Full Report
A "coordinated developer-targeting campaign" is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines. "The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code
Analysis Summary
# Tool/Technique: Developer-Targeting In-Memory Malware Campaign
## Overview
A coordinated campaign targets software developers by hosting malicious repositories disguised as legitimate Next.js projects or technical assessments on developer platforms (like Bitbucket). The primary goal is to trick victims into executing the code, leading to the download and in-memory execution of attacker-controlled JavaScript, establishing persistent C2 access.
## Technical Details
- Type: Technique/Malware Delivery Mechanism
- Platform: Windows (implied from the VS Code context; the payload targets the Node.js runtime)
- Capabilities: Execution via VS Code automation, build-time execution, environment exfiltration, dynamic remote code execution in memory.
- First Seen: Prior to February 26, 2026 (Reported date)
## MITRE ATT&CK Mapping
The execution paths described align with several initial access and execution techniques:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (could apply if repositories are considered external code sources)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.006 - Command and Scripting Interpreter: Python (if general scripting/Node.js is involved)
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (implied by the goal of establishing persistent access, though the specific persistence mechanism isn't detailed beyond C2 polling)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (used for C2 polling and fetching payloads)
## Functionality
### Core Capabilities
- **Initialization/Profile:** The initial JavaScript payload profiles the host machine.
- **Registration:** Periodically polls a registration endpoint to obtain a unique `instanceId` for correlating activity.
- **Dynamic Code Loading:** Capable of executing server-provided JavaScript code directly in memory within the Node.js process.
- **Controller Hand-off:** Establishes a second-stage controller for receiving tasks, maintaining stability, and implementing retry logic.
### Advanced Features
- **In-Memory Execution:** The primary technique is retrieving and executing JavaScript payloads directly in memory, minimizing disk artifacts.
- **Workflow Integration:** Exploits trust mechanisms within developer environments (VS Code workspace configuration, `npm run dev`).
- **Environment Exfiltration:** One path involves transmitting the host's process environment variables to an external server dynamically.
- **Resilience:** The Stage 2 controller includes error telemetry posting and retry logic for stability.
## Indicators of Compromise
*Note: Specific hashes/domains are not provided in the summary context, only the mechanism.*
- File Hashes: [Not provided/Not applicable to the transient memory payload]
- File Names: Modified files masquerading as `jquery.min.js`.
- Registry Keys: [Not specified]
- Network Indicators: C2 traffic directed toward domains hosted on **Vercel** (used for staging and initial payload retrieval). A distinct C2 server handles follow-on tasking.
- Behavioral Indicators:
  - Execution of attacker-controlled JavaScript via VS Code `runOn: "folderOpen"` tasks upon opening a project.
  - Execution of `npm run dev` triggering malicious code embedded in dependencies.
  - Node.js process making network connections to retrieve and execute remote scripts in memory.
## Associated Threat Actors
- Not explicitly attributed to a specific group, but the tactics used (VS Code tasks, Vercel domains for staging) align with activity attributed to **North Korea-linked hackers** behind the **Contagious Interview** campaign.
## Detection Methods
- Signature-based detection: [Not explicitly detailed, likely requires signatures for the initial malicious configuration files or known Vercel staging domains.]
- Behavioral detection: Monitoring for:
  - Unintended execution of scripts triggered by IDE workspace settings (`.code-workspace` files).
  - Node.js processes fetching and executing remote scripts from suspicious external sources during build/startup.
  - Unexpected outbound connections correlated with file operations (e.g., opening project folders).
- YARA rules if available: [Not provided]
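The behavioral checks above can be partly automated before a project is ever opened: the following added example (not code from the report or the analysed campaign) parses VS Code task definitions from `.vscode/tasks.json` and `.code-workspace` files and flags any task whose `runOptions.runOn` is `"folderOpen"`, the trigger the campaign abuses. The sample task file is constructed; function names are the example's own.

```python
# Added example (not part of the report): flag VS Code tasks that auto-run on folder open,
# the trigger this campaign abuses. Handles .vscode/tasks.json and .code-workspace files.
import json
import re
from pathlib import Path

def strip_jsonc(text: str) -> str:
    """Turn JSONC (comments, trailing commas) into strict JSON, leaving string literals intact."""
    string = r'"(?:\\.|[^"\\])*"'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(rf"{string}|//[^\n]*|/\*.*?\*/", keep_strings, text, flags=re.S)
    return re.sub(rf"({string})|,(\s*[}}\]])", lambda m: m.group(1) or m.group(2), text)

def tasks_from(text: str) -> list:
    """Return the task list; a .code-workspace nests it as {"tasks": {"tasks": [...]}}."""
    tasks = json.loads(strip_jsonc(text)).get("tasks", [])
    return tasks.get("tasks", []) if isinstance(tasks, dict) else tasks

def find_autorun_tasks(text: str) -> list:
    """Return (label, command line) for every task with runOptions.runOn == "folderOpen"."""
    hits = []
    for task in tasks_from(text):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmdline = " ".join(map(str, [task.get("command", ""), *task.get("args", [])]))
            hits.append((task.get("label", "<unlabelled>"), cmdline.strip()))
    return hits

def scan_project(root) -> list:
    """Scan a checked-out project for auto-run tasks in both config locations."""
    root = Path(root)
    candidates = [root / ".vscode" / "tasks.json", *root.glob("*.code-workspace")]
    return [(str(p), label, cmd) for p in candidates if p.is_file()
            for label, cmd in find_autorun_tasks(p.read_text(encoding="utf-8"))]

# Constructed sample tasks.json: one ordinary task and one that launches node on folder open.
SAMPLE_TASKS_JSON = """{
  // comments and trailing commas are legal in VS Code config files
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm", "args": ["run", "lint"]},
    {"label": "setup", "type": "shell", "command": "node", "args": ["./scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"},},
  ],
}"""

if __name__ == "__main__":
    for label, cmdline in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task '{label}' runs: {cmdline}")
```

Independently of this scan, VS Code's `task.allowAutomaticTasks` setting, when set to `"off"`, stops folder-open tasks from running at all.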
## Mitigation Strategies
- **Prevention measures:** Exercise extreme caution when downloading and running code from untrusted or anonymous repositories, even for job assessments.
- **Hardening recommendations:**
  - Restrict or carefully audit permissions for automated execution features embedded in IDE workspaces (e.g., VS Code tasks).
  - Implement strong network segmentation and egress filtering to monitor or block unauthorized connections initiated by development processes (like Node.js).
  - Review dependency trees of projects before running build scripts.
## Related Tools/Techniques
- **Contagious Interview:** Campaign exhibiting similar use of VS Code tasks and external staging services.
- Malicious use of **GitHub Gists** as an alternative staging server, noted in related analysis.