Microsoft found attackers weaponizing Next.js “technical assessments” that trigger C2 the moment you open the project in VS Code. Three execution paths, same backdoor.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Microsoft Defender Experts uncovered a campaign targeting developers via fake job interview coding challenges hosted on Bitbucket. Malicious Next.js repositories execute backdoors through three paths: VS Code workspace automation via tasks.json, build-time execution through trojanized assets, and server startup via base64-encoded .env endpoints. All paths lead to a two-stage C2 system that registers the victim machine and executes attacker-supplied JavaScript. Post-compromise behavior includes credential theft, session hijacking, and exfiltration of .env secrets like AWS keys and GitHub tokens. Mitigations include using VS Code Restricted Mode, reviewing config files before trusting repos, running assessments in VMs, and monitoring for suspicious Node.js outbound connections.

Fake Job Interviews Are Installing Backdoors on Developer Machines