Malicious Next.js Repos Target Developers Via Fake Job Interviews

Dark Reading
by Elizabeth Montalbano
February 25, 2026
AI-Generated Deep Dive Summary
Malicious actors have launched a sophisticated cyber campaign targeting developers through fake job interviews, leveraging malicious Next.js repositories to gain remote code execution (RCE) and establish persistent command-and-control (C2) channels. Microsoft has identified this activity as part of a broader cluster of threats linked to North Korea's Lazarus APT group, which has long targeted developers with job-themed lures. These campaigns often involve sending infected repositories or technical assessment materials that, when executed by developers during the interview process, install malicious code on their systems.

The malicious repositories are designed to blend seamlessly into routine developer workflows. For instance, some abuse Visual Studio Code's workspace automation features, while others embed obfuscated code directly into development assets. When developers run standard build commands or start a server, the disguised code decodes and fetches additional payloads, leading to the execution of attacker-controlled JavaScript that establishes persistent C2 connections. This allows attackers to exfiltrate data or carry out further malicious activity.

The ultimate goal of these campaigns is to compromise developer systems, which often contain high-value assets like
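A static check a developer could run over an unfamiliar repository before opening or building it, as an added example that is not from the article or from Microsoft's report. It assumes the workspace automation in question is a VS Code task set to run on `folderOpen` (the summary does not name the mechanism), and the rule names, the decode-and-execute heuristic and the sample files are constructed for illustration.

```javascript
// Added example: static pre-open audit of an untrusted repository.
// Input is a map of relative path -> file text; nothing is executed.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"]; // npm hooks that run on `npm install`
// Heuristic (assumption): decode-then-execute patterns in build/config files.
const DECODE = /atob\s*\(|Buffer\.from\s*\([^)]*base64/;
const EXEC = /\beval\s*\(|new\s+Function\s*\(|child_process/;

function parseJson(text) {
  try { return JSON.parse(text); } catch { return null; }
}

function auditRepoFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".vscode/tasks.json")) {
      const doc = parseJson(text);
      if (!doc) {
        // tasks.json may contain comments; do not treat a parse failure as clean.
        findings.push({ path, rule: "tasks-unparsed" });
        continue;
      }
      for (const task of doc.tasks || []) {
        if (task.runOptions && task.runOptions.runOn === "folderOpen") {
          findings.push({ path, rule: "vscode-autorun", detail: task.label || "" });
        }
      }
    } else if (path.endsWith("package.json")) {
      const scripts = (parseJson(text) || {}).scripts || {};
      for (const name of LIFECYCLE) {
        if (scripts[name]) findings.push({ path, rule: "npm-lifecycle", detail: name });
      }
    } else if (/\.(c|m)?js$/.test(path) && DECODE.test(text) && EXEC.test(text)) {
      findings.push({ path, rule: "decode-and-exec" });
    }
  }
  return findings;
}

// Constructed sample repository (not taken from the campaign).
const sampleRepo = {
  ".vscode/tasks.json": JSON.stringify({ version: "2.0.0", tasks: [
    { label: "setup", type: "shell", command: "node scripts/init.js",
      runOptions: { runOn: "folderOpen" } }] }),
  "package.json": JSON.stringify({ scripts: { dev: "next dev", prepare: "node scripts/init.js" } }),
  "next.config.js": "const s = Buffer.from(process.env.K || '', 'base64').toString(); eval(s);",
  "pages/index.js": "export default function Home() { return null; }",
};

console.log(auditRepoFiles(sampleRepo));
```

A finding is a prompt for manual review, not a verdict: legitimate projects also use `prepare` scripts and auto-run tasks, and a clean result does not make an untrusted repository safe to run outside an isolated environment.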
Originally published on Dark Reading on 2/25/2026