Exposed: A Next.js Job Interview Test That Backdoors Developers’ Devices

A coordinated campaign is targeting software developers with job-themed bait: malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruitment coding tests.

The main objective of the attackers is to achieve remote code execution (RCE) on developer machines, steal sensitive data, and introduce additional malicious payloads on compromised systems.

Next.js is a widely used JavaScript framework for building web applications; it runs on top of React and uses Node.js for the backend.

According to the Microsoft Defender team, the attackers have created fake web app projects built with Next.js, disguising them as coding projects to share with developers during job interviews or technical assessments.

Researchers initially identified a single repository hosted on Bitbucket, but later found multiple repositories sharing the same code structure, loader logic, and naming patterns.

When a target clones the repository and opens it on their local machine following a standard development workflow, they unknowingly trigger malicious JavaScript that runs automatically when the app is launched.

This script downloads additional malicious code (a JavaScript backdoor) from the attacker’s server and runs it directly in memory within the running Node.js process, enabling remote code execution on the machine.

To increase the infection rate, the attackers have embedded multiple execution triggers within the malicious repositories. These triggers include a VS Code trigger, a dev server trigger, and a backend startup trigger.

The infection process involves dropping a JavaScript payload (Stage 1) that profiles the host and connects to a command-and-control (C2) endpoint, checking for tasks and executing supplied JavaScript in memory.

The infection then progresses to a tasking controller (Stage 2) that connects to a separate C2 server, executes provided JavaScript in memory, and supports functions like file enumeration, directory browsing, and staged file exfiltration.

Microsoft has noted that the campaign involves multiple repositories with similar characteristics, indicating a coordinated effort rather than a one-time attack.

Developers are advised to treat routine workflows such as cloning and running a repository as a high-risk attack surface and to take precautions accordingly. Recommendations include enforcing VS Code Workspace Trust/Restricted Mode, using Attack Surface Reduction (ASR) rules, and monitoring risky sign-ins with Entra ID Protection.

It is also recommended to minimize secrets stored on developer endpoints and use short-lived tokens with the least required privileges whenever possible.
