www.microsoft.com 2/24/2026, 6:50:55 PM · via preferred

Malicious Next.js repos trick developers into live code execution

CyberSIXT Evidence Panel Source marked as original reporting

Microsoft Defender Experts and the Microsoft Defender Security Research Team describe a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next[.]js projects and recruitment-themed technical assessments. Telemetry indicates the activity blends into normal developer workflows: ordinary actions such as opening a repository, running a dev server, or starting a backend are enough to trigger code execution.

The campaign uses multiple entry points that culminate in runtime retrieval and in‑memory execution of attacker‑controlled JavaScript, with Stage 1 establishing a host profile and a durable identifier before pivoting to a Stage 2 C2 controller that provides persistent tasking.

Observed delivery mechanisms include a Bitbucket-hosted repository framed as an interview exercise and loader logic injected into trojanised assets such as next.config[.]js and jquery[.]js, which then fetch remote loaders from Vercel staging domains like price-oracle-v2.vercel[.]app.

Defences emphasise hardening developer workflows, reducing the attack surface of build and script execution, and enabling rapid containment. Microsoft Defender XDR detections highlight repeated outbound connections, staged uploads, and in-memory code execution patterns. 24 February 2026.


Article by CyberSIXT