• Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects and technical assessment materials.
• Telemetry collected during this investigation indicates the activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution.
• During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises.
• Further investigation expanded the scope by reviewing repository contents, naming conventions, and shared coding patterns.
• These artifacts were cross-referenced against publicly available code-hosting platforms.
• This process uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.
Article Summaries:
- Microsoft Defender experts uncovered a coordinated campaign that targets developers by distributing malicious Next.js repositories masquerading as legitimate projects and technical assessment materials. The attackers use job‑themed lures to blend into routine development workflows, increasing the chance of code execution. Defender telemetry linked Node.js processes to attacker‑controlled command‑and‑control (C2) servers, revealing a lightweight registration stage that delivers bootstrap code before pivoting to a persistent controller. Analysts expanded the scope by identifying shared naming conventions (e.g., “Cryptan”, “JP‑soccer”) and structural patterns across multiple repositories, uncovering additional variants that employ the same loader logic and staging infrastructure. The campaign converges on runtime retrieval and local execution of attacker‑controlled JavaScript, enabling staged data exfiltration and persistent tasking.
Sources:
- https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/ (Latest source article published: 2026-02-24 17:28 UTC)