes remote payloads.
Regardless of entry point, the result is:
System profiling
Periodic beaconing to C2
Remote task execution
File collection and staged exfiltration
Why Developer Machines Are High-Value Targets
Developer endpoints often contain:
Source code
Cloud API keys
Environment secrets
Database credentials
CI/CD access tokens
Compromising a developer workstation is frequently a shortcut to compromising the entire organization.
This represents a supply-chain pivot. Instead of attacking production directly, attackers embed themselves inside the development workflow.
DIAMATIX Perspective
This campaign reflects a broader trend: execution blending into legitimate workflows.
The attack does not rely on exploiting a vulnerability in Next.js itself. It relies on trust.
When malicious logic is embedded in what appears to be normal project structure, traditional perimeter defenses may not trigger alerts.
Security controls should shift focus toward:
Restricting automatic workspace execution
Monitoring unusual Node.js outbound connections
Enforcing strong authentication on developer accounts
Eliminating production secrets from local development machines
Applying attack surface reduction rules for obfuscated scripts
Supply chain risk now includes repositories that look harmless.
Development environments are part of the attack surface.
Recommended Defensive Actions
Organizations should:
Enable Visual Studio Code Workspace Trust and Restricted Mode
Monitor Node.js network connections
Implement conditional access for developer identities
Enforce credential hygiene and secret rotation
Validate external repositories before execution
Security teams should treat unverified repositories as potential execution vectors.
Sources
Information based on public reporting and technical analysis released by Microsoft security researchers and industry cybersecurity reporting platforms.