{"id":15866,"date":"2026-02-25T11:12:09","date_gmt":"2026-02-25T11:12:09","guid":{"rendered":"https:\/\/newestek.com\/?p=15866"},"modified":"2026-02-25T11:12:09","modified_gmt":"2026-02-25T11:12:09","slug":"microsoft-warns-of-job-themed-repo-lures-targeting-developers-with-multi-stage-backdoors","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15866","title":{"rendered":"Microsoft warns of job\u2011themed repo lures targeting developers with multi\u2011stage backdoors"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments. The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected.<\/p>\n<p>Telemetry collected during an incident investigation by Microsoft suggested the campaign\u2019s alignment with a broader cluster of threats using job-themed tricks. \u201cDuring initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises,\u201d the company wrote in a security blog <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/24\/c2-developer-targeting-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cFurther investigation uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.\u201d<\/p>\n<p>The campaign exploits developers\u2019 trust in shared code, gaining persistence within high-value developer systems that often contain source code, environment secrets, credentials, and access to build or cloud infrastructure.<\/p>\n<h2 class=\"wp-block-heading\">Multiple triggers for remote control<\/h2>\n<p>Microsoft researchers found that the malicious repositories were engineered with redundancy, offering several execution paths that ultimately result in the same backdoor behavior.<\/p>\n<p>In some cases, simply opening the project in <a href=\"https:\/\/www.csoonline.com\/article\/3956464\/warning-to-developers-stay-away-from-these-10-vscode-extensions.html\">Visual Studio Code<\/a> was enough. The attackers abused workspace automation by embedding tasks configured to run automatically when a folder is opened and trusted. This causes code execution without the developer running anything.<\/p>\n<p>Other variants rely on build processes or server startup routines, ensuring that the malicious code runs when developers perform typical actions such as launching a development server. Regardless of the trigger, the repositories retrieve additional <a href=\"https:\/\/www.csoonline.com\/article\/572015\/npm-javascript-registry-suffers-massive-influx-of-malware-report-says.html\">JavaScript<\/a> from remote infrastructure and execute it in memory, reducing traces on disk.<\/p>\n<p>The retrieved payload operates in stages. 
An initial registration component identifies the host and can deliver bootstrap instructions, after which a separate C2 controller provides persistence and enables follow-on actions such as payload delivery and data exfiltration.<\/p>\n<h2 class=\"wp-block-heading\" id=\"infection-through-a-fake-coding-test\">Infection through a fake \u201ccoding test\u201d<\/h2>\n<p>Microsoft said the investigation started with analyzing the suspicious outbound connections from Node.js processes communicating with attacker-controlled servers. Correlating network activity with process telemetry led analysts back to the original infection through recruiting exercises.<\/p>\n<p>One of the repositories was hosted on Bitbucket and presented as a technical assessment, along with a related repository using the Cryptan-Platform-MVP1 naming convention. \u201cMultiple repositories followed repeatable naming conventions and project \u2018family\u2019 patterns, enabling targeted searches for additional related repositories that were not directly referenced in observed telemetry but exhibited the same execution and staging behavior,\u201d Microsoft wrote.<\/p>\n<p>When an infection is suspected, Microsoft warns that affected organizations must immediately contain suspected endpoints, trace the initiating process tree, and hunt for repeated polling to suspicious infrastructure across the fleet. Because credential and session theft may follow, responders should evaluate identity risk, revoke sessions, and restrict high-risk SaaS actions to limit exposure during investigation.<\/p>\n<p>Long-term mitigations include a focus on tightening developer trust boundaries and reducing execution risk, Microsoft added. 
Other recommendations include enforcing Visual Studio Code Workspace Trust defaults, applying attack surface reduction rules, enabling cloud-based reputation protections, and strengthening conditional access.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft says it has uncovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessments. The campaign employs carefully crafted lures to blend into routine workflows, such as cloning repositories, opening projects, and running builds, thereby allowing the malicious code to execute undetected. Telemetry collected during an incident investigation by Microsoft suggested the campaign\u2019s alignment with a broader&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15866\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15866","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15866"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15866\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}