Microsoft Uncovers Developer-Targeted Campaign Using Malicious Next.js Repositories for C2 Operations

Microsoft Defender Experts and the Microsoft Defender Security Research Team have uncovered a coordinated cyber campaign that specifically targets software developers by distributing malicious Next.js repositories disguised as legitimate projects and technical assessments. The attackers are using job-themed lures (such as “technical assessment” or “recruitment projects”) to trick developers into cloning and running these repositories as part of normal workflows.

How the Campaign Works

The operation uses multiple methods to trigger malicious code execution, all designed to blend into typical development activities:

  1. Visual Studio Code Workspace Automation:
    Some of the repositories include a .vscode/tasks.json file configured to run automatically when the folder is opened in VS Code. Once triggered, this task runs a script that reaches out to attacker infrastructure to fetch and execute malicious JavaScript using Node.js.
  2. Build-Time Execution During Development:
    In other cases, the malicious logic is hidden inside seemingly normal application assets (like a trojanized version of a library). When a developer starts the project (for example with npm run dev), this code executes and fetches further payloads from remote staging servers.
  3. Server Startup Exploitation with Environment Exfiltration:
    Some variants embed loader logic in backend modules or routes that execute when the server starts. These versions decode a base64-encoded endpoint, send the entire environment (including secrets) to an attacker-controlled server, and then dynamically execute JavaScript returned by the attacker, granting remote code execution in memory.

After any of these initial execution paths, the malicious code establishes a staged command-and-control (C2) infrastructure:

  • Stage 1 (Beacon and Registration):
    The first payload acts as a lightweight beacon that registers the infected host with attacker servers and profiles it. It can receive further bootstrap code without ever writing additional files to disk.
  • Stage 2 (C2 Controller and Tasking):
    A second stage connects to separate C2 endpoints and establishes a persistent control loop. This controller regularly polls for commands and can execute arbitrary JavaScript tasks in memory via a Node.js process, allowing the attacker to maintain ongoing control and issue instructions.

Why This Matters

This campaign is particularly dangerous because it hides inside routine developer actions — opening a project, running a build, or starting a server — and then uses those trusted contexts to deliver and execute remote code without obvious artifacts on disk.

Developers’ machines often contain high-value assets, including:

  • Source code for internal projects
  • Environment variables with API keys or cloud credentials
  • Access tokens used for build or CI/CD systems

If a developer machine is compromised, attackers could steal sensitive data, pivot into build and cloud systems, and cause damage well beyond the initial workstation.

Recommendations for Defenders

Microsoft’s guidance includes specific steps to reduce risk and detect this kind of campaign:

  • Treat developer workflows as an attack surface and closely monitor Node.js processes with unexpected outbound connections.
  • Use Visual Studio Code’s Workspace Trust and Restricted Mode to prevent automatic script runs in untrusted folders.
  • Restrict build-time and workspace automation script execution, especially on developer machines.
  • Enable attack surface reduction rules and reputation-based protections in Microsoft Defender for Endpoint to block risky behaviors.
  • Monitor for unusual activity and implement network detection rules for connections to known malicious IPs.
  • Apply least-privilege access to developer credentials and secrets, and separate production credentials from development environments.