In a technical analysis, Microsoft said a coordinated campaign targeted software developers with fake Next.js projects and coding tests that execute malicious JavaScript when opened or run locally and enable remote code execution.
KEY FACTS
- Incident: Fake Next.js repositories and interview materials targeting developers
- Trigger: Malicious JavaScript runs on folder open, npm run dev, or backend start
- Impact: Remote code execution, backdoor installation, and potential data exfiltration
- Infrastructure: Multiple repositories shared loader structure and staging servers
The first repository was hosted on the Bitbucket cloud service. Multiple repositories shared code structure, loader logic, and naming patterns consistent with a coordinated effort.
When a developer clones and opens the project, a VS Code task or the dev server can run a Node script that downloads a loader from an attacker-controlled server and executes it in the running Node.js process in memory, leaving no payload file on disk.
The infection drops a Stage 1 JavaScript payload that profiles the host and registers with a command-and-control endpoint. It then upgrades to a Stage 2 controller that polls a separate server, executes supplied JavaScript in memory, enumerates files, tracks processes, and supports staged file exfiltration.
Recommended mitigations include enforcing VS Code Workspace Trust or Restricted Mode, using Attack Surface Reduction rules, monitoring risky sign-ins with Entra ID Protection, minimizing secrets on developer endpoints, and using short-lived tokens with least privilege. No details about the attacker's identity or the scope of the operation were provided.
WHY IT MATTERS
Normal developer workflows and local testing can trigger remote execution, so projects shared during interviews and technical assessments can pose high risk to developer endpoints and to broader software supply chains.