https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/

Microsoft security researchers have uncovered an attack campaign targeting Next.js developers through malicious code repositories disguised as legitimate job interview projects. The threat actors distribute fake coding assessment tasks that candidates are asked to complete as part of the hiring process, tricking developers into downloading and running compromised repositories on their machines. According to Microsoft, all execution paths identified in the campaign are designed to activate during normal development workflows, with some variants exploiting Visual Studio Code’s workspace automation features to automatically load malicious files as soon as developers open and trust the project. Regardless of the specific execution method employed, all variants ultimately lead to in-memory execution of malicious JavaScript code.

The attack leverages multiple technical approaches to compromise developer systems while maintaining stealth and persistence. Some variants trigger when developers run the project’s development server either directly or through npm commands, with malicious logic embedded in trojanised assets or modified libraries that retrieve and execute a JavaScript loader. Other execution paths activate when developers start the application’s backend, triggering preloaded malicious code hidden in backend modules during server initialisation or module import. Once executed, the malware retrieves a loader from Vercel infrastructure, establishes connections with attacker-controlled command-and-control servers, and begins beaconing for further instructions. The C2 infrastructure can rotate identifiers to evade detection, track spawned processes to avoid performance degradation that might alert victims, and execute JavaScript tasks in memory using a separate Node interpreter to minimise on-disk artifacts.

Microsoft warns that the malware is capable of extensive data exfiltration from developer machines, potentially stealing personal information, source code, secrets, and cloud resource credentials. The C2 controller can receive arrays of JavaScript tasks for remote execution, obey kill-switch commands, and report error telemetry back to attackers for operational refinement. While it seems unlikely that targeted developers would complete these interview assessments on corporate machines, doing so could expose entire organisations to wider compromise. The company recommends that defenders treat developer workflows as a primary attack surface and implement monitoring for unusual Node.js execution, unexpected outbound network connections, and suspicious discovery or upload behaviour originating from development systems.
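One defender-side check that follows from the recommendations above, written here as an added example (not code from Microsoft or from the report): before opening or installing a coding-assessment repository, audit the checkout for hooks that fire automatically when the workspace is trusted, installed, or started. The file names, the VS Code `runOn: folderOpen` task setting, the npm lifecycle script names and the tamper patterns are my assumptions about where such hooks commonly live, and the sample checkout is constructed.

```python
import json
import os
import re

# npm lifecycle scripts that run implicitly during `npm install` (assumption).
IMPLICIT_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
RUN_SCRIPTS = {"predev", "dev", "prestart", "start"}  # flag only if the command looks tampered with
SUSPICIOUS_CMD = re.compile(
    r"NODE_OPTIONS|--require|(^|\s)-r\s|node\s+-e|curl\s|wget\s|\|\s*(sh|bash|node)\b")

SAMPLE_REPO = {  # constructed sample checkout, not a real repository
    ".vscode/tasks.json": """{
  // a task that VS Code runs automatically once the workspace is trusted
  "tasks": [{"label": "bootstrap", "type": "shell", "command": "node",
             "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"},}]
}""",
    "package.json": '{"scripts": {"dev": "next dev", "postinstall": "node ./lib/init.js",'
                    ' "start": "NODE_OPTIONS=\'--require ./lib/hook.js\' next start"}}',
}

def load_jsonc(text):
    """Parse JSON-with-comments as VS Code writes it (comment lines, trailing commas)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def audit_files(files):
    """files: repo-relative path -> text. Returns (category, name, command) tuples."""
    findings = []
    for task in load_jsonc(files.get(".vscode/tasks.json", "{}")).get("tasks", []):
        # runOn=folderOpen tasks start as soon as the developer trusts the workspace.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([task.get("command", "")] + [str(a) for a in task.get("args", [])])
            findings.append(("vscode-folderOpen", task.get("label", "?"), cmd.strip()))
    for name, cmd in json.loads(files.get("package.json", "{}")).get("scripts", {}).items():
        if name in IMPLICIT_SCRIPTS:
            findings.append(("npm-lifecycle", name, cmd))
        elif name in RUN_SCRIPTS and SUSPICIOUS_CMD.search(cmd):
            findings.append(("npm-script-tampered", name, cmd))
    return findings

def audit_repo(root):
    """Audit a checkout on disk, reading whichever of the two hook files exist."""
    paths = {rel: os.path.join(root, *rel.split("/")) for rel in (".vscode/tasks.json", "package.json")}
    return audit_files({rel: open(p, encoding="utf-8").read() for rel, p in paths.items() if os.path.isfile(p)})

if __name__ == "__main__":
    import sys
    for finding in audit_repo(sys.argv[1]) if len(sys.argv) > 1 else audit_files(SAMPLE_REPO):
        print("[%s] %s: %s" % finding)
```

Saved as a script and given a checkout path, it prints every hook found; with no argument it audits the constructed sample, where an empty result would mean nothing runs before the developer deliberately starts the app.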