Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments. The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected.
Telemetry collected during an incident investigation by Microsoft suggested the campaign’s alignment with a broader cluster of threats using job-themed tricks. “During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises,” the company wrote in a security blog post. “Further investigation uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.”
The campaign exploits developers’ trust in shared code, gaining persistence within high-value developer systems that often contain source code, environment secrets, credentials, and access to build or cloud infrastructure.
