By The Hacker News
Publication Date: 2026-02-26 10:35:00
A “coordinated developer-targeting campaign” is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines.
“The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week.
The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).
The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like “Cryptan-Platform-MVP1” to trick developers looking for jobs into running as part of an assessment process.
Further analysis of the…