Fake 'interview' repos lure Next.js devs into running secret-stealing malware

The Register
February 25, 2026
AI-Generated Deep Dive Summary
Hackers are targeting Next.js developers with malicious GitHub repositories that look legitimate and deliver secret-stealing malware. Microsoft identified these fake "interview" repos as a new attack vector: the projects are disguised to mimic a real hiring process. The repositories use several methods to execute malicious JavaScript during a developer's routine tasks, such as opening a VS Code workspace or running npm commands. Once executed, the malware establishes communication with attacker-controlled command-and-control (C2) infrastructure, enabling exfiltration of personal information, source code, secrets, or cloud credentials. The attacks are designed to blend in seamlessly with normal development workflows.

For instance, one variant triggers when a developer opens the project in VS Code and trusts it, executing a JavaScript loader retrieved from Vercel. Other variants embed the malicious logic in assets or backend modules, where it activates when the development server is started with a command like `npm run dev` or during backend initialization. All of these paths lead to the same outcome: a hidden connection to the attacker's C2 infrastructure that waits for further instructions.

The malware also employs advanced techniques to evade detection. The C2 controller rotates its identifiers and tracks processes to avoid raising suspicion, while in-memory execution minimizes on-disk traces, making it harder for anti-malware tools and defenders to spot unusual activity. This persistence lets attackers maintain long-term access, exfiltrate sensitive data, or run malicious tasks without degrading the infected machine's performance. The