North Korea fake job-recruitment campaign using malicious Next.js repositories
Campaign
Summary
The North Korea-linked campaign now targets developers with malicious Next.js repositories, creating remote code execution and a persistent C2 channel on infected systems. The lures pose as legitimate projects and technical assessment materials, increasing the chance that victims will open or run the code. The risk matters because the operation can expose source code, secrets, and access to build or cloud resources.
Related Happenings
UNC1069 open-source maintainer social-engineering campaign
Campaign
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
StoatWaffle malware distributed through malicious VS Code projects
Malware Activity
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
The **StoatWaffle** malware is being delivered through malicious **VS Code projects**, creating a live risk of **credential theft** and **remote command execution** on developer s...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Anxun Information Technology (i-Soon) internal operations and toolkit leak
Data Leak
First: 17.03.2026 20:41
Last: 17.03.2026 20:41
Sources 1
About this happening:
In **mid-February 2024**, **Anxun Information Technology (i-Soon)** suffered a **data leak** that exposed its **internal operations** and **offensive toolkit**, revealing details...
Timeline
- 25.02.2026 18:42 · 2 articles
Microsoft discloses North Korea-linked malicious Next.js repository campaign
Initial Disclosure: Microsoft disclosed a North Korea-linked campaign targeting developers with malicious Next.js repositories disguised as legitimate projects and technical assessment materials, using execution paths that can trigger remote code execution on developer systems and establish persistent command-and-control channels. Microsoft Defender flagged suspicious outbound connections from Node.js processes to attacker-controlled infrastructure and traced the activity to Trojanized repositories that abuse Visual Studio Code workspace automation or embedded malicious logic, with the stated objective of reaching source code, environment secrets, and access to build or cloud resources.
Sources:
- Malicious Next.js Repos Target Developers Via Fake Job Interviews — www.darkreading.com — 25.02.2026 18:42