Find notable cyber news and cases, enriched with sources, timelines, and signals.

North Korea fake job-recruitment campaign using malicious Next.js repositories

Campaign
First reported
Last updated
Happening score
H score 44
1 unique sources, 1 articles

Summary

Hide ▲

The North Korea-linked campaign now targets developers with malicious Next.js repositories, creating remote code execution and a persistent C2 channel on infected systems. The lures pose as legitimate projects and technical assessment materials, increasing the chance that victims will open or run the code. The risk matters because the operation can expose source code, secrets, and access to build or cloud resources.

Related Happenings

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

UNC1069 open-source maintainer social-engineering campaign

Campaign
H score38 First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

StoatWaffle malware distributed through malicious VS Code projects

Malware Activity
H score29 First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: The **StoatWaffle** malware is being delivered through malicious **VS Code projects**, creating a live risk of **credential theft** and **remote command execution** on developer s...

OFAC sanctions DPRK IT worker scheme network

Regulatory/Legal Action
H score32 First: 18.03.2026 19:26 Last: 18.03.2026 19:26 Sources 1

About this happening: **OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
H score35 First: 17.03.2026 23:42 Last: 17.03.2026 23:42 Sources 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Timeline

  1. 25.02.2026 18:42 2 articles · 4mo ago

    Microsoft discloses North Korea-linked malicious Next.js repository campaign

    Initial Disclosure

    Microsoft disclosed a North Korea-linked campaign targeting developers with malicious Next.js repositories disguised as legitimate projects and technical assessment materials, using execution paths that can trigger remote code execution on developer systems and establish persistent command-and-control channels. Microsoft Defender flagged suspicious outbound connections from Node.js processes to attacker-controlled infrastructure and traced the activity to Trojanized repositories that abuse Visual Studio Code workspace automation or embedded malicious logic, with the stated objective of reaching source code, environment secrets, and access to build or cloud resources.

    Show sources