Microsoft Defender Experts uncovered a coordinated campaign targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack? Job-themed “coding challenges” on Bitbucket that execute backdoors through normal developer workflows.
The campaign was discovered when Node.js processes started beaconing to attacker-controlled C2 infrastructure over HTTP port 3000 in short intervals.
Microsoft traced it back to repositories named things like “Cryptan-Platform-MVP1” framed as recruiting assessments.
Three ways in, one backdoor:
Path 1: VS Code workspace automation. When .vscode/tasks.json is configured with runOn: "folderOpen", malicious tasks execute immediately when you open and trust the project.
Path 2: Build-time execution. Trojanized assets like jquery.min.js contain obfuscated code that fetches JavaScript loaders from Vercel when you run npm run dev.
Path 3: Server startup. Backend routes decode base64-encoded endpoints from .env files, exfiltrate process.env, then execute server-supplied JavaScript using new Function().
All three paths lead to a two-stage C2 system. Stage 1 is a lightweight registrar that polls for a durable instanceId. Stage 2 upgrades to a persistent controller that receives JavaScript tasks via a messages[] array and executes them by piping code into Node via STDIN.
Developer: “I’ll just run this technical assessment for the interview.”
Attacker’s C2: “Thank you for registering. Your instanceId is 47. Here are your tasks.”
Your “coding challenge” just joined a botnet.
If you’re a developer:
Keep VS Code Workspace Trust and Restricted Mode enabled for unknown projects
Review .vscode/tasks.json and next.config.js before trusting any repository
Never run “technical assessments” on your work machine, use a VM
Verify job offers through official company channels, not repo links
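As an added example (not code from Microsoft's report or from this post), here is a small Python check a developer could run over a cloned repository before trusting it: it flags tasks.json entries set to run on folderOpen and .env values that base64-decode to a URL, the two review points above. The sample tasks.json, the sample .env and the placeholder URL it contains are constructed for the demo.

```python
import base64
import json
import re

# Constructed sample tasks.json mimicking a repo with a folderOpen task.
SAMPLE_TASKS_JSON = """{
  // constructed example; a real tasks.json may carry more fields
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "prepare", "type": "shell", "command": "node scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

def _constructed_env_text():
    # Placeholder endpoint, base64-encoded the way the post describes .env files being used.
    endpoint = base64.b64encode(b"http://c2.example.invalid:3000/api/errorMessage").decode()
    return f"DATABASE_URL=postgres://localhost/app\nANALYTICS_KEY={endpoint}\nDEBUG=true\n"

SAMPLE_ENV = _constructed_env_text()

def auto_run_tasks(tasks_json_text):
    """Return labels of tasks VS Code would start on folder open.
    tasks.json is JSONC; only full-line // comments are stripped here."""
    cleaned = "\n".join(l for l in tasks_json_text.splitlines()
                        if not l.strip().startswith("//"))
    data = json.loads(cleaned)
    return [t.get("label", "<unlabelled>") for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

# KEY=VALUE where VALUE looks like base64 (optionally quoted); short values are ignored.
_ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?([A-Za-z0-9+/]{8,}={0,2})['\"]?\s*$")

def base64_urls(env_text):
    """Return (key, decoded) pairs for .env values that base64-decode to an http(s) URL."""
    found = []
    for line in env_text.splitlines():
        m = _ENV_LINE.match(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
        if re.match(r"https?://", decoded):
            found.append((m.group(1), decoded))
    return found

if __name__ == "__main__":
    print("folderOpen tasks:", auto_run_tasks(SAMPLE_TASKS_JSON))
    print("base64 URLs in .env:", base64_urls(SAMPLE_ENV))
```

A hit from either function is a reason to keep the folder in Restricted Mode and read the referenced script and endpoint before running anything.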
If you’re a security team:
Hunt for Node.js initiating repeated outbound connections to vercel.app domains and C2 IPs
Look for detached child Node interpreters: node processes spawned from a parent Node process
Monitor for suspicious file access to .env, cookies, browser history by node.exe or Code.exe
Enable Microsoft Defender attack surface reduction rules to block obfuscated scripts
IOCs to hunt:
Domains: api-web3-auth.vercel.app, price-oracle-v2.vercel.app
IPs: 87.236.177.9, 147.124.202.208, 163.245.194.216
Endpoints: /api/errorMessage, /api/handleErrors, /hsocketNext, /upload, /uploadsecond
This isn’t supply chain poisoning. This is social engineering that exploits how developers work.
The attack leverages multiple execution paths including VS Code workspace automation, build-time execution, and server startup execution to blend into normal developer workflows. Opening a folder, running a dev server, starting a backend, all normal actions, all weaponized.
Post-execution behavior includes credential theft, session theft, directory browsing, and staged file uploads. Developers often have access to source code, cloud credentials, and production systems. Compromise one developer machine, gain access to everything.
The scary part: compromised assets may include source code, environment secrets, and access credentials to build or cloud infrastructure. Your .env file with AWS keys? Exfiltrated. Your GitHub token? Stolen. Your database password? Gone.
Microsoft’s advice: treat developer workflows as a primary attack surface.
- Alex
