Developer-Targeting Campaign Using Malicious Next.js Repositories
Summary:
Microsoft Defender Experts have uncovered a highly coordinated campaign targeting software developers through malicious repositories hosted on platforms like Bitbucket, disguised as legitimate Next.js projects and recruitment "coding tests." The investigation, which began after detecting suspicious outbound Node.js traffic, revealed a sophisticated multi-stage infection chain designed to execute entirely in memory. The campaign uses three distinct "Path" execution triggers:
- Path 1 (IDE Automation): Abusing Visual Studio Code’s .vscode/tasks.json, where a task whose runOptions.runOn value is set to folderOpen runs the moment a developer opens the project folder.
- Path 2 (Build-Time Execution): Embedding malicious logic in common developer commands like npm run dev, where the malware is hidden within application assets or configuration files.
- Path 3 (Server-Side Logic): Injecting code into backend modules or routes that execute during server initialization or at require-time when the application starts.
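To make the "review workspace automation files before trust is granted" step concrete, here is an added example, written for this summary and not taken from the Microsoft blog post or any Microsoft tooling, that inspects a repository's .vscode/tasks.json and package.json for the Path 1 and Path 2 shapes before the workspace is opened in a trusted window. It reads tasks.json as JSONC, because VS Code accepts comments and trailing commas there and a plain JSON parser would reject exactly the files a reviewer needs to open. The finding ids, the regex list, and the two sample files are this example's own constructions; the samples imitate the shape of the abuse, not any real repository content. Path 3 (code inside server modules and routes) is not covered here, since that calls for source review rather than manifest inspection.

```javascript
// Added example: pre-trust review of the VS Code and npm automation files
// abused in Path 1 and Path 2. Not code from the Microsoft blog post;
// finding ids, regexes and sample inputs are this example's own constructions.

// VS Code reads tasks.json as JSONC (comments and trailing commas allowed),
// so strip those before JSON.parse. String contents are kept verbatim.
function stripJsonc(text) {
  let out = "";
  let inString = false;
  for (let i = 0; i < text.length; ) {
    const ch = text[i];
    const next = text[i + 1];
    if (inString) {
      out += ch;
      if (ch === "\\") { out += next ?? ""; i += 2; continue; }
      if (ch === '"') inString = false;
      i += 1;
    } else if (ch === '"') {
      inString = true; out += ch; i += 1;
    } else if (ch === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i += 1;   // line comment
    } else if (ch === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);                // block comment
      i = end === -1 ? text.length : end + 2;
    } else {
      out += ch; i += 1;
    }
  }
  return out.replace(/,(\s*[}\]])/g, "$1");                 // trailing commas
}

// Things a "run the app" command has no reason to contain.
const SUSPICIOUS = [
  /\bnode\s+-e\b/, /\beval\s*\(/, /\bcurl\b|\bwget\b/, /\bpowershell\b/,
  /\bbase64\b/, /Buffer\.from\(/, /child_process/, /https?:\/\//,
];
// npm runs these automatically during install, before anyone reads the code.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

function reviewWorkspaceAutomation({ tasksJson, packageJson }) {
  const findings = [];
  const flag = (id, severity, detail) => findings.push({ id, severity, detail });
  if (tasksJson) {
    for (const t of JSON.parse(stripJsonc(tasksJson)).tasks ?? []) {
      const cmd = [t.command, ...(t.args ?? [])].filter(Boolean).join(" ");
      if (t.runOptions?.runOn === "folderOpen")                 // Path 1
        flag("tasks.folderOpen", "high", `task "${t.label}" runs on folder open: ${cmd}`);
      if (SUSPICIOUS.some((re) => re.test(cmd)))
        flag("tasks.suspiciousCommand", "medium", cmd);
    }
  }
  if (packageJson) {
    for (const [name, cmd] of Object.entries(JSON.parse(packageJson).scripts ?? {})) {
      if (LIFECYCLE.includes(name)) flag("scripts.lifecycle", "high", `${name}: ${cmd}`);
      if (SUSPICIOUS.some((re) => re.test(cmd)))
        flag("scripts.suspiciousCommand", "medium", `${name}: ${cmd}`);
      // Path 2 shape: an extra "node <file>" chained in front of the framework
      // command, so the app still starts and nothing looks wrong to the developer.
      if (/^(dev|start|build)$/.test(name) && /\bnode\s+\S+\.[cm]?js\b.*&&/.test(cmd))
        flag("scripts.wrappedFrameworkCommand", "high", `${name}: ${cmd}`);
    }
  }
  return findings;
}

// Constructed sample files (not real repository content).
const SAMPLE_TASKS_JSON = `{
  // JSONC: a comment and a trailing comma, both accepted by VS Code
  "version": "2.0.0",
  "tasks": [
    { "label": "prepare env", "type": "shell", "command": "node",
      "args": ["./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }, },
    { "label": "lint", "type": "npm", "script": "lint" }
  ]
}`;
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-next-app",
  scripts: {
    dev: "node scripts/prepare.js && next dev",
    build: "next build",
    postinstall: "node -e \"require('./scripts/setup.js')\"",
    lint: "next lint",
  },
});

for (const f of reviewWorkspaceAutomation({ tasksJson: SAMPLE_TASKS_JSON, packageJson: SAMPLE_PACKAGE_JSON })) {
  console.log(`[${f.severity}] ${f.id}: ${f.detail}`);
}
```

Run it with Node against the two files of a freshly cloned repository (read them with fs and pass the strings in); any "high" finding is a reason to keep the folder in Restricted Mode and read the referenced script before trusting the workspace. The regex list is deliberately short; it catches the obvious inline-evaluation and download shapes, not a determined obfuscator, which is why the folderOpen and lifecycle checks do not depend on it.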
Security Officer Comments:
This campaign represents a critical shift in the threat landscape: the developer’s workstation is treated as a high-value, "privileged" target. Because developers often hold elevated permissions to production environments, source code repositories, and CI/CD pipelines, a single successful compromise can enable a large-scale supply chain attack. The actor’s job-themed lures, such as naming a repository Cryptan-Platform-MVP1, exploit the willingness of individual contributors to clone and run code handed to them as part of a hiring process. From an IT-ISAC perspective, this is not just a workstation threat but a direct threat to the integrity of the software developed and maintained by our member organizations. The in-memory execution of JavaScript payloads makes this particularly hard to detect with traditional file-based antivirus, because the malicious activity runs inside trusted developer tools such as node.exe or code.exe.
Suggested Corrections:
What to do now if you’re affected
- If a developer endpoint is suspected of running this repository chain, the immediate priority is containment and scoping. Use endpoint telemetry to identify the initiating process tree, confirm repeated short-interval polling to suspicious endpoints, and pivot across the fleet to locate similar activity using Advanced Hunting tables such as DeviceNetworkEvents or DeviceProcessEvents.
- Because post-execution behavior includes credential and session theft patterns, response should include identity risk triage and session remediation in addition to endpoint containment. Microsoft Entra ID Protection provides a structured approach to investigate risky sign-ins and risky users and to take remediation actions when compromise is suspected.
- If there is concern that stolen sessions or tokens could be used to access SaaS applications, apply controls that reduce data movement while the investigation proceeds. Microsoft Defender for Cloud Apps Conditional Access app control can monitor and control browser sessions in real time, and session policies can restrict high-risk actions to reduce exfiltration opportunities during containment.
Defending against the threat or attack being discussed
- Harden developer workflow trust boundaries. Visual Studio Code Workspace Trust and Restricted Mode are designed to prevent automatic code execution in untrusted folders by disabling or limiting tasks, debugging, workspace settings, and extensions until the workspace is explicitly trusted. Organizations should use these controls as the default posture for repositories acquired from unknown sources and establish policy to review workspace automation files before trust is granted.
- Reduce the build-time and script execution attack surface on Windows endpoints. Attack surface reduction rules in Microsoft Defender for Endpoint can constrain risky behaviors frequently abused in this campaign class, such as running obfuscated scripts or launching scripts that download or run additional content. Microsoft provides deployment guidance and a phased approach for planning, testing in audit mode, and enforcing rules at scale.
- Strengthen prevention on Windows with cloud-delivered protection and reputation controls. Microsoft Defender Antivirus cloud protection provides rapid identification of new and emerging threats using cloud-based intelligence and should remain enabled. Microsoft Defender SmartScreen provides reputation-based protection against malicious sites and unsafe downloads and can reduce exposure to attacker infrastructure and socially engineered downloads.
- Protect identity and reduce the impact of token theft. Since developer systems often hold access to cloud resources, enforce strong authentication and conditional access, monitor for risky sign-ins, and operationalize investigation playbooks when risk is detected. Microsoft Entra ID Protection provides guidance for investigating risky users and sign-ins and for integrating results into SIEM workflows.
- Control SaaS access and data exfiltration paths. Microsoft Defender for Cloud Apps Conditional Access app control supports access and session policies that can monitor sessions and restrict risky actions in real time, which matters when an attacker attempts to use stolen tokens or browser sessions to access cloud apps and move data. These controls complement endpoint controls by reducing exfiltration opportunities at the cloud application layer.
- Centralize monitoring and hunting in Microsoft Sentinel. For organizations using Microsoft Sentinel, hunting queries and analytics rules can be built around the observable behaviors described in the Microsoft blog post, including Node.js initiating repeated outbound connections, HTTP-based polling to attacker endpoints, and staged upload patterns. Microsoft provides guidance for creating and publishing hunting queries in Sentinel, which can then be operationalized into detections.
- Operational best practices for long-term resilience. Maintain strict credential hygiene by minimizing secrets stored on developer endpoints, preferring short-lived tokens, and separating production credentials from development workstations. Apply least privilege to developer accounts and build identities, and segment build infrastructure where feasible. Combine these practices with the controls above to reduce the likelihood that a single malicious repository becomes a pathway into source code, secrets, or deployment systems.
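The polling behaviour that both the containment step above ("repeated short-interval polling to suspicious endpoints") and the Sentinel hunting recommendation describe can be scored from DeviceNetworkEvents-style records. The following is an added example written for this summary, not code from the Microsoft blog post or any Microsoft product: it groups connections by device, initiating process and remote endpoint, then flags groups whose gaps between connections are both short and regular, and carries the parent process through so a node.exe child of code.exe is visible in the alert. The records are constructed to mirror the DeviceNetworkEvents column names; the device name, the TEST-NET addresses, the timings and the thresholds are all assumptions. The same grouping maps onto a summarize over DeviceNetworkEvents by those columns in an Advanced Hunting or Sentinel query, with the gap statistics computed over the sorted timestamps.

```javascript
// Added example: beaconing score over DeviceNetworkEvents-style records.
// Not Microsoft code; column names mirror the Advanced Hunting schema, while
// the records, addresses and thresholds are constructed for this example.

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Group by device + initiating process + remote endpoint, then judge each
// group on connection count, median gap, and how regular the gaps are
// (mean absolute deviation from the median, relative to the median).
function findBeaconing(events, opts = {}) {
  const { minConnections = 5, maxMedianSeconds = 120, maxJitterRatio = 0.3 } = opts;
  const groups = new Map();
  for (const e of events) {
    const key = `${e.DeviceName}|${e.InitiatingProcessFileName}|${e.RemoteIP}:${e.RemotePort}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const alerts = [];
  for (const [key, evs] of groups) {
    if (evs.length < minConnections) continue;
    const ts = evs.map((e) => Date.parse(e.Timestamp) / 1000).sort((a, b) => a - b);
    const gaps = ts.slice(1).map((t, i) => t - ts[i]);
    const med = median(gaps);
    // A burst of same-second connections is a different pattern; skip it
    // here rather than divide by zero.
    if (med === 0 || med > maxMedianSeconds) continue;
    const jitter = gaps.reduce((acc, g) => acc + Math.abs(g - med), 0) / gaps.length / med;
    if (jitter > maxJitterRatio) continue;
    const first = evs[0];
    alerts.push({
      key,
      connections: evs.length,
      medianIntervalSeconds: med,
      jitterRatio: Number(jitter.toFixed(3)),
      parentProcess: first.InitiatingProcessParentFileName,
      commandLine: first.InitiatingProcessCommandLine,
    });
  }
  return alerts;
}

// Constructed records (not real telemetry). Addresses are from TEST-NET ranges.
const BASE = Date.parse("2026-02-20T09:00:00Z");
function record(offsetSeconds, fields) {
  return {
    Timestamp: new Date(BASE + offsetSeconds * 1000).toISOString(),
    DeviceName: "dev-ws-01",
    ActionType: "ConnectionSuccess",
    ...fields,
  };
}
const NODE_POLL = { InitiatingProcessFileName: "node.exe", InitiatingProcessParentFileName: "code.exe",
  InitiatingProcessCommandLine: "node ./scripts/setup.js", RemoteIP: "203.0.113.10", RemotePort: 443 };
const NODE_NPM = { InitiatingProcessFileName: "node.exe", InitiatingProcessParentFileName: "cmd.exe",
  InitiatingProcessCommandLine: "npm install", RemoteIP: "198.51.100.20", RemotePort: 443 };
const BROWSER = { InitiatingProcessFileName: "chrome.exe", InitiatingProcessParentFileName: "explorer.exe",
  InitiatingProcessCommandLine: "chrome.exe", RemoteIP: "198.51.100.7", RemotePort: 443 };

const SAMPLE_EVENTS = [
  ...[0, 30, 61, 90, 121, 150, 181, 210].map((s) => record(s, NODE_POLL)),  // regular ~30 s polling
  ...[0, 200, 215].map((s) => record(s, NODE_NPM)),                         // a few package fetches
  ...[0, 5, 40, 41, 200, 600].map((s) => record(s, BROWSER)),               // irregular browsing
];

for (const a of findBeaconing(SAMPLE_EVENTS)) {
  console.log(`${a.key} parent=${a.parentProcess} n=${a.connections} median=${a.medianIntervalSeconds}s jitter=${a.jitterRatio}`);
}
```

Only the node.exe group polling every 30 seconds is flagged; the browser group has enough connections and a short median gap but fails the regularity test, and the package fetches fall under the count threshold. Tune the three thresholds against a baseline of your own developer fleet before turning this into an analytics rule, since legitimate dev servers with file watchers can also produce regular outbound traffic, usually to loopback or known registries rather than to unfamiliar hosts.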
https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/